Command Line Options
Display the command line options:
$ docker run -it --rm deepfenceio/yara-hunter:latest --help
Note that all files and directories used in YaraHunter configuration are local to the container, not the host filesystem. The examples given illustrate how to map host directories to the container when needed.
--log-level string: one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG (default "ERROR"); print messages of this severity or higher.
--threads int: Number of concurrent threads to use during scan (default number of logical CPUs).
--temp-directory string: temporary storage for working data (default "/tmp")
--max-ioc uint: Maximum number of indicator of compromise matches to report from a container image or file system (default 1000).
--maximum-file-size int: Maximum file size to process in bytes (default 32Mb, 33554432 bytes).
--image-name string: scan this image (name:tag) in the local registry
--container-id string: scan a running container, identified by the provided container ID
--container-ns string: search the provided namespace (not used for Docker runtime)
--local string: scan the local directory in the YaraHunter docker container. Mount the external (host) directory within the container using
--host-mount-path string: inform YaraHunter of the location in the container where the host filesystem was mounted, such as '/tmp/mnt'. YaraHunter uses this as the root directory when matching
In addition to writing output to stdout / stderr, YaraHunter can write JSON output to a local file. You may wish to mount a directory on the host into
output-path in the container so that you can easily obtain the JSON output file.
--json-filename string: output json file name; required
--output-path string: location in container where json file will be stored (default
YaraHunter applies YARA rules from the local container filesystem; all
*.yara files in the
rules-path are considered. You can replace the default rules with your own by providing a different
rules-path, mounted from the host filesystem.
--fail-on-rule-compile-warn: YaraHunter will fail if a yara rule compilation has warnings; otherwise, rules that fail to compile are just ignored
--rules-path string: all .yar and .yara files in the given local directory will be compiled (default "/home/deepfence/rules")
Scans can be fine-tuned using settings in
--config-path string: directory location of
config.yaml. If not set, YaraHunter will fall back to the local binary directory or the current working directory.
config.yaml can be used to exclude files and locations from the malware scan:
# YaraHunter Configuration File
exclude_strings:  # skip matches containing any of these strings (case sensitive)
exclude_extensions: [ ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock", ".prerm"]
# need to confirm as windows hides file extensions
exclude_paths: ["/var/lib/docker", "/var/lib/containerd", "/bin", "/boot", "/dev", "/lib", "/lib64", "/media", "/proc", "/run", "/sbin", "/usr/lib", "/sys"] # use \ for windows paths