
Scanning with YaraHunter

You can use YaraHunter to scan container images at rest, running containers, and local file systems. YaraHunter matches the assets it finds against the YARA rules it has been configured with.

Scan a Container Image

Pull the image to your local repository, then scan it:

docker pull node:latest

docker run -it --rm --name=yara-hunter \
-e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
-e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
-v /var/run/docker.sock:/var/run/docker.sock \
quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
--image-name node:latest

docker rmi node:latest

Scan a Running Container

Mount the host's root directory into the YaraHunter container at a location of your choosing (e.g. /deepfence/mnt), pass that location as --host-mount-path, and specify the running container ID:

docker run -it --rm --name=yara-hunter \
-e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
-e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /:/deepfence/mnt \
quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
--host-mount-path /deepfence/mnt --container-id 69221b948a73

Scan a filesystem

Mount the filesystem within the YaraHunter container and scan it:

docker run -it --rm --name=yara-hunter \
-e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
-e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
-v ~/src/YARA-RULES:/tmp/YARA-RULES \
quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
--local /tmp/YARA-RULES --host-mount-path /tmp/YARA-RULES

Scan during CI/CD build

Refer to the detailed documentation for CI/CD integration.