Skip to main content

Scanning with YaraHunter

You can use YaraHunter to scan running or at-rest container images, and local file systems. YaraHunter will match the assets it finds against the YARA rules it has been configured with.

Scan a Container Image

Pull the image to your local repository, then scan it

docker pull node:latest

docker run -it --rm --name=yara-hunter \
-v /var/run/docker.sock:/var/run/docker.sock \
deepfenceio/deepfence_malware_scanner_ce:2.0.0 \
--image-name node:latest

docker rmi node:latest

Scan a Running Container

Mount the root directory into the YaraHunter container at a location of your choosing (e.g. /deepfence/mnt) and specify the running container ID:

docker run -it --rm --name=yara-hunter \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /:/deepfence/mnt \
deepfenceio/deepfence_malware_scanner_ce:2.0.0 \
--host-mount-path /deepfence/mnt --container-id 69221b948a73

Scan a filesystem

Mount the filesystem within the YaraHunter container and scan it:

docker run -it --rm --name=yara-hunter \
-v ~/src/YARA-RULES:/tmp/YARA-RULES \
deepfenceio/deepfence_malware_scanner_ce:2.0.0 \
--local /tmp/YARA-RULES --host-mount-path /tmp/YARA-RULES

Scan during CI/CD build

Refer to the detailed documentation for CI/CD integration.