Deepfence YaraHunter Description

Deepfence YaraHunter is a malware scanning tool that identifies indicators of compromise in container images, running Docker containers, and filesystems. The tool uses YARA rulesets to match known malware signatures and detect potential compromises. YaraHunter can scan both running and at-rest containers, as well as local filesystems. It is distributed as a Docker container for portability and ease of deployment. The tool outputs results in JSON format for integration with automated workflows.

The scanner can be deployed at multiple stages of the development and operations lifecycle. During CI/CD build operations, it can scan build artifacts for malware indicators. At rest, it can verify local container images before deployment. At runtime, it can scan active Docker containers when unusual activity is detected. The tool can also scan local filesystems at any time to check for indicators of compromise.

YaraHunter uses the Deepfence YARA ruleset to identify malware signatures. Rules can be cached locally for subsequent scans by mounting a separate path and passing the rules-path argument. The tool requires a license key from Deepfence, which can be generated using a work or official email address.

The scanner connects to the Docker socket to access container images and running containers. Scan results are stored in a specified output directory and can be parsed using standard JSON tools to extract specific indicators of compromise.