MCPcopy Index your code
hub / github.com/deepfence/YaraHunter

github.com/deepfence/YaraHunter @v2.5.8

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.5.8 ↗ · + Follow
145 symbols 315 edges 26 files 24 documented · 17% 2 cross-repo links
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

GitHub license GitHub stars GitHub issues Slack

YaraHunter

Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised.

YaraHunter can be used in the following ways:

  • At build-and-test: scan build artifacts in the CI/CD pipeline, reporting on possible indicators of malware
  • At rest: scan local container images, for example, before they are deployed, to verify they do not contain malware
  • At runtime: scan running docker containers, for example, if you observe unusual network traffic or CPU activity
  • Against filesystems: at any time, YaraHunter can scan a local filesystems for indicators of compromise

Key capabilities:

  • Scan running and at-rest containers; scan filesystems; scan during CI/CD build operations
  • Run anywhere: highly-portable, docker container form factor
  • Designed for automation: easy-to-deploy, easy-to-parse JSON output

YaraHunter is a work-in-progress (check the Roadmap and issues list), and will be integrated into the ThreatMapper threat discovery platform. We welcome any contributions to help to improve this tool.

Quick Start

For full instructions, refer to the YaraHunter Documentation.

demo gif

Example: Finding Indicators of Compromise in a container image

Images may be compromised with the installation of a cryptominer such as XMRig. In the following example, we'll scan a legitimiate cryptominer image that contains the same xmrig software that is often installed through an exploit:

Pull the official yarahunter image:

docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.8

or Build it from source clone this repo and run below command

make docker

Scan

Pull the image that needs to be scanned for example metal3d/xmrig and scan it:

docker pull metal3d/xmrig

Scan the image:

docker run -i --rm --name=deepfence-yarahunter \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v /tmp:/home/deepfence/output \
     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.8 \
     --image-name metal3d/xmrig:latest \
     --output=json > xmrig-scan.json

This returns, among other things, clear indication of the presence of XMRig. Note that we store the output (xmrig-scan.json) for quick and easy manipulation:

Rules can also be cached to use next run by mounting a separate path and passing rules-path argument

docker run -i --rm --name=deepfence-yarahunter \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v /tmp:/home/deepfence/output \
     -v /tmp/rules:/tmp/rules \
     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.8 \
     --image-name metal3d/xmrig:latest \
     --output=json \
     --rules-path=/tmp/rules > xmrig-scan.json
# Extract the IOC array values.  From these, extract the values of the 'Matched Rule Name' key
cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"'

This returns a list of the IOCs identified in the container we scanned.

To get table formatted output omit --output=json flag

Get in touch

Thank you for using YaraHunter.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence

Security and Support

For any security-related issues in the YaraHunter project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.

License

The Deepfence YaraHunter project (this repository) is offered under the Apache2 license.

Contributions to Deepfence YaraHunter project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.

Disclaimer

This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting indicator of compromise on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of YaraHunter for any purpose or use thereof or by any defect or deficiency therein.

Extension points exported contracts — how you extend this code

IOCWriter (Interface)
(no doc) [2 implementers]
pkg/runner/types.go

Core symbols most depended-on inside this repo

jsonMarshal
called by 9
pkg/output/output.go
Scan
called by 6
pkg/scan/scanner.go
ExitOnSeverity
called by 4
pkg/output/output.go
removeDuplicateIOCs
called by 3
pkg/runner/ioc.go
PublishScanStatusMessage
called by 3
pkg/output/publish-to-console.go
MalwaresToMalwareInfo
called by 3
pkg/output/output.go
Compile
called by 3
pkg/yararules/yara.go
GetDfInstallDir
called by 2
utils/utils.go

Shape

Function 79
Method 37
Struct 27
Interface 1
TypeAlias 1

Languages

Go100%

Modules by API surface

pkg/output/output.go31 symbols
pkg/scan/process_image.go15 symbols
core/util.go14 symbols
pkg/output/publish-to-console.go13 symbols
pkg/server/grpc.go11 symbols
pkg/runner/types.go9 symbols
pkg/yararules/yara.go8 symbols
utils/utils.go6 symbols
pkg/threatintel/utils.go6 symbols
pkg/scan/scanner.go6 symbols
core/match.go5 symbols
pkg/threatintel/feeds.go3 symbols

Used by 2 indexed graphs manifest dependencies, hub-wide

For agents

$ claude mcp add YaraHunter \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact