# Malware Scanner

The Malware Scanner extension consists of workers which scan artefacts for malware using the ClamAV antivirus engine.

## Configuration Example

```yaml
clamav:
  interval: 86400  # 24 hours
  on_unsupported: warning
  mappings:
    - prefix: 'acme.org/product-a'
      aws_secret_name: aws-account-prod
    - prefix: ''  # catch-all for all other components
      aws_secret_name: aws-account-default
```

## Top-Level Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `interval` | int (seconds) | `86400` | Maximum time before a component is re-scanned. |
| `mappings` | list | `[]` | Per-prefix component mappings. See mapping fields below. |
| `on_unsupported` | string | `warning` | Behaviour when artefact kind/type/access is unsupported. Options: `fail`, `ignore`, `warning`. |

## Mapping Fields

Each entry in the `mappings` list supports the following fields:

| Option | Type | Required | Description |
|--------|------|----------|-------------|
| `prefix` | string | yes | Component name prefix. Use `''` (empty string) to match all components. |
| `aws_secret_name` | string | no | Name of the AWS secret to use for S3 artefacts. Required when multiple AWS secrets are configured. |

## Configuration Details

### `interval`

The maximum time (in seconds) before a component's artefacts are rescanned for malware. Default is 86400 seconds (24 hours). Components are only rescanned after this interval has elapsed since the last scan.

### `on_unsupported`

Defines the behaviour when an artefact kind, type, or access method is not supported by the ClamAV scanner:

- **`fail`**: Raise an exception and stop processing
- **`ignore`**: Silently skip the unsupported artefact
- **`warning`** (default): Skip the artefact and log a warning message

### `mappings`

Allows per-component-prefix configuration for ClamAV scanning.
This is particularly useful when:

- Different components are stored in different AWS S3 accounts
- You need to apply different scanning configurations to different component groups

#### Prefix Matching

The `prefix` field uses simple string prefix matching (not regex):

- `prefix: 'acme.org'` matches `acme.org/product` and `acme.org/another-product`
- `prefix: ''` (empty string) matches all components (use as a catch-all)

Multiple mappings are evaluated in order, and the first matching prefix is used.

#### AWS Secret Configuration

When scanning artefacts stored in AWS S3, the ClamAV extension needs AWS credentials. The `aws_secret_name` field specifies which AWS secret to use from your ODG secrets configuration.

**Example with multiple AWS accounts:**

```yaml
clamav:
  interval: 86400
  on_unsupported: warning
  mappings:
    - prefix: 'prod.acme.org'
      aws_secret_name: aws-production
    - prefix: 'dev.acme.org'
      aws_secret_name: aws-development
    - prefix: ''
      aws_secret_name: aws-default
```
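
Because the first matching prefix wins, a catch-all or overly broad prefix placed too early silently routes components to the wrong AWS secret. The following is an added example, not the extension's own code: it models the documented matching rule with `str.startswith` (an assumption about the implementation) and flags entries that can never be selected. The function names `resolve_mapping` and `shadowed_mappings` are hypothetical.

```python
from __future__ import annotations

# Constructed sample mirroring the multi-account example above.
MAPPINGS = [
    {"prefix": "prod.acme.org", "aws_secret_name": "aws-production"},
    {"prefix": "dev.acme.org", "aws_secret_name": "aws-development"},
    {"prefix": "", "aws_secret_name": "aws-default"},
]


def resolve_mapping(component_name: str, mappings: list[dict]) -> dict | None:
    """Return the first mapping whose prefix matches, or None if none does."""
    for mapping in mappings:
        # Plain string prefix check, no regex and no path-boundary awareness.
        if component_name.startswith(mapping["prefix"]):
            return mapping
    return None


def shadowed_mappings(mappings: list[dict]) -> list[tuple[int, int]]:
    """Return (earlier_index, later_index) pairs where the later entry is
    unreachable: every name it matches is already matched by the earlier one."""
    shadowed = []
    for later, entry in enumerate(mappings):
        for earlier in range(later):
            if entry["prefix"].startswith(mappings[earlier]["prefix"]):
                shadowed.append((earlier, later))
                break
    return shadowed


if __name__ == "__main__":
    for name in ("prod.acme.org/product-a", "example.com/tool"):
        print(name, "->", resolve_mapping(name, MAPPINGS)["aws_secret_name"])

    # Catch-all listed first: the production entry is never reached.
    misordered = [MAPPINGS[2], MAPPINGS[0]]
    print("shadowed:", shadowed_mappings(misordered))

    # Under plain prefix matching, a look-alike name also matches; ending
    # the prefix with '/' restricts it to the intended namespace.
    print(resolve_mapping("prod.acme.org.example.net/x", MAPPINGS)["aws_secret_name"])
```

Running `shadowed_mappings` over a configuration before deploying it catches ordering mistakes that would otherwise only show up as S3 access errors or unscanned artefacts.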