Malware Scanner

The Malware Scanner extension consists of workers which scan artefacts for malware using the ClamAV antivirus engine.

Configuration Example

clamav:
  interval: 86400                    # 24 hours
  on_unsupported: warning
  mappings:
    - prefix: 'acme.org/product-a'
      aws_secret_name: aws-account-prod
    - prefix: ''                     # catch-all for all other components
      aws_secret_name: aws-account-default

Top-Level Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| interval | int (seconds) | 86400 | Maximum time before a component is re-scanned. |
| mappings | list | [] | Per-prefix component mappings. See mapping fields below. |
| on_unsupported | string | warning | Behaviour when artefact kind/type/access is unsupported. Options: fail, ignore, warning. |

Mapping Fields

Each entry in the mappings list supports the following fields:

| Option | Type | Required | Description |
| --- | --- | --- | --- |
| prefix | string | yes | Component name prefix. Use '' (empty string) to match all components. |
| aws_secret_name | string | no | Name of the AWS secret to use for S3 artefacts. Required when multiple AWS secrets are configured. |

Configuration Details

interval

The maximum time (in seconds) before a component’s artefacts are rescanned for malware. Default is 86400 seconds (24 hours). Components are only rescanned after this interval has elapsed since the last scan.

on_unsupported

Defines the behaviour when an artefact kind, type, or access method is not supported by the ClamAV scanner:

  • fail: Raise an exception and stop processing

  • ignore: Silently skip the unsupported artefact

  • warning (default): Skip the artefact and log a warning message

mappings

Allows per-component-prefix configuration for ClamAV scanning. This is particularly useful when:

  • Different components are stored in different AWS S3 accounts

  • You need to apply different scanning configurations to different component groups

Prefix Matching

The prefix field uses simple string prefix matching (not regex):

  • prefix: 'acme.org' matches acme.org/product and acme.org/another-product

  • prefix: '' (empty string) matches all components (use as a catch-all)

Multiple mappings are evaluated in order, and the first matching prefix is used.

AWS Secret Configuration

When scanning artefacts stored in AWS S3, the ClamAV extension needs AWS credentials. The aws_secret_name field specifies which AWS secret to use from your ODG secrets configuration.

Example with multiple AWS accounts:

clamav:
  interval: 86400
  on_unsupported: warning
  mappings:
    - prefix: 'prod.acme.org'
      aws_secret_name: aws-production
    - prefix: 'dev.acme.org'
      aws_secret_name: aws-development
    - prefix: ''
      aws_secret_name: aws-default
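The prefix-matching and AWS-secret selection rules from the two sections above, worked through in Python as an added example (not ODG's own code). It assumes the YAML has already been loaded into a dict and that scan times are POSIX seconds; it also includes a small check for mapping entries that an earlier entry shadows, which the first-match-wins rule implies but the page does not spell out.

```python
from typing import Optional

# Constructed config mirroring the page's "multiple AWS accounts" example
# (assumption: the YAML is already loaded into a dict; times are POSIX seconds).
CONFIG = {
    "interval": 86400,
    "on_unsupported": "warning",
    "mappings": [
        {"prefix": "prod.acme.org", "aws_secret_name": "aws-production"},
        {"prefix": "dev.acme.org", "aws_secret_name": "aws-development"},
        {"prefix": "", "aws_secret_name": "aws-default"},  # catch-all, kept last
    ],
}

def resolve_mapping(component_name: str, mappings: list) -> Optional[dict]:
    # First entry whose prefix is a plain string prefix of the name wins.
    # Plain str.startswith, no regex and no path-segment awareness: '' matches
    # everything, and 'prod.acme.org' also matches 'prod.acme.organisation/x'.
    for mapping in mappings:
        if component_name.startswith(mapping.get("prefix", "")):
            return mapping
    return None

def aws_secret_for(component_name: str, config: dict = CONFIG) -> Optional[str]:
    mapping = resolve_mapping(component_name, config.get("mappings", []))
    return None if mapping is None else mapping.get("aws_secret_name")

def shadowed_prefixes(mappings: list) -> list:
    # Prefixes that can never be selected because an earlier entry already
    # matches every name they would match (e.g. a catch-all listed first).
    shadowed = []
    for i, later in enumerate(mappings):
        if any(later["prefix"].startswith(e["prefix"]) for e in mappings[:i]):
            shadowed.append(later["prefix"])
    return shadowed

def rescan_due(last_scan: Optional[float], now: float, interval: int = CONFIG["interval"]) -> bool:
    # Due once `interval` seconds have elapsed (boundary assumed inclusive); never scanned is due.
    return last_scan is None or now - last_scan >= interval

def handle_unsupported(artefact: str, policy: str = CONFIG["on_unsupported"]) -> Optional[str]:
    # fail -> raise; ignore -> skip silently (None); warning -> skip, return log line.
    if policy == "fail":
        raise RuntimeError(f"unsupported artefact: {artefact}")
    if policy == "ignore":
        return None
    if policy == "warning":
        return f"warning: skipping unsupported artefact {artefact}"
    raise ValueError(f"unknown on_unsupported value: {policy!r}")
```

Because matching is plain string prefix, a prefix such as 'prod.acme.org' also selects components named 'prod.acme.organisation/...'; end the prefix with '/' if segment boundaries matter for secret selection.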