Malware Scanner¶
The Malware Scanner extension consists of workers which scan artefacts for malware using the ClamAV antivirus engine.
Configuration Example¶
```yaml
clamav:
  interval: 86400 # 24 hours
  on_unsupported: warning
  mappings:
    - prefix: 'acme.org/product-a'
      aws_secret_name: aws-account-prod
    - prefix: '' # catch-all for all other components
      aws_secret_name: aws-account-default
```
Top-Level Options¶
| Option | Type | Default | Description |
|---|---|---|---|
| `interval` | int (seconds) | `86400` | Maximum time before a component is re-scanned. |
| `mappings` | list | | Per-prefix component mappings. See mapping fields below. |
| `on_unsupported` | string | `warning` | Behaviour when artefact kind/type/access is unsupported. Options: `fail`, `ignore`, `warning`. |
Mapping Fields¶
Each entry in the mappings list supports the following fields:
| Option | Type | Required | Description |
|---|---|---|---|
| `prefix` | string | yes | Component name prefix. Use `''` (empty string) as a catch-all. |
| `aws_secret_name` | string | no | Name of the AWS secret to use for S3 artefacts. Required when multiple AWS secrets are configured. |
Configuration Details¶
interval¶
The maximum time (in seconds) before a component’s artefacts are rescanned for malware. Default is 86400 seconds (24 hours). Components are only rescanned after this interval has elapsed since the last scan.
on_unsupported¶
Defines the behaviour when an artefact kind, type, or access method is not supported by the ClamAV scanner:

- `fail`: Raise an exception and stop processing
- `ignore`: Silently skip the unsupported artefact
- `warning` (default): Skip the artefact and log a warning message
mappings¶
Allows per-component-prefix configuration for ClamAV scanning. This is particularly useful when:

- Different components are stored in different AWS S3 accounts
- You need to apply different scanning configurations to different component groups
Prefix Matching¶
The `prefix` field uses simple string prefix matching (not regex):

- `prefix: 'acme.org'` matches `acme.org/product` and `acme.org/another-product`
- `prefix: ''` (empty string) matches all components (use as a catch-all)

Multiple mappings are evaluated in order, and the first matching prefix is used. Because matching is first-match-wins, list the most specific prefixes first and the empty catch-all prefix last; a catch-all placed earlier would shadow every entry after it. Note also that the comparison is on the raw string, so `prefix: 'acme.org'` would equally match a component named `acme.organization/product`; include the trailing slash (`'acme.org/'`) when the prefix is meant to denote a namespace boundary.
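As an added illustration of the first-match prefix semantics above (this is not code from the Malware Scanner extension; the mapping lists, component names and secret names are constructed for the example), the following Python resolves a component name to its mapping the way the rules describe and flags entries that can never be reached because of ordering:

```python
from __future__ import annotations

from typing import Optional

# Constructed mapping list (hypothetical prefixes and secret names):
# most specific first, catch-all last.
MAPPINGS = [
    {"prefix": "acme.org/product-a", "aws_secret_name": "aws-account-prod"},
    {"prefix": "acme.org/", "aws_secret_name": "aws-account-acme"},
    {"prefix": "", "aws_secret_name": "aws-account-default"},
]

# Constructed list with the catch-all placed first: the second entry is dead.
BAD_ORDER = [
    {"prefix": "", "aws_secret_name": "aws-default"},
    {"prefix": "acme.org/", "aws_secret_name": "aws-acme"},
]

# Constructed list without a trailing slash: over-matches sibling names.
LOOSE = [
    {"prefix": "acme.org", "aws_secret_name": "aws-acme"},
    {"prefix": "", "aws_secret_name": "aws-default"},
]


def resolve_mapping(component_name: str, mappings: list[dict]) -> Optional[dict]:
    """Return the first mapping whose prefix is a plain string prefix of the
    component name (no regex, no path-component awareness), or None."""
    for mapping in mappings:
        if component_name.startswith(mapping["prefix"]):
            return mapping
    return None


def secret_for(component_name: str, mappings: list[dict]) -> Optional[str]:
    """Convenience wrapper: the aws_secret_name of the winning mapping."""
    mapping = resolve_mapping(component_name, mappings)
    return None if mapping is None else mapping.get("aws_secret_name")


def lint_mappings(mappings: list[dict]) -> list[str]:
    """Report unreachable entries. A later entry is shadowed when its prefix
    itself starts with an earlier prefix: every name it could match has
    already been claimed by the earlier entry (an earlier '' shadows all)."""
    warnings = []
    for i, later in enumerate(mappings):
        for earlier in mappings[:i]:
            if later["prefix"].startswith(earlier["prefix"]):
                warnings.append(
                    f"mapping {i} (prefix {later['prefix']!r}) is unreachable: "
                    f"shadowed by earlier prefix {earlier['prefix']!r}"
                )
                break
    return warnings


if __name__ == "__main__":
    for name in ("acme.org/product-a/lib", "acme.org/product-b",
                 "acme.organization/tool", "other.example/app"):
        print(f"{name:32} -> {secret_for(name, MAPPINGS)}")
    for warning in lint_mappings(BAD_ORDER):
        print("BAD_ORDER:", warning)
    print("LOOSE over-match:", secret_for("acme.organization/tool", LOOSE))
```

Running the lint against a configuration before deploying it catches the two mistakes the prefix rules invite: a catch-all that is not last, and a prefix that is a pure string prefix of a later, more specific one.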
AWS Secret Configuration¶
When scanning artefacts stored in AWS S3, the ClamAV extension needs AWS credentials. The `aws_secret_name` field specifies which AWS secret to use from your ODG secrets configuration.
Example with multiple AWS accounts:
```yaml
clamav:
  interval: 86400
  on_unsupported: warning
  mappings:
    - prefix: 'prod.acme.org'
      aws_secret_name: aws-production
    - prefix: 'dev.acme.org'
      aws_secret_name: aws-development
    - prefix: ''
      aws_secret_name: aws-default
```