
Wassim Dhif


A Docker Antivirus in Ruby

Originally posted on Medium

Last year, I had the occasion to work on a project to build Docker images for developers. For security reasons, the developers were not allowed to push the Docker images they had built on their computers to a registry. Instead, they had to use a 'builder', written in Ruby, that would take their Dockerfile and build the image for them, after running some tests of course.

One of those tests was an antivirus, the docker-antivirus.

wdhif / docker-antivirus

Antivirus for Docker with ClamAV and Atomic

How to run an Antivirus on a Docker image?

The first thing was to choose an antivirus, and the choice was pretty straightforward. It should be open-source, run on Linux, and be performant. The answer was ClamAV.

ClamAV is an open-source antivirus that works on Linux, with a public virus database that, as of 10 February 2017, contained over 5,760,000 virus signatures.


The idea was to:

  1. Instantiate a Docker container with the image we want to test.
  2. Mount the container file system.
  3. Run ClamAV on the mounted file system.
  4. Print some results.

But we already have an issue here: it is not possible to mount the root of a container.

Atomic to the rescue

Atomic is a project by Red Hat to deploy and manage container-based infrastructures. One of the products of Project Atomic is the Atomic Run Tool.

One of the commands added by this tool is atomic mount, which allows us to mount a container root. Atomic mount uses OSTree, a library allowing us to interact with hierarchical file systems.

Using atomic mount, we are able to mount the root of a container, which allows us to run ClamAV on it.

Wrapping things up

By using both ClamAV and Atomic, I was able to create a little utility in Ruby to help me check a Docker image for viruses.

The docker-antivirus in action

By running the docker-antivirus on the Busybox Docker image, we can confirm that this image is safe. We also have some information about the scan itself, for example how many files were scanned or how long it took. But we must also test the docker-antivirus on a malicious Docker image.

Testing our solution with the EICAR test

The EICAR test file is a simple string of characters created by the European Institute for Computer Antivirus Research (EICAR) to test antivirus solutions without any risk.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This simple string is designed to trigger any antivirus, although it is completely harmless. For testing purposes, I simply created a Docker image containing this file, the docker-eicar.

Here, we can see the result of the docker-antivirus when analyzing the docker-eicar image:

Running the docker-antivirus with the docker-eicar image

As you can see, the docker-antivirus tells us that there is in fact something wrong with the docker-eicar image.
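
The mount, scan and report steps described above, as an added example that is not the docker-antivirus project's own code. The method names parse_clamscan and scan_image, the /mnt/scan mount point and the sample output are assumptions constructed for illustration. The parser treats anything other than a complete, clean summary as a failure, so a builder using it would reject the image when the scan itself breaks.

```ruby
require 'open3'

SUMMARY_MARKER = /^-+ SCAN SUMMARY -+$/

# Turn clamscan stdout and exit status into a report for a build gate.
# clamscan exits 0 (nothing found), 1 (virus found) or 2 (error).
def parse_clamscan(stdout, exit_code, mountpoint)
  body, marker, summary = stdout.rpartition(SUMMARY_MARKER)
  body, summary = stdout, '' if marker.empty? # no summary: scan cut short
  # "<path>: <signature> FOUND" lines, made relative to the image root.
  hits = body.scan(/^(.+): (\S+) FOUND$/).map do |path, sig|
    { path: path.delete_prefix(mountpoint), signature: sig }
  end
  scanned  = summary[/^Scanned files: (\d+)$/, 1]&.to_i
  infected = summary[/^Infected files: (\d+)$/, 1]&.to_i
  seconds  = summary[/^Time: ([\d.]+) sec/, 1]&.to_f

  # Fail closed: only exit code 0 plus a complete summary counts as clean.
  verdict =
    if exit_code == 1 || hits.any? || infected.to_i.positive? then :infected
    elsif exit_code == 0 && scanned && infected then :clean
    else :error
    end
  { verdict: verdict, hits: hits, scanned: scanned, seconds: seconds }
end

# Mount the image root, scan it, and always unmount. Needs the atomic and
# clamscan binaries on the host, so nothing calls it at load time.
def scan_image(image, mountpoint)
  _out, status = Open3.capture2e('atomic', 'mount', image, mountpoint)
  raise "atomic mount failed for #{image}" unless status.success?
  begin
    out, _err, st = Open3.capture3('clamscan', '--recursive', '--infected', mountpoint)
    parse_clamscan(out, st.exitstatus, mountpoint)
  ensure
    system('atomic', 'unmount', mountpoint)
  end
end

# Constructed sample of clamscan output for an image holding the EICAR file.
SAMPLE = <<~OUT
  /mnt/scan/root/eicar.com: Eicar-Test-Signature FOUND

  ----------- SCAN SUMMARY -----------
  Scanned files: 393
  Infected files: 1
  Time: 8.354 sec (0 m 8 s)
OUT
puts parse_clamscan(SAMPLE, 1, '/mnt/scan') if $PROGRAM_NAME == __FILE__
```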

What's next?

I am planning on adding more information about the virus itself in case it's detected. I would also like to make the docker-antivirus easier to use, maybe by embedding it inside a Docker image, or maybe by using static builds.

You can also participate yourself in the development of this project; contributions are more than welcome!
