Allowlisting ClamAV Findings

A ClamAV scan runs as part of the pipeline. If it reports any finding that has not been allowlisted, the ClamAV job fails and the pipeline does not progress past the scan stage.

Each finding must be investigated to determine whether it is a legitimate issue or a false positive. Only if a finding is determined to be a false positive can an Iron Bank team member allowlist it, by setting or updating the CLAMAV_ALLOWLIST_YAML CI/CD variable.

Example Findings Output

If a finding is detected, the ClamAV job will log it and mark the scan as failed:

INFO amd64 scan completed with 1 findings, 0 allowlisted
[
    {
        "finding": "Win.Test.EICAR_HDB-1",
        "link": null,
        "package": "eicar.com.txt",
        "packagePath": "/eicar.com.txt",
        "scanSource": "clamav",
        "score": "",
        "severity": "critical"
    }
]

Investigating Findings

  1. Review the finding details: the signature name (finding), the file that matched it (package) and where that file sits in the image (packagePath).
  2. Determine whether the finding is a legitimate security issue, that is, whether the flagged file is actually malicious, or whether a known-benign file (for example, a deliberately included test file such as EICAR) matched a signature.
  3. Only if the finding is confirmed to be a false positive, proceed with allowlisting. A legitimate finding must be remediated in the image instead; the allowlist is not a way to make the job pass.

Allowlisting Findings

To allowlist a false positive, add an entry to the YAML list defined in the CLAMAV_ALLOWLIST_YAML CI/CD variable.
An entry suppresses a finding only when all three of its fields match the finding exactly: finding, package, and packagePath. Matching the signature name alone is not enough, so the same signature matching a file at a different path is a separate finding and will fail the job until it is investigated and, if appropriate, allowlisted on its own.

Example allowlist for the above finding:

- finding: Win.Test.EICAR_HDB-1
  package: eicar.com.txt
  packagePath: /eicar.com.txt

Once allowlisted, a finding is still reported in the job log (it is counted in the "allowlisted" total of the scan summary line) but no longer causes the ClamAV job to fail.
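The following is an added example, not Iron Bank pipeline code, that reproduces the matching rule described above: it reads a findings list in the JSON shape shown in the example output, reads an allowlist in the CLAMAV_ALLOWLIST_YAML shape, and reports which findings remain unallowlisted and would therefore fail the job. The sample findings and allowlist are constructed for the example; a second EICAR hit at a different path is included to show that a path mismatch is not suppressed. The tiny YAML reader handles only the flat list-of-mappings shape shown on this page (an assumption made to keep the example dependency-free; use PyYAML for real allowlists).

```python
"""Check ClamAV findings against a CLAMAV_ALLOWLIST_YAML-style allowlist.

Added example, not Iron Bank pipeline code. It implements the documented
rule: a finding is allowlisted only when an entry matches all three of
finding, package and packagePath exactly.
"""
import json

# Fields an allowlist entry must match, as documented.
MATCH_FIELDS = ("finding", "package", "packagePath")

# Constructed sample scan output: the documented EICAR finding plus a second
# hit on the same signature at a different path.
SCAN_OUTPUT_JSON = """
[
    {"finding": "Win.Test.EICAR_HDB-1", "link": null, "package": "eicar.com.txt",
     "packagePath": "/eicar.com.txt", "scanSource": "clamav", "score": "", "severity": "critical"},
    {"finding": "Win.Test.EICAR_HDB-1", "link": null, "package": "eicar.com.txt",
     "packagePath": "/opt/app/eicar.com.txt", "scanSource": "clamav", "score": "", "severity": "critical"}
]
"""

# Constructed allowlist in the documented shape; it covers only the root-level copy.
ALLOWLIST_YAML = """
- finding: Win.Test.EICAR_HDB-1
  package: eicar.com.txt
  packagePath: /eicar.com.txt
"""


def parse_flat_allowlist(text):
    """Parse a YAML list of flat string mappings ('- key: value' / '  key: value').

    Minimal by design (assumption: no nesting, quoting, comments after values
    or colons inside values). Use PyYAML for anything beyond this shape.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            entries.append({})          # start a new allowlist entry
            line = line[2:].strip()
        if not entries:
            raise ValueError("allowlist must be a list of mappings")
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed allowlist line: {raw!r}")
        entries[-1][key.strip()] = value.strip()
    return entries


def is_allowlisted(finding, allowlist):
    """True only if some entry matches finding, package and packagePath exactly.

    An entry missing one of the fields, or differing in any of them, does not
    match; the signature name alone is never enough.
    """
    return any(
        all(entry.get(field) == finding.get(field) for field in MATCH_FIELDS)
        for entry in allowlist
    )


def triage(findings, allowlist):
    """Split findings into (allowlisted, unallowlisted)."""
    allowed = [f for f in findings if is_allowlisted(f, allowlist)]
    blocked = [f for f in findings if not is_allowlisted(f, allowlist)]
    return allowed, blocked


def job_should_fail(findings_json, allowlist_yaml):
    """Apply the pipeline rule: any unallowlisted finding fails the ClamAV job."""
    findings = json.loads(findings_json)
    allowlist = parse_flat_allowlist(allowlist_yaml)
    allowed, blocked = triage(findings, allowlist)
    print(f"scan completed with {len(findings)} findings, {len(allowed)} allowlisted")
    for f in blocked:
        print(f"UNALLOWLISTED {f['finding']} in {f['package']} at {f['packagePath']}")
    return len(blocked) > 0


if __name__ == "__main__":
    # Exit non-zero exactly when the job would fail.
    raise SystemExit(1 if job_should_fail(SCAN_OUTPUT_JSON, ALLOWLIST_YAML) else 0)
```

With the constructed inputs the root-level EICAR file is suppressed and the copy under /opt/app is not, so the script exits non-zero; appending a second entry for the /opt/app path makes it exit zero. Extending the allowlist is the right fix only after that second copy has been investigated and confirmed benign.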