Get Puppet Enterprise First 10 nodes are free!
Try it now
Request a demo
Automate IT and infrastructure, manage complex workflows, and mitigate risk at scale.
Try the full-featured Puppet Enterprise for free on 10 nodes.
Puppet Comply Find and prevent compliance failures
Compliance Enforcement Modules Remediate to stay in compliance
Continuous Delivery for Puppet Enterprise Build, test, and deploy infrastructure as code faster and easier
Content & Modules Pre-built scripts to automate common tasks
Find thousands of component modules built by the community and guidance on using them in your own infrastructure.
Visit Puppet Forge >>
Open Source PuppetPerfect for individuals and small infrastructure
BoltAutomate tasks in orchestration workflows
See all open source projects >>
Contribute to open source projects >>
Malware scanning is an important layer of security. In this blog, you'll learn some basics as well as details of how to use malware scanning on Puppet Forge.
Table of Contents:
Malware scanning is a critical early warning system to prevent cyber attacks. As a security tactic, properly setting up your malware scan can be the first line of defense to protect your organization and your users.
The Forge team at Puppet has been hard at work for the past few months building out a malware scanning framework in order to help folks be more proactive about their security posture.
Now, to be clear, this doesn't replace your own security mitigations. You should still audit untrusted code. You should still run your own virus protections. There are many layers in a robust security profile, and this is only one of them. But what we can do is give you relatively high confidence that the Puppet modules you use are not introducing malware themselves.
We had to first put some thought into what it meant to be a secure Puppet module and balance that against what we could actually test for, programmatically. One of the challenges of scanning configuration management code is there's inherently so much overlap with malicious code already! It's a bit like the definition of a "weed" being an unwanted plant, no more and no less. It's all about context.
A bit of research indicated some prior art that we could build upon. Last year a team of students from the University of Pernambuco released a "security smell" scanner for Puppet code and prior to that, a student at FernUniversität in Hagen built a set of puppet-lint plugins to check for security issues. ClamAV, the popular malware scanner, also already had a container available.
Ultimately we decided that the malware scan would have the biggest impact for our users, and got to work. We quickly realized that while the ClamAV solution was useful, we'd get even more value with an enterprise subscription to VirusTotal — and our internal security team was stoked to get their hands on such a powerful tool.
VirusTotal provides an upload API. Although it doesn't know Puppet code natively, it knows how to uncompress the module tarball format and how to scan files and their contents for known malicious code. If any of the scanners discovered malware, we flagged the module and marked it as passing the scan if no malware was detected by any scanner. We also link back to the VirusTotal results page so that users can see the details for themselves, if they'd like.
With the help of our Design team and some backend plumbing, we had a malware scanning solution to help you select modules that best fit your needs and security policies. Because we have thousands of module releases a year, we're starting small by scanning all of our Supported modules, then expanding to Partner Supported, and then Approved. But by the end of the year, we expect that every module release will be security scanned as it's published. To avoid zero-day vulnerabilities, we will not retroactively scan existing modules so be sure to look for the malware scan status when you're evaluating modules. See an example on our puppetlabs-postgresql module.
The process of building the scanner identified a couple of interesting UX questions. At the top of that list was the realization that this was the first use of the quality scoring system that could actually block publication or put a module into an ambiguous state. Solving that problem means that we're now in a position to resolve some other outstanding feature requests. For example, users have been asking for the ability to "preview" module releases to check for rendering issues or quality scores prior to actually publishing a release and this is now a feature on our roadmap.
We're excited to provide you another tool in your security arsenal and hope that it builds confidence in the content you use from the Puppet Forge.
Explore Puppet Forge
Community and Developer Relations Lead, Puppet by Perforce
Software Engineer, Puppet by Perforce