Configuration Reference

Guardimesh configuration is split into two layers:

1. Web Console (Remote Config) — Settings managed through the UI that are pushed to scanners automatically
2. Helm Values / Environment Variables — Settings applied at install time via the Helm chart

Console settings take precedence over Helm values for overlapping options (namespace skips, scan modes, feature flags).

---

Web Console Settings

These are configured at Scan Configuration in the web console and polled by scanners every 5 minutes.

Scan Modes

Setting	Description	Default
Active scanning	Scan new containers automatically when pods are created	Enabled
Scheduled scanning	Periodically re-scan existing containers	Disabled

Active and scheduled scanning can both be enabled simultaneously.

Schedule Settings

Setting	Description	Default
Scan schedule	Per-day time slots (Mon–Sun, HH:MM) for scheduled scans	—
Minimum container age	Number of days a container must be running before it is eligible for scheduled re-scan	1

Namespace Filtering

Setting	Description	Example
Skip namespaces	Exact namespace names to exclude from scanning	kube-system, guardimesh-system
Skip namespace prefixes	Namespace prefixes to exclude	openshift-

Detection Features

Setting	Tier Required	Description	Default
Real-time file monitoring (fanotify)	Startup+	Continuously monitor container writable layers for new file writes	Disabled
Scan deduplication TTL	All	Minutes between repeated scans of the same container triggered by pod events	5 min

Signature Databases

Category	Databases
Official	main, daily, bytecode
Guardimesh	guardimesh-custom
Unofficial (opt-in)	Sanesecurity, SecuriteInfo, MalwarePatrol

Toggle individual databases on or off from the console. The puller sidecar will download only enabled databases.

Custom Signatures (Team / Enterprise)

Upload custom ClamAV signature files via the Custom Signatures page:

Tier	Max databases	Max size per database
Team	10	2 MB
Enterprise	Unlimited	5 MB

Supported formats: .hsb, .sfp, .db, .ldb (Enterprise only for .ldb)

---

Helm Chart Values

Set these at install time with --set or a custom values.yaml.

Required

Value	Description
apiKey	Guardimesh SaaS API key (from the web console API Keys page)

Namespace

Value	Default	Description
namespace	guardimesh-system	Namespace for all Guardimesh resources
createNamespace	false	Whether the chart creates the namespace (use --create-namespace instead)
createApiKeySecret	true	Set false if you manage the Secret externally (e.g., Vault, ExternalSecrets)

Operator

Value	Default	Description
operator.replicaCount	1	Operator replica count
operator.image.repository	quay.io/guardimesh/guardimesh-operator	Operator image
operator.image.tag	Chart appVersion	Operator image tag
operator.image.pullPolicy	IfNotPresent	Image pull policy
operator.imagePullSecrets	[]	Image pull secrets for private registries
operator.resources.requests.cpu	10m	CPU request
operator.resources.requests.memory	64Mi	Memory request
operator.resources.limits.cpu	500m	CPU limit
operator.resources.limits.memory	128Mi	Memory limit
operator.nodeSelector	{}	Node selector for operator pod
operator.tolerations	[]	Tolerations for operator pod
operator.affinity	{}	Affinity rules for operator pod
operator.leaderElect	true	Enable leader election (for HA)
operator.serviceAccount.name	guardimesh-operator	ServiceAccount name
operator.serviceAccount.annotations	{}	SA annotations (e.g., for IRSA/Workload Identity)

Scanner

Value	Default	Description
scanner.enabled	true	Deploy the GuardimeshScanner CR
scanner.name	guardimeshscanner	CR name
scanner.clusterID	""	Identifier for this cluster in scan results

Scanner — SaaS Connection

Value	Default	Description
scanner.saas.backendURL	https://api.guardimesh.io	Backend API endpoint
scanner.saas.storageURL	""	Signature storage URL (defaults to backendURL)
scanner.saas.freshclamMirrorURL	""	ClamAV mirror URL (defaults to database.clamav.net)
scanner.saas.apiKeySecret	guardimesh-api-key	Name of the Secret containing the API key
scanner.saas.tls.skipVerify	false	Skip TLS certificate verification (not recommended for production)
scanner.saas.tls.caSecret	""	Secret containing a custom CA certificate

Scanner — Scan Behavior

Value	Default	Description
scanner.scanner.enabled	true	Enable the scanner DaemonSet
scanner.scanner.activeScan	true	Scan new pods on creation
scanner.scanner.scheduledScan	false	Enable periodic re-scanning
scanner.scanner.skipNamespaces	kube-system,guardimesh-system	Namespaces to skip (comma-separated)
scanner.scanner.skipNamespacePrefixes	openshift-	Namespace prefixes to skip
scanner.scanner.signatureUpdateInterval	43200	Seconds between signature update checks (12 hours)
scanner.scanner.antivirusMaxThreads	1	ClamAV scanning threads

Scanner — Images

Value	Default	Description
scanner.scanner.image	"" (CRD default)	Scanner container image
scanner.scanner.antivirusImage	"" (CRD default)	ClamAV container image
scanner.scanner.inspectorImage	"" (CRD default)	Inspector container image
scanner.scanner.pullerImage	"" (CRD default)	Puller sidecar image
scanner.scanner.imagePullPolicy	"" (CRD default)	Image pull policy
scanner.scanner.imagePullSecrets	[]	Pull secrets for private registries

Scanner — Scheduling

Value	Default	Description
scanner.scanner.resources	{}	Scanner container resources (requests/limits)
scanner.scanner.antivirusResources	{}	Antivirus container resources
scanner.scanner.nodeSelector	{}	Node selector for scanner pods
scanner.scanner.tolerations	[{effect: NoSchedule, operator: Exists}]	Tolerations (defaults to schedule on all nodes)
scanner.scanner.affinity	{}	Affinity rules
scanner.scanner.serviceAccountName	""	Custom ServiceAccount name

Scanner — Advanced

Value	Default	Description
scanner.scanner.extraEnv	[]	Additional environment variables injected into the scanner container
scanner.license.acceptTerms	true	Accept the Guardimesh license terms
scanner.license.mode	online	License mode (online for SaaS, local for air-gap)

---

Scanner Environment Variables

These can be set via scanner.scanner.extraEnv in the Helm chart or directly in custom manifests. Most are overridden by remote config when CONFIG_URL is set.

Core

Variable	Default	Description
API_KEY	—	API key for authentication (usually from Secret)
API_KEY_FILE	—	Path to file containing API key (alternative to API_KEY)
CLAM_LOG_URL	—	URL for scan result ingest endpoint
POD_LOG_URL	—	URL for pod log ingest endpoint
CONFIG_URL	—	Base URL for remote config polling
CONFIG_POLL_INTERVAL	300	Seconds between remote config polls (minimum: 30)
CLUSTER_ID	—	Cluster identifier included in all results

Scan Behavior

Variable	Default	Description
ACTIVE_SCAN	—	Enable active pod scanning (true/false)
SCHEDULED_SCAN	—	Enable scheduled scanning (true/false)
SCHEDULED_SCAN_DAY	—	Day for scheduled scans
MIN_CON_DAY	—	Minimum container age in days for scheduled scans
SCAN_MODE	runtime	Scan mode
SKIP_NAMESPACES	—	Comma-separated namespace exclusions
SKIP_NAMESPACE_PREFIXES	—	Comma-separated prefix exclusions
HOST_SCAN_DIRS	—	Additional host directories to scan
SCAN_DEDUP_TTL	300	Seconds between repeat scans of same container

Detection Features

Variable	Default	Description
FANOTIFY_ENABLED	false	Enable real-time file monitoring (overridden by tier-based remote config)
FANOTIFY_DEBOUNCE_SEC	2	Seconds to debounce fanotify events
DRIFT_DETECT_ENABLED	true	Enable executable drift detection
MEMFD_SCAN_ENABLED	true	Enable memfd fileless payload scanning
MEMFD_MAX_SIZE_BYTES	52428800	Maximum memfd size to scan (50 MB)
OBFSCAN_ENABLED	—	Enable obfuscation scanner sidecar
OBFSCAN_SOCKET	—	Path to obfuscation scanner socket

Runtime

Variable	Default	Description
CLAM_SOCKET	/clam/clamd.sock	Path to ClamAV Unix socket
INFO_SOCKET	—	Path to inspector info socket
HEALTH_PORT	8086	Port for Kubernetes probes (/healthz, /readyz, /startupz)
LOG_LEVEL	info	Logging level (debug, info, warn, error)
RETRY_BUFFER_SIZE	1000	In-memory buffer for failed result sends

Kubernetes Metadata (set automatically by the DaemonSet)

Variable	Description
CUR_NODE_NAME	Node name (from spec.nodeName)
CUR_POD_NAME	Pod name (from metadata.name)
CUR_POD_NAMESPACE	Pod namespace (from metadata.namespace)

---

Configuration Precedence

When CONFIG_URL is set (the default SaaS path), remote config from the web console takes precedence:

Web Console settings (remote config)
  ↓ overrides
Helm values / environment variables
  ↓ overrides
Built-in defaults

Specifically, remote config overrides:

• SKIP_NAMESPACES and SKIP_NAMESPACE_PREFIXES
• SCAN_DEDUP_TTL
• FANOTIFY_ENABLED (also gated by subscription tier on the backend)

Settings that are not overridden by remote config:

• CLUSTER_ID, LOG_LEVEL, HEALTH_PORT
• DRIFT_DETECT_ENABLED, MEMFD_SCAN_ENABLED
• Resource limits, tolerations, node selectors

---

Example: Custom Values File

apiKey: "gm_live_abc123..."

scanner:
  clusterID: "production-us-east-1"
  saas:
    tls:
      skipVerify: false
  scanner:
    activeScan: true
    scheduledScan: true
    skipNamespaces: "kube-system,guardimesh-system,monitoring"
    skipNamespacePrefixes: "openshift-,istio-"
    resources:
      requests:
        memory: "1Gi"
        cpu: "500m"
      limits:
        memory: "2Gi"
        cpu: "2000m"
    antivirusResources:
      requests:
        memory: "2Gi"
      limits:
        memory: "4Gi"
    tolerations:
      - effect: NoSchedule
        operator: Exists
      - key: "dedicated"
        operator: "Equal"
        value: "security"
        effect: "NoSchedule"
    extraEnv:
      - name: LOG_LEVEL
        value: "debug"
      - name: MEMFD_MAX_SIZE_BYTES
        value: "104857600"

Install with:

helm install guardimesh-operator \
  oci://quay.io/guardimesh/guardimesh-operator \
  --namespace guardimesh-system \
  --create-namespace \
  -f custom-values.yaml

Next Steps

• Subscription Tiers — Understand feature availability per tier
• Integrations — Set up notifications
• Custom Signatures — Add your own detection rules