Add ClamAV mirror overrides for definition downloads

README.md

@@ -65,6 +65,19 @@ The inspiration for this project came from reviewing the [AWS Labs cdk-serverles
 
 ---
 
+## 🗄️ ClamAV Definition Mirror Overrides
+
+If GitHub-hosted builds begin throttling ClamAV definition downloads, you can point `freshclam` at your
+own mirror (for example, a private S3 or HTTP mirror) by setting these environment variables before
+`cdk synth` or `cdk deploy`:
+
+- `CLAMAV_MIRROR` (primary mirror hostname or URL)
+- `CLAMAV_MIRROR_FALLBACK` (secondary mirror hostname or URL)
+
+These values are passed as Docker build args so the image build uses your mirrors when running `freshclam`.
+
+---
+
 ## 🚀 CLI Build & Deploy (Mac / ARM Platform)
 
 If you have [brew](https://brew.sh) installed (highly recommended) then:

cdk/Dockerfile

@@ -3,6 +3,8 @@ FROM ubuntu:20.04 AS builder
 
 # Prevent interactive prompts.
 ENV DEBIAN_FRONTEND=noninteractive
+ARG CLAMAV_MIRROR=database.clamav.net
+ARG CLAMAV_MIRROR_FALLBACK=database.clamav.net
 
 RUN apt-get update -y && \
     apt-get install -y clamav clamav-freshclam p7zip-full
@@ -31,7 +33,9 @@ RUN mkdir -p /tmp/clamav_libs && \
 # Create a directory for the definitions and run freshclam to update them.
 RUN mkdir -p /tmp/clamav_defs && \
     chmod -R 777 /tmp/clamav_defs && \
-    freshclam --stdout --datadir=/tmp/clamav_defs && \
+    printf "DatabaseMirror %s\nDatabaseMirror %s\nMaxAttempts 5\nConnectTimeout 30\nReceiveTimeout 60\n" \
+      "$CLAMAV_MIRROR" "$CLAMAV_MIRROR_FALLBACK" > /tmp/freshclam.conf && \
+    freshclam --stdout --config-file=/tmp/freshclam.conf --datadir=/tmp/clamav_defs && \
     cp -R /tmp/clamav_defs /tmp/clamav_defs_output
 
 # Final stage: use the AWS Lambda Java 21 base image.
@@ -54,4 +58,3 @@ COPY lambda-jar/lambda-1.0.jar ${LAMBDA_TASK_ROOT}/lib/
 
 # Specify the Lambda handler (in the format Package.Class::method).
 CMD [ "cloud.cleo.clamav.lambda.ScanningLambda::handleRequest" ]
-

cdk/src/main/java/cloud/cleo/clamav/cdk/ClamavLambdaStack.java

@@ -3,6 +3,7 @@
 import cloud.cleo.clamav.ScanStatus;
 import static cloud.cleo.clamav.ScanStatus.*;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import software.amazon.awscdk.App;
@@ -88,6 +89,7 @@ public ClamavLambdaStack(final Construct scope, final String id, final StackProp
         DockerImageAsset imageAsset = DockerImageAsset.Builder.create(this, "ClamavLambdaImage")
                 .platform(isCloudShell() ? Platform.LINUX_AMD64 : Platform.LINUX_ARM64)
                 .directory(".")
+                .buildArgs(getDockerBuildArgs())
                 .build();
 
         // Create custom log group first
@@ -220,6 +222,20 @@ private boolean getContextBoolean(String key, boolean defaultValue) {
         return defaultValue;
     }
 
+    private Map<String, String> getDockerBuildArgs() {
+        Map<String, String> buildArgs = new HashMap<>();
+        addBuildArgIfPresent(buildArgs, "CLAMAV_MIRROR");
+        addBuildArgIfPresent(buildArgs, "CLAMAV_MIRROR_FALLBACK");
+        return buildArgs;
+    }
+
+    private void addBuildArgIfPresent(Map<String, String> buildArgs, String envVarName) {
+        String value = System.getenv(envVarName);
+        if (value != null && !value.isBlank()) {
+            buildArgs.put(envVarName, value);
+        }
+    }
+
     /**
      * Detect if using CloudShell which means we need x86 architecture/platform.
      *