# general
b
Hello, is there any way to run YARA rules on the files inside a Docker container?
j
Well, you could use a mounted directory that is shared between host and container, but I would not recommend sharing all of `/` due to security implications. You could also probably run osquery in another container alongside your workload containers and share directories between them for access, but I'm not sure if this is feasible. In general though, I think that osquery is not the right tool for that. Files inside a container (image) are not supposed to be changed permanently and containers are meant to be ephemeral, so it might be easier to just start a new container if you are suspicious. Also, you might want to try security scanners like Trivy to scan images before deploying containers based on them to make sure that as many vulns as possible have been patched.
👍 1