Git AV Scan Action

Action and Dockerfile to scan Git HEAD or commit history using ClamAV. ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Disclaimer

This is a proof of concept, and does not provide any guarantee that carefully hidden objects will be scanned. Strong endpoint security, access, and code review policies and practices are the most effective way to ensure that malicious files or code is not introduced into a repository.

This project is not affiliated with the official ClamAV project.

What is Scanned

This tool scans:

• Working directory files (excluding .git directory)
• Each commit in the repository history (when using --full flag)
• Git stashed changes
• Git submodules (recursive)
• Git worktrees (additional working directories)
• Git hooks (executable scripts in .git/hooks/)
• Git LFS (Large File Storage) files

Security Limitations

The following are not scanned and could potentially hide malicious content:

• Git objects (loose and packed) in .git/objects/ directory
• Git reflog entries and deleted commits
• Git notes

Important: This tool should be used as part of a defense-in-depth security strategy.

For maximum security, combine this tool with:

• Code review processes
• Branch protection rules
• Endpoint security software
• Regular security audits

Example usage

uses: djdefi/gitavscan@v23
with:
  full: '--full'

Example workflow

Deep history scan. Scans each commit in the repository history. Slow but thorough:

on: [push]

jobs:
  gitavscan:
    runs-on: ubuntu-latest
    name: History AV Scan
    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: '0'
    - name: Git AV Scan
      uses: djdefi/gitavscan@v23
      with:
        full: '--full'

Scan current HEAD only. Only the most recent commit pushed will be scanned. Best used with an enforced linear history, or by disabling PR merges in a repository. Fast but misses deeper history:

on: [push]

jobs:
  gitavscan:
    runs-on: ubuntu-latest
    name: AV scan
    steps:
    - uses: actions/checkout@v6
    - name: Git AV Scan
      uses: djdefi/gitavscan@v23

Passing options to clamscan

Setting additional clamscan command line options is supported. This can be used to limit or exclude directories from the scope of the scan.

on: [push]
jobs:
  gitavscan:
    runs-on: ubuntu-latest
    name: History AV Scan
    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: '0'
    - name: Git AV Scan
      uses: djdefi/gitavscan@v23
      with:
        options: '--max-filesize=1M'

Running locally with Docker

Build:

docker build -t gitavscan .

Run full scan:

docker run --rm -it -v /path/to/repo:/scandir gitavscan --full