
Commit 665b4d9

committed
Remove sudo in clamav
Signed-off-by: Samet Akcay <[email protected]>
1 parent 8c95f84 commit 665b4d9


1 file changed

+69
-88
lines changed


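--- a/.github/actions/security/clamav/action.yaml
+++ b/.github/actions/security/clamav/action.yaml
@@ -65,10 +65,6 @@ inputs:
 description: "Maximum file size to scan in MB"
 required: false
 default: "100"
-max_scan_size:
-description: "Maximum scan data size in MB"
-required: false
-default: "400"
 output_format:
 description: "Format for scan results (json/txt)"
 required: false
@@ -92,95 +88,80 @@ outputs:
 runs:
 using: composite
 steps:
-- name: Install ClamAV
-shell: bash
-run: |
-sudo apt-get update
-sudo apt-get install -y clamav clamav-daemon
-sudo systemctl stop clamav-freshclam
-
-- name: Update virus definitions
-shell: bash
-run: sudo freshclam --quiet
-
 - name: Get changed files
 if: inputs.scan_scope == 'changed'
 id: changed-files
 uses: tj-actions/changed-files@v41
 
 - name: Run ClamAV scan
 id: run-clamav
-shell: bash
-run: |
-REPORT_FILE="clamav-report.${{ inputs.output_format }}"
-EXCLUDE_DIRS=$(echo "${{ inputs.exclude_dirs }}" | tr ',' ' ' | sed 's/[^ ]* */--exclude-dir=&/g')
-
-# Convert MB to bytes for ClamAV
-MAX_FILE_SIZE=$(( ${{ inputs.max_file_size }} * 1024 * 1024 ))
-MAX_SCAN_SIZE=$(( ${{ inputs.max_scan_size }} * 1024 * 1024 ))
-
-if [[ "${{ inputs.scan_scope }}" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
-echo "Running ClamAV on changed files"
-FILES="${{ steps.changed-files.outputs.all_changed_files }}"
-SCAN_CMD="clamscan"
-else
-echo "Running ClamAV on all files in ${{ inputs.paths }}"
-FILES="${{ inputs.paths }}"
-SCAN_CMD="clamscan -r"
-fi
-
-# Create temporary file for raw scan output
-TEMP_OUTPUT=$(mktemp)
-
-echo "Running scan with max file size: ${MAX_FILE_SIZE} bytes"
-echo "Running scan with max scan size: ${MAX_SCAN_SIZE} bytes"
-
-${SCAN_CMD} \
---max-filesize=${MAX_FILE_SIZE} \
---max-scansize=${MAX_SCAN_SIZE} \
-${EXCLUDE_DIRS} \
-${FILES} 2>&1 | tee ${TEMP_OUTPUT}
-
-SCAN_EXIT_CODE=${PIPESTATUS[0]}
-echo "exit_code=${SCAN_EXIT_CODE}" >> $GITHUB_OUTPUT
-
-# Parse scan summary
-SCANNED_FILES=$(grep "Scanned files:" ${TEMP_OUTPUT} | awk '{print $3}')
-INFECTED_FILES=$(grep "Infected files:" ${TEMP_OUTPUT} | awk '{print $3}')
-START_DATE=$(grep "Start Date:" ${TEMP_OUTPUT} | cut -d: -f2- | xargs)
-END_DATE=$(grep "End Date:" ${TEMP_OUTPUT} | cut -d: -f2- | xargs)
-
-# Generate report in requested format
-if [[ "${{ inputs.output_format }}" == "json" ]]; then
+uses: docker://clamav/clamav:stable
+env:
+GITHUB_OUTPUT: /tmp/gh_output
+with:
+entrypoint: sh
+args: |
+-c "
+# Update virus definitions
+freshclam --quiet
+
+# Prepare exclude dirs
+EXCLUDE_DIRS=`echo '${{ inputs.exclude_dirs }}' | tr ',' ' ' | sed 's/[^ ]* */--exclude-dir=&/g'`
+
+# Convert MB to bytes
+MAX_FILE_SIZE=`expr ${{ inputs.max_file_size }} \* 1024 \* 1024`
+
+# Create output directory
+mkdir -p security-results/clamav
+
+# Run scan based on scope
+if [ '${{ inputs.scan_scope }}' = 'changed' ] && [ -n '${{ steps.changed-files.outputs.all_changed_files }}' ]; then
+echo 'Running ClamAV on changed files'
+FILES='${{ steps.changed-files.outputs.all_changed_files }}'
+SCAN_CMD='clamscan'
+else
+echo 'Running ClamAV on all files in ${{ inputs.paths }}'
+FILES='${{ inputs.paths }}'
+SCAN_CMD='clamscan -r'
+fi
+
+# Run scan and capture output
+$SCAN_CMD \
+--max-filesize=$MAX_FILE_SIZE \
+$EXCLUDE_DIRS \
+$FILES \
+> scan_output.txt 2>&1
+
+SCAN_EXIT_CODE=$?
+
+# Count infected files
+INFECTED_FILES=`grep 'Infected files:' scan_output.txt | awk '{print $3}'`
+if [ -z \"$INFECTED_FILES\" ]; then
+INFECTED_FILES=0
+fi
+
+# Generate report
+if [ '${{ inputs.output_format }}' = 'json' ]; then
+echo '{
+\"scan_summary\": {
+\"files_scanned\": '`grep 'Scanned files:' scan_output.txt | awk '{print $3}'`',
+\"threats_found\": '$INFECTED_FILES',
+\"start_time\": \"'`grep 'Start time:' scan_output.txt | cut -d: -f2- | xargs`'\",
+\"end_time\": \"'`grep 'End time:' scan_output.txt | cut -d: -f2- | xargs`'\"
+}
+}' > security-results/clamav/report.json
+else
+cp scan_output.txt security-results/clamav/report.txt
+fi
+
+# Write to outputs file
 {
-echo "{"
-echo " \"scan_summary\": {"
-echo " \"files_scanned\": ${SCANNED_FILES:-0},"
-echo " \"threats_found\": ${INFECTED_FILES:-0},"
-echo " \"start_date\": \"${START_DATE}\","
-echo " \"end_date\": \"${END_DATE}\""
-echo " },"
-echo " \"threats\": ["
-# Only try to process threats if there are any
-if [ "${INFECTED_FILES:-0}" -gt 0 ]; then
-grep "FOUND" ${TEMP_OUTPUT} | while IFS= read -r line; do
-FILE=$(echo "$line" | cut -d: -f1)
-THREAT=$(echo "$line" | awk '{print $NF}')
-echo " {\"file\": \"${FILE}\", \"threat\": \"${THREAT}\"},"
-done | sed '$ s/,$//'
-fi
-echo " ]"
-echo "}"
-} > "${REPORT_FILE}"
-else
-cp ${TEMP_OUTPUT} "${REPORT_FILE}"
-fi
-
-echo "report_path=${REPORT_FILE}" >> $GITHUB_OUTPUT
-echo "threats_found=${INFECTED_FILES:-0}" >> $GITHUB_OUTPUT
-
-rm ${TEMP_OUTPUT}
-
-if [[ "${{ inputs.fail_on_findings }}" == "true" && "${INFECTED_FILES:-0}" -gt 0 ]]; then
-exit 1
-fi
+echo \"exit_code=$SCAN_EXIT_CODE\"
+echo \"threats_found=$INFECTED_FILES\"
+echo \"report_path=security-results/clamav/report.${{ inputs.output_format }}\"
+} > \"$GITHUB_OUTPUT\"
+
+if [ '${{ inputs.fail_on_findings }}' = 'true' ] && [ $INFECTED_FILES -gt 0 ]; then
+exit 1
+fi
+"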
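Review bot: The new `env: GITHUB_OUTPUT: /tmp/gh_output` on the container step redirects the `exit_code`, `threats_found` and `report_path` lines written by `} > \"$GITHUB_OUTPUT\"` into a file inside the container that the runner never reads, so the step's declared outputs will most likely stay empty; the runner already supplies `GITHUB_OUTPUT` to container steps, so dropping that override (and using `>>` rather than `>` so nothing written earlier to the file is truncated) should let `steps.run-clamav.outputs.*` populate — worth confirming with a following step that reads `threats_found`. Separately, `${{ steps.changed-files.outputs.all_changed_files }}`, `${{ inputs.paths }}` and `${{ inputs.exclude_dirs }}` are expanded by the expression engine straight into the single-quoted `sh -c` script, so a file name or input containing a quote or backtick alters the script rather than being handled as data; the removed `run:` block carried the same exposure, but the hand-built `-c "..."` string is easier to break out of. Passing them through `env:` (e.g. `CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}`) and referencing `\"$CHANGED_FILES\"` inside the script keeps them as data. Finally, `SCAN_EXIT_CODE` is only reported, so a non-zero clamscan status that is not a finding does not fail the step even with `fail_on_findings`; that matches the old behaviour but deserves a comment such as `# only findings fail the step; scan errors are surfaced via exit_code`.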
