attachmentAV for GitHub: Setup Guide

Install

To install attachmentAV for GitHub, you:

  1. Create an attachmentAV for GitHub API key.
  2. Use attachmentAV in GitHub.

Create API key

Create a subscription to get your API key.

Use attachmentAV

To use attachmentAV, we recommend storing the attachmentAV API key as a repository secret. To create a repository secret, follow the GitHub Docs.

To trigger a scan, you add a step to your GitHub Actions workflow:

Scan Local Repository Files

Scan files directly from your repository.

- name: Scan local file
  uses: widdix/attachmentav-github-action-malware-antivirus-scan@v1
  with:
    local-file-path: path/to/file.zip
    api-key: ${{ secrets.ATTACHMENTAV_API_KEY }}

For files larger than 10MB, a GitHub token is required:

- name: Scan large local file
  uses: widdix/attachmentav-github-action-malware-antivirus-scan@v1
  with:
    local-file-path: path/to/large-file.zip
    api-key: ${{ secrets.ATTACHMENTAV_API_KEY }}
    token: ${{ github.token }}

Required Permissions:

permissions:
  contents: read

Limitations:

  • Files ≤10MB: Uploaded directly (no token required)
  • Files >10MB and ≤100MB: Downloaded via GitHub Contents API (token required)
  • Files >100MB: Not supported for local scanning; upload as release asset or artifact first

Scan GitHub Actions Artifacts

Scan artifacts, usually created by actions/upload-artifact. The action automatically selects the appropriate malware scanning API based on artifact size (sync API for <200MB, async API for ≥200MB).

- name: Upload artifact
  id: upload
  uses: actions/upload-artifact@v6
  with:
    name: my-artifact
    path: dist/

- name: Scan artifact
  uses: widdix/attachmentav-github-action-malware-antivirus-scan@v1
  with:
    artifact-id: ${{ steps.upload.outputs.artifact-id }}
    api-key: ${{ secrets.ATTACHMENTAV_API_KEY }}
    token: ${{ github.token }}

Required Permissions:

permissions:
  actions: read
  contents: read

Note: The token input is required for artifact scanning as artifacts always require authentication.

Scan GitHub Release Assets

Scan files attached to GitHub releases. The action automatically selects the appropriate scanning method based on asset size (sync API for <200MB, async API for ≥200MB).

- name: Scan release asset
  uses: widdix/attachmentav-github-action-malware-antivirus-scan@v1
  with:
    release-asset-id: ${{ steps.get_asset.outputs.asset_id }}
    api-key: ${{ secrets.ATTACHMENTAV_API_KEY }}
    token: ${{ github.token }}  # Optional for public repos, but recommended to provide

Required Permissions:

permissions:
  contents: read

Note: The token input is optional for public repositories but recommended to avoid rate limiting and ensure reliable access.
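
The release asset step above reads its ID from a step named get_asset, which the snippet does not define. The following complete workflow is an added example, not part of the attachmentAV documentation: it resolves the asset ID through the GitHub REST API and then runs the scan. The asset name app.zip and the release trigger are assumptions; replace them with your own.

```yaml
# Added example: look up a release asset ID, then scan that asset.
name: Scan release asset

on:
  release:
    types: [published]

# Least privilege: contents: read is the only permission listed for release assets.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      ASSET_NAME: app.zip  # hypothetical asset file name
    steps:
      - name: Look up release asset ID
        id: get_asset
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          # Passed through env rather than inlined into the script,
          # so the tag name is never interpreted as shell code.
          TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          asset_id="$(gh api "repos/${REPO}/releases/tags/${TAG}" \
            | jq -r --arg name "${ASSET_NAME}" \
                '.assets[] | select(.name == $name) | .id')"
          # Fail the job instead of passing an empty ID to the scanner.
          if [ -z "${asset_id}" ]; then
            echo "Asset ${ASSET_NAME} not found on release ${TAG}" >&2
            exit 1
          fi
          echo "asset_id=${asset_id}" >> "${GITHUB_OUTPUT}"

      - name: Scan release asset
        uses: widdix/attachmentav-github-action-malware-antivirus-scan@v1
        with:
          release-asset-id: ${{ steps.get_asset.outputs.asset_id }}
          api-key: ${{ secrets.ATTACHMENTAV_API_KEY }}
          token: ${{ github.token }}
```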

Uninstall

To cancel your subscription, visit FastSpring Account Management.

Need help?

Do you have any questions? Please get in touch.
