Fix security gaps, command injection, and add comprehensive scanning coverage (worktrees, hooks, LFS)

[Copilot]

The scanner had critical security gaps allowing malware to hide in stashes and submodules, plus a command injection vulnerability and multiple operational bugs. This PR fixes those issues and adds comprehensive scanning for worktrees, hooks, and LFS files.

Security

Command injection in submodule scanning

# Before: vulnerable to injection via $ADDITIONAL_OPTIONS
git submodule foreach "clamscan $ADDITIONAL_OPTIONS ."

# After: export as environment variable
export ADDITIONAL_OPTIONS
git submodule foreach 'clamscan $ADDITIONAL_OPTIONS .'

Missing scan coverage

• Initial scan wasn't excluding .git directory (inconsistent with full scan)
• Stashed changes never scanned - added extraction and scanning of all stashes
• Submodules completely ignored - added recursive submodule scanning
• Worktrees never scanned - added scanning of all additional working directories
• Git hooks never scanned - added scanning of executable scripts in .git/hooks/
• Git LFS files never scanned - added pulling and scanning of all Large File Storage files

Variable quoting

• Unquoted $TMP, $REPO, $F, $EXCLUDE enabled word splitting/globbing attacks
• All variables now properly quoted

Bugs

• getopt parsing: -f flag incorrectly declared with : (expecting argument)
• Arithmetic in set -e: ((var++)) exits when var=0, changed to var=$((var + 1))
• Error handling: git operations lacked failure checks, now exit fast with errors
• Resource leak: $TMP directory created unconditionally, now only when needed
• VERBOSE_MODE: unused variable removed

Performance

• git rev-list executed twice in full scan (count + iterate), now cached
• freshclam could hang indefinitely, added 300s timeout
• Worktree list cached to avoid redundant git commands
• LFS files list cached to avoid redundant git commands

New Features

Git Worktrees Scanning

Scans all additional working directories linked to the repository using git worktree list. Worktrees are independent working directories that could contain malware.

Git Hooks Scanning

Scans executable scripts in .git/hooks/ directory. Hooks are high-risk as they execute automatically on git events (commit, push, etc.).

Git LFS Scanning

Pulls and scans all Git LFS (Large File Storage) files using git lfs ls-files -n. Large binaries are common malware vectors.

All implementations include:

• Cached lists to avoid pipeline issues with set -o pipefail
• Proper variable quoting for paths with spaces
• Error handling and graceful fallbacks

Tests

Added comprehensive validation suite (17 static checks including 3 new tests for worktrees/hooks/LFS, 13 functional tests). All pass, shellcheck clean.

Documentation

• Added "What is Scanned" and "Security Limitations" sections to README
• Updated scan coverage to include worktrees, hooks, and LFS files
• Script now prints security limitations notice on completion
• Documented known gaps: git objects, reflog, notes (worktrees now scanned)
• Added ADVANCED_SCANNING.md: Comprehensive implementation guide for scanning currently unsupported areas including git objects, reflog, notes, and other advanced git storage locations. Includes working code examples, performance considerations, and priority recommendations for future enhancements.

Original prompt

Fix any lacking test coverage or actual operational gaps in this. Evan method of deep scan and other ways that malicious files could be hidden in a repository.

What bugs and problems exist. What is inefficient or not performant

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[djdefi]

@copilot how do we make it support looking at all of that stuff and what else is missing ?

[Copilot]

I've created ADVANCED_SCANNING.md with detailed implementation guidance. Key points:

Easy wins (recommend implementing next):

• Worktrees: git worktree list → scan each path (fast, simple)
• Hooks: clamscan -ri .git/hooks/ (instant, high security value)
• LFS: git lfs pull → scan files (common malware vector)

Complex but valuable:

• Reflog: Scan deleted commits via git reflog --all (slow, requires checkouts)
• Objects: git cat-file blob on all objects (very slow, 1000s of objects)

Also missing:

• Git attributes with filters (code execution risk)
• Alternate object databases
• Staged files in index
• Bundle files

Main challenge with objects: they're compressed/deltified, requiring extraction of every object individually (hours on large repos).

See ADVANCED_SCANNING.md for complete implementation examples and priority recommendations. Ready to implement any of these if you want to prioritize specific features.

[djdefi]

@copilot Please address the review feedback and implement the easy wins you identified (worktrees, hooks, LFS scanning). Once those are added to gitscan.sh:

1. Add worktree scanning using git worktree list
2. Add hooks scanning with clamscan -ri .git/hooks/
3. Add LFS file scanning

After implementing, run shellcheck, ensure all tests pass, and mark this PR as ready for review (remove draft status).

[Copilot]

@copilot Please address the review feedback and implement the easy wins you identified (worktrees, hooks, LFS scanning). Once those are added to gitscan.sh:

1. Add worktree scanning using `git worktr...

Implemented all three "easy wins":

✅ Worktrees - Scans all additional working directories (git worktree list)
✅ Hooks - Scans executable scripts in .git/hooks/ directory
✅ LFS - Pulls and scans all Git LFS files (git lfs ls-files -n)

All implementations include:

• Cached lists to avoid pipeline issues with set -o pipefail
• Proper variable quoting for paths with spaces
• Error handling and graceful fallbacks

Testing:

• All 17 validation tests pass (+3 new tests)
• Shellcheck passes (0 errors)
• Code review feedback addressed

Commits:

• 32d8175 - Initial implementation
• 50d2692 - Code review improvements (caching, quoting, robust LFS parsing)

The PR is now ready for review and merge.