System Action on Attachment

Hi,

I have been using self-hosted Gitea for years and I would like to use it as some kind of CRM to include my customers in the development stage (for example, viewing the roadmap, discussions, etc.).

I found this: "[Solved] How to setup users with only access to issues", which allows only specific users to see the issues but not the code. But in the case of attachments with a virus, is there a way to trigger actions just like SFTPGo, so I can trigger a ClamAV virus scan?

If it finds something suspicious, it won’t add it to the database.

Hi

Interesting use case. Using Gitea as a lightweight CRM with customer-facing issue tracking actually makes a lot of sense.

About virus scanning attachments in Gitea

Out of the box, Gitea doesn’t provide built-in antivirus scanning for uploaded attachments (issues, comments, etc.). So there’s no native hook like “scan before saving to DB” similar to what tools like SFTPGo offer.

However, you do have a few practical workarounds:

Option 1: Use a Reverse Proxy / Upload Gateway (Recommended)

You can put a layer in front of Gitea:

  • Use something like NGINX + upload module or a small middleware service

  • Intercept file uploads before they reach Gitea

  • Run a scan with ClamAV

  • Only forward the request if the file is clean

This is the closest approach to “blocking before database storage”.

Option 2: Post-upload scanning (Gitea Actions / Cron)

If pre-upload interception is too complex:

  • Use Gitea Actions or a scheduled job

  • Scan the attachments directory (usually on disk or object storage)

  • If something malicious is found:

    • Delete the file

    • Optionally remove or edit the related issue/comment via API

Downside: the file is briefly stored before being removed.

Option 3: Custom webhook / external service

You could:

  • Trigger a webhook when an issue/comment is created

  • Send metadata to an external service

  • That service scans the file and calls back (delete/quarantine if needed)

This requires some scripting but gives you flexibility.

Additional considerations for your CRM setup

Since you’re exposing issues to customers:

  • Consider restricting file types (e.g., no executables)

  • Set file size limits

  • Use private repos + issue-level visibility controls (as you already explored)

Reality check

If strict security is critical (especially with external users uploading files), Gitea alone isn’t designed as a hardened file intake system; adding a scanning layer in front is the safest approach.

1 Like

Hi, thank you very much for your answer and possible suggestions.

I can understand that Gitea itself doesn’t have built-in virus scanning, but neither does SFTPGo. It uses your second suggestion. It just triggers a CLI function after receiving a file. But for Gitea’s case I didn’t know if I can get some kind of notification or delegate to trigger something. I thought maybe I should trigger virus checking by checking if a folder receives a new file periodically with another program.

And you are right about the other suggestions, like limiting file size and file types.
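Added example (not part of any post in this thread, and not Gitea or ClamAV project code): a periodic sweep of the attachment folder, as described in Option 2 and in the follow-up above, that scans only files it has not seen yet and quarantines infected ones. It assumes attachments are stored on local disk and that a `clamd` daemon is running; the paths and the names `sweep` and `clamd_scan` are hypothetical.

```python
import os, shutil, subprocess, time
from pathlib import Path

CLEAN, INFECTED, ERROR = 0, 1, 2  # exit codes shared by clamscan and clamdscan

def clamd_scan(path):
    """Scan one file through the clamd daemon and return clamdscan's exit code."""
    try:
        return subprocess.run(["clamdscan", "--no-summary", "--fdpass", str(path)],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    except FileNotFoundError:  # clamdscan is not installed
        return ERROR

def sweep(attach_dir, quarantine_dir, since, scan=clamd_scan, settle=5.0, now=None):
    """Scan files modified after `since`; move infected ones into quarantine.

    Returns (infected, errors, new_since). new_since only advances when every
    file could be scanned, so a scanner outage never marks files as checked.
    """
    now = time.time() if now is None else now
    attach_dir, quarantine_dir = Path(attach_dir), Path(quarantine_dir)
    infected, errors, newest = [], [], since
    for path in sorted(p for p in attach_dir.rglob("*") if p.is_file() and not p.is_symlink()):
        mtime = path.stat().st_mtime
        if mtime <= since or mtime > now - settle:
            continue  # scanned on an earlier run, or possibly still being written
        rc = scan(path)
        if rc == INFECTED:
            quarantine_dir.mkdir(parents=True, exist_ok=True)
            dest = quarantine_dir / path.name  # assumes unique (UUID-like) file names
            shutil.move(str(path), str(dest))
            os.chmod(dest, 0o000)  # keep the sample, make it unreadable
            infected.append(path)
        elif rc != CLEAN:
            errors.append(path)
            continue
        newest = max(newest, mtime)
    return infected, errors, (since if errors else newest)

if __name__ == "__main__":
    # Hypothetical paths: point these at your own attachment storage and state directory.
    base = Path("/var/lib/gitea-avscan")
    base.mkdir(parents=True, exist_ok=True)
    state = base / "since"
    since = float(state.read_text()) if state.exists() else 0.0
    bad, errs, since = sweep("/var/lib/gitea/data/attachments", base / "quarantine", since)
    state.write_text(repr(since))
    print(f"infected={[str(p) for p in bad]} errors={len(errs)}")
```

Run it from cron or a systemd timer as a user that can read and move files in the attachment storage. Quarantining only removes the file on disk, so the issue or comment still references the attachment until it is edited through the API, as Option 2 notes.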