feat: Update security and analysis (#2935)

Brink2Three · nickfloyd · web-flow · commit d866b8e453dc · 2025-11-24T15:50:37.000-06:00
* Update repository settings to include new API fields

* correct naming of code scanning to code security to match API

---------

Co-authored-by: Nick Floyd &lt;139819+nickfloyd@users.noreply.github.com&gt;
diff --git a/github/resource_github_repository.go b/github/resource_github_repository.go
@@ -100,7 +100,23 @@ func resourceGithubRepository() *schema.Resource {
 										Type:             schema.TypeString,
 										Required:         true,
 										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "status"),
-										Description:      "Set to 'enabled' to enable advanced security features on the repository. Can be 'enabled' or 'disabled'.",
+										Description:      "Set to 'enabled' to enable advanced security features on the repository. Can be 'enabled' or 'disabled', This value being present when split licensing is enabled will error out.",
+									},
+								},
+							},
+						},
+						"code_security": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "The code security configuration for the repository.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"status": {
+										Type:             schema.TypeString,
+										Required:         true,
+										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "code_security"),
+										Description:      "Set to 'enabled' to enable code security on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public', 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled', or your Organization must have split licensing for Advanced security.",
 									},
 								},
 							},
@@ -116,7 +132,7 @@ func resourceGithubRepository() *schema.Resource {
 										Type:             schema.TypeString,
 										Required:         true,
 										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "secret_scanning"),
-										Description:      "Set to 'enabled' to enable secret scanning on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public' or 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled'.",
+										Description:      "Set to 'enabled' to enable secret scanning on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public', 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled', or your Organization must have split licensing for Advanced security.",
 									},
 								},
 							},
@@ -132,7 +148,39 @@ func resourceGithubRepository() *schema.Resource {
 										Type:             schema.TypeString,
 										Required:         true,
 										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "secret_scanning_push_protection"),
-										Description:      "Set to 'enabled' to enable secret scanning push protection on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public' or 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled'.",
+										Description:      "Set to 'enabled' to enable secret scanning push protection on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public', 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled', or your Organization must have split licensing for Advanced security.",
+									},
+								},
+							},
+						},
+						"secret_scanning_ai_detection": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "The secret scanning AI detection configuration for this repository.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"status": {
+										Type:             schema.TypeString,
+										Required:         true,
+										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "secret_scanning_ai_detection"),
+										Description:      "Set to 'enabled' to enable secret scanning AI detection on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public', 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled', or your Organization must have split licensing for Advanced security.",
+									},
+								},
+							},
+						},
+						"secret_scanning_non_provider_patterns": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "The secret scanning non-provider patterns configuration for this repository.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"status": {
+										Type:             schema.TypeString,
+										Required:         true,
+										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"enabled", "disabled"}, false), "secret_scanning_non_provider_patterns"),
+										Description:      "Set to 'enabled' to enable secret scanning non-provider patterns on the repository. Can be 'enabled' or 'disabled'. If set to 'enabled', the repository's visibility must be 'public', 'security_and_analysis[0].advanced_security[0].status' must also be set to 'enabled', or your Organization must have split licensing for Advanced security.",
 									},
 								},
 							},
diff --git a/github/resource_github_repository_test.go b/github/resource_github_repository_test.go
@@ -1110,12 +1110,21 @@ func TestAccGithubRepositorySecurity(t *testing.T) {
 			    advanced_security {
 			      status = "enabled"
 			    }
-			    secret_scanning {
+			    code_security {
+					status = "enabled"
+				}
+				secret_scanning {
 			      status = "enabled"
 			    }
 			    secret_scanning_push_protection {
 			       status = "enabled"
 			    }
+				secret_scanning_ai_detection {
+					status = "enabled"
+				}
+				secret_scanning_non_provider_patterns {
+					status = "enabled"
+				}
 			  }
 			}
 			`, randomID)
@@ -1125,13 +1134,25 @@ func TestAccGithubRepositorySecurity(t *testing.T) {
 					"github_repository.test", "security_and_analysis.0.advanced_security.0.status",
 					"enabled",
 				),
+				resource.TestCheckResourceAttr(
+					"github_repository.test", "security_and_analysis.0.code_security.0.status",
+					"enabled",
+				),
 				resource.TestCheckResourceAttr(
 					"github_repository.test", "security_and_analysis.0.secret_scanning.0.status",
 					"enabled",
 				),
 				resource.TestCheckResourceAttr(
 					"github_repository.test", "security_and_analysis.0.secret_scanning_push_protection.0.status",
-					"disabled",
+					"enabled",
+				),
+				resource.TestCheckResourceAttr(
+					"github_repository.test", "security_and_analysis.0.secret_scanning_ai_detection.0.status",
+					"enabled",
+				),
+				resource.TestCheckResourceAttr(
+					"github_repository.test", "security_and_analysis.0.secret_scanning_non_provider_patterns.0.status",
+					"enabled",
 				),
 			)
 			testCase := func(t *testing.T, mode string) {
diff --git a/website/docs/r/repository.html.markdown b/website/docs/r/repository.html.markdown
