feat(security): stage CodeQL default-setup config pending upstream provider #11
Merged
Adds code_scanning.tf as a commented-out placeholder for the eventual
github_repository_code_scanning_default_setup resource. README's "Next
up" section now points at this file so the work isn't forgotten when
upstream ships.
Provider gap: integrations/terraform-provider-github does not yet expose
a resource for PUT /repos/{owner}/{repo}/code-scanning/default-setup.
The closest existing knob (security_and_analysis.code_security) requires
paid GHAS, which dryvist intentionally leaves off (AGENTS.md "Cost policy").
Upstream: integrations/terraform-provider-github#3315 — adds the resource
with the exact schema captured in the comment block. When that PR merges
and ships:
1. Bump provider version in versions.tf.
2. Uncomment data + resource blocks in code_scanning.tf.
3. tofu apply.
Cost impact: $0 once enabled. Code scanning is FREE on public repos and
the data source's visibility:public filter is the safety belt — no
private repo can land in the for_each.
Summary

Adds `code_scanning.tf` as a commented-out placeholder for the eventual `github_repository_code_scanning_default_setup` resource, plus a one-line update to the README's "Next up" section pointing at it. The repo stays pure declarative HCL — no scripts, no `null_resource`, no third-party stopgap providers. When upstream ships, uncomment + bump version + apply.

Why staged commented

`integrations/terraform-provider-github` does not yet expose a resource for `PUT /repos/{owner}/{repo}/code-scanning/default-setup`. Verified against the provider source — the `security_and_analysis` block in `github_repository` has `advanced_security`, `code_security` (paid GHAS), `secret_scanning`, `secret_scanning_push_protection`, `secret_scanning_ai_detection`, and `secret_scanning_non_provider_patterns` — but no field for free CodeQL default-setup.

Upstream PR: integrations/terraform-provider-github#3315 — opened 2026-04-01 by oda251, still open. Adds the resource with this schema:

- `repository`
- `state`: `configured` or `not-configured`
- `query_suite`: `default` or `extended`
- `languages`

The commented block in this PR uses that exact shape so the merge-time delta is just removing `#` prefixes.

Cost impact

$0 (once enabled). Code scanning is FREE on public repos — no GHAS license consumed. The `data.github_repositories` query stages with `visibility:public` as the safety belt; no private repo can land in the `for_each`. Belt-and-suspenders: org-default GHAS is off per AGENTS.md "Cost policy", so an accidental PUT against a private repo would 403 anyway.

What lands when upstream ships

Test plan

`tofu plan` to confirm the expected creates (one resource per public repo with a supported language).

🤖 Generated with Claude Code
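To make the staging pattern concrete, here is an illustrative `code_scanning.tf` in the shape the PR describes. This is an added example, not the repository's actual file or the upstream provider's code. It assumes a `var.github_owner` holding the org name (not on the page), that `versions.tf` already configures the provider, and that the upstream resource keeps the `repository` / `state` / `query_suite` / `languages` schema captured above. The data source and a plan-time `check` are live so the safety belt can be exercised today; only the not-yet-shipped resource stays commented out.

```hcl
# code_scanning.tf (added example, not the repository's own file)
#
# Assumption: var.github_owner names the GitHub org/user whose public
# repositories should receive CodeQL default setup.
variable "github_owner" {
  type        = string
  description = "GitHub org/user whose public repos get CodeQL default setup"
}

# Safety belt: the search query itself is restricted to public repositories,
# so nothing private can ever be returned into the for_each below.
data "github_repositories" "public" {
  query = "org:${var.github_owner} visibility:public"
}

# Belt-and-suspenders: look every returned repo up individually and fail the
# plan if its visibility is anything other than "public". Code scanning is
# free on public repos; a private one would consume GHAS (or 403 with GHAS off).
data "github_repository" "public" {
  for_each = toset(data.github_repositories.public.names)
  name     = each.key
}

check "only_public_repos" {
  assert {
    condition = alltrue([
      for r in data.github_repository.public : r.visibility == "public"
    ])
    error_message = "A non-public repository reached the code-scanning for_each."
  }
}

# Staged: uncomment once integrations/terraform-provider-github#3315 ships and
# the provider version in versions.tf has been bumped. Schema as captured in
# that PR: repository, state (configured | not-configured),
# query_suite (default | extended), languages.
#
# resource "github_repository_code_scanning_default_setup" "public" {
#   for_each    = toset(data.github_repositories.public.names)
#   repository  = each.key
#   state       = "configured"
#   query_suite = "default"
#   # languages intentionally unset here (assumption: the upstream resource
#   # lets GitHub auto-detect supported languages when omitted).
# }
```

Running `tofu plan` against this file today exercises the data sources and the `check` without creating anything; once the resource block is uncommented, the plan should show exactly one create per public repository, and the `check` keeps the private-repo guarantee even if the search qualifier is edited later.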