Support for code_security field in security_and_analysis block #2963

@dreamiurg

The Problem

I've been trying to enable GitHub's code security features via Terraform and keep hitting a wall. Our organization has access to GitHub Code Security, but we don't have the older "Advanced Security" product licensed. When I try to use the advanced_security block in the security_and_analysis configuration, I get this error:

Error: PATCH https://api.github.com/repos/org/repo: 422 Updating Advanced Security
on this repository is not available, nor a pre-requisite for security features. []

After digging into this, I discovered that GitHub's API now returns a code_security field (separate from advanced_security) in the repository response:

{
  "security_and_analysis": {
    "code_security": {
      "status": "enabled"
    },
    "secret_scanning": {
      "status": "enabled"
    },
    ...
  }
}

But the Terraform provider doesn't support this field at all.

What I Expected

I should be able to configure code security like this:

resource "github_repository" "repo" {
  name = "my-repo"

  security_and_analysis {
    code_security {
      status = "enabled"
    }
    secret_scanning {
      status = "enabled"
    }
    secret_scanning_push_protection {
      status = "enabled"
    }
  }
}

Current Workaround

Right now I have to:

  1. Manage secret scanning via Terraform (works fine)
  2. Manually enable code security through the GitHub UI for every repository
  3. Add lifecycle ignore rules so Terraform doesn't try to "fix" the manually-set code security

This defeats the whole point of infrastructure-as-code.

Background

GitHub split their security products into "Code Security" and "Secret Protection" sometime in 2024. The API added a code_security field to reflect this, and they even have a changelog entry from August 2024 about retrieving code security configurations via API.

The provider currently only supports the older advanced_security field, which requires a different license that not all organizations have.

Impact

Organizations using GitHub Code Security (without Advanced Security) can't manage this via Terraform. We either have to:

  • Manually configure it on every repo
  • Not use code security at all
  • Deal with Terraform trying to remove manually-set configurations

Would love to see support for the code_security field added to the provider. Happy to help test or provide more details if needed!


Provider version: 6.8.3
Terraform/OpenTofu version: 1.8.11
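As an added example (not code from the issue or from the provider), here is a small Python check that reads the repository response shape shown above and reports which security features are enabled and which of those the provider release named in the issue cannot declare. The sample JSON and the "absent" label for omitted sub-objects are constructed for this example.

```python
import json

# Constructed sample of a GitHub repository response, trimmed to the
# security_and_analysis block this issue is about; not real API output.
SAMPLE_REPO_JSON = """
{
  "name": "my-repo",
  "security_and_analysis": {
    "code_security": {"status": "enabled"},
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "disabled"}
  }
}
"""

# Sub-blocks the provider exposes according to the issue (version 6.8.3).
PROVIDER_MANAGED = {"advanced_security", "secret_scanning",
                    "secret_scanning_push_protection"}
# Field the API returns but the provider does not model (the reported gap).
API_ONLY = {"code_security"}


def load_repo(text: str) -> dict:
    """Parse a repository JSON document into a dict."""
    return json.loads(text)


def security_status(repo: dict) -> dict:
    """Return {feature: status} for every known feature.

    GitHub omits a sub-object when the feature is not available to the
    repository, so a missing key is reported as "absent" (a label chosen
    here, not a value GitHub returns).
    """
    block = repo.get("security_and_analysis") or {}
    status = {}
    for feature in sorted(PROVIDER_MANAGED | API_ONLY):
        entry = block.get(feature)
        status[feature] = entry.get("status", "absent") if isinstance(entry, dict) else "absent"
    return status


def unmanaged_enabled(repo: dict) -> list:
    """Features enabled in GitHub that Terraform cannot declare, i.e. state
    that was set by hand and can drift without the plan noticing."""
    status = security_status(repo)
    return sorted(f for f in API_ONLY if status[f] == "enabled")


if __name__ == "__main__":
    repo = load_repo(SAMPLE_REPO_JSON)
    print(security_status(repo))
    print("enabled but not manageable via provider:", unmanaged_enabled(repo))
```

Running it over the repositories of an organization (the live API call is left out here) gives a list of repos whose code security state lives only in the UI.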
