
Feature: Repository Settings Compliance Check #6

@flemzord

Description

Feature: Repository Settings Compliance Check

Summary

Add a new compliance check to verify and enforce repository settings standards across the organization, including Issues, Wiki, Projects, Discussions, and other GitHub features configuration.

Problem Statement

Organizations often have standards for which repository features should be enabled or disabled based on repository types (public/private, production/development, etc.). Currently, there's no automated way to audit and enforce these settings across all repositories.

Proposed Solution

Implement a new repository-settings check that verifies and optionally enforces standard repository settings configurations.

Detailed Design

Configuration Schema

defaults:
  repository_settings:
    features:
      has_issues: true
      has_projects: false
      has_wiki: false
      has_discussions: false
      has_pages: false
    visibility:
      allow_public: false
      enforce_private: true
    general:
      allow_auto_merge: true
      delete_branch_on_merge: true
      allow_update_branch: true
      use_squash_pr_title_as_default: true
      allow_merge_commit: false
      allow_squash_merge: true
      allow_rebase_merge: false
    templates:
      require_issue_templates: true
      require_pr_template: true

Implementation Requirements

Check Logic

  1. Fetch current repository settings via GitHub API
  2. Compare against configured standards
  3. Report any deviations
  4. Apply fixes if not in dry-run mode

API Endpoints

  • GET /repos/{owner}/{repo} - Fetch current settings
  • PATCH /repos/{owner}/{repo} - Update settings

Edge Cases

  • Handle repositories with special requirements (e.g., documentation repos needing wiki)
  • Consider repository type (public vs private) in validation
  • Respect organization-level settings that override repository settings
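The Check Logic steps and the Edge Cases above, worked through as an added example (not code from this project): it compares a repository's settings against the `defaults.repository_settings` block, reports deviations, applies a repository-specific override, and builds the PATCH body only outside dry-run. Assumptions: the field names are those of the GitHub REST API `GET /repos/{owner}/{repo}` response; the sample repository is constructed; treating `has_pages` as not settable through `PATCH /repos` is an assumption (Pages has its own API).

```python
# Constructed sample of the fields in a GET /repos/{owner}/{repo} response that the
# check compares; values chosen so that several settings deviate from the standard.
SAMPLE_REPO = {
    "name": "payments-service", "private": False,
    "has_issues": True, "has_projects": True, "has_wiki": True,
    "has_discussions": False, "has_pages": False,
    "allow_auto_merge": False, "delete_branch_on_merge": True,
    "allow_update_branch": True, "use_squash_pr_title_as_default": False,
    "allow_merge_commit": True, "allow_squash_merge": True, "allow_rebase_merge": False,
}

# The defaults.repository_settings block from the issue, as a dict.
STANDARD = {
    "features": {"has_issues": True, "has_projects": False, "has_wiki": False,
                 "has_discussions": False, "has_pages": False},
    "visibility": {"allow_public": False, "enforce_private": True},
    "general": {"allow_auto_merge": True, "delete_branch_on_merge": True,
                "allow_update_branch": True, "use_squash_pr_title_as_default": True,
                "allow_merge_commit": False, "allow_squash_merge": True,
                "allow_rebase_merge": False},
}

# Assumption: settings PATCH /repos does not accept (Pages has its own API): report, never fix.
READ_ONLY = {"has_pages"}

def with_overrides(standard, overrides):
    """Copy of the standard with rule overrides applied, e.g. has_wiki for a docs repo."""
    merged = {section: dict(values) for section, values in standard.items()}
    for section, values in overrides.items():
        merged.setdefault(section, {}).update(values)
    return merged

def find_deviations(repo, standard):
    """Map each non-compliant setting to (actual, expected)."""
    deviations = {}
    for section in ("features", "general"):
        for key, expected in standard[section].items():
            if repo.get(key) != expected:
                deviations[key] = (repo.get(key), expected)
    vis = standard["visibility"]
    if (vis["enforce_private"] or not vis["allow_public"]) and not repo["private"]:
        deviations["private"] = (False, True)  # public repo where private is required
    return deviations

def run_check(repo, standard, dry_run=True):
    """Report deviations; outside dry-run also build the PATCH body that would fix them."""
    deviations = find_deviations(repo, standard)
    patch = {} if dry_run else {k: exp for k, (_, exp) in deviations.items() if k not in READ_ONLY}
    return {"compliant": not deviations, "deviations": deviations, "patch": patch}
```

Settings that deviate but sit in READ_ONLY still appear in the report, so a dry-run never hides them; they are simply left out of the PATCH body.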

User Stories

  • As a security officer, I want to ensure all production repositories have issues disabled to prevent information disclosure
  • As a platform engineer, I want to enforce consistent merge settings across all repositories
  • As a compliance manager, I need to verify that public repositories don't have certain features enabled

Technical Considerations

  • Rate limiting: Settings API has standard GitHub rate limits
  • Permissions: Requires admin access to modify repository settings
  • Backward compatibility: Should work with existing configuration structure

Testing Strategy

  • Unit tests for settings comparison logic
  • Integration tests with mocked GitHub API
  • Test scenarios for different repository types and configurations
  • Validate partial settings updates

Documentation Needs

  • Add to configuration reference documentation
  • Include examples for common scenarios (public repos, internal tools, production services)
  • Document which settings require specific GitHub plan features

Success Criteria

  • Check correctly identifies non-compliant repository settings
  • Dry-run mode reports issues without making changes
  • Fix mode successfully updates repository settings
  • Configuration supports repository-specific overrides via rules
  • Comprehensive test coverage (>80%)
  • Documentation includes clear examples

Dependencies

  • Existing check infrastructure
  • GitHub API client with repository settings methods
  • Configuration schema updates

Open Questions

  1. Should we support GitHub Enterprise specific settings?
  2. How to handle settings that require specific GitHub plan features (e.g., required reviewers in free tier)?
  3. Should we include repository naming convention checks in this feature?

Metadata

Labels: enhancement (New feature or request)