FociSolutions · vedantthapa · Mar 11, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
diff --git a/modules/internal_repository/README.md b/modules/internal_repository/README.md
@@ -36,6 +36,7 @@ No resources.
 | <a name="input_dependabot_security_updates"></a> [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
 | <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br/>    wait_timer          = optional(number)<br/>    can_admins_bypass   = optional(bool)<br/>    prevent_self_review = optional(bool)<br/>    action_secrets      = optional(map(string))<br/>    reviewers = optional(object({<br/>      teams = optional(list(string))<br/>      users = optional(list(string))<br/>    }))<br/>    deployment_branch_policy = optional(object({<br/>      protected_branches     = bool<br/>      custom_branch_policies = bool<br/>      branch_patterns        = list(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
+| <a name="input_has_ghas_license"></a> [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to apply to the repository | `string` | `null` | no |
 | <a name="input_merge_commit_message"></a> [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no |

diff --git a/modules/internal_repository/repository.tf b/modules/internal_repository/repository.tf
@@ -1,3 +1,7 @@
+locals {
+  enable_secret_scanning = var.has_ghas_license
+}
+
 module "repository_base" {
   source = "../repository_base"
 
@@ -29,8 +33,8 @@ module "repository_base" {
   requires_web_commit_signing = var.requires_web_commit_signing
   pages                       = var.pages
 
-  secret_scanning             = true
-  secret_scanning_on_push     = true
+  secret_scanning             = local.enable_secret_scanning
+  secret_scanning_on_push     = local.enable_secret_scanning
   has_vulnerability_alerts    = true
   advance_security            = var.advance_security
   dependabot_security_updates = var.dependabot_security_updates

diff --git a/modules/internal_repository/variables.tf b/modules/internal_repository/variables.tf
@@ -73,6 +73,12 @@ variable "advance_security" {
   default     = true
 }
 
+variable "has_ghas_license" {
+  description = "If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false."
+  type        = bool
+  default     = false
+}
+
 variable "action_secrets" {
   description = "An (Optional) map of GitHub Actions secrets to create for this repository. The key is the name of the secret and the value is the encrypted value."
   type        = map(string)