feat: add repository settings compliance check

README.md

@@ -105,8 +105,9 @@ The CLI can perform the following compliance checks:
 | `repo-access-teams` | Manages repository team access and individual collaborators |
 | `repo-security-controls` | Verifies security features (secret scanning, Dependabot, code scanning) |
 | `repo-archival-policy` | Controls access to archived repositories |
+| `repo-settings` | Enforces repository feature toggles, visibility, and collaboration templates |
 
-Legacy identifiers (merge-methods, team-permissions, branch-protection, security-scanning, archived-repos, team-sync) are still accepted and automatically mapped to the new names.
+Legacy identifiers (merge-methods, team-permissions, branch-protection, security-scanning, archived-repos, team-sync, repository-settings) are still accepted and automatically mapped to the new names.
 
 Each check can be configured in the `defaults` section of your configuration file and selectively applied using the `--checks` flag.
 

compliance-config.example.yml

@@ -43,6 +43,26 @@ defaults:
     dependabot_updates: true
     code_scanning_recommended: true
 
+  # Repository feature & workflow settings
+  repository_settings:
+    features:
+      has_issues: true
+      has_projects: false
+      has_wiki: false
+      has_discussions: false
+      has_pages: false
+    visibility:
+      allow_public: false
+      enforce_private: true
+    general:
+      allow_auto_merge: true
+      delete_branch_on_merge: true
+      allow_update_branch: true
+      use_squash_pr_title_as_default: true
+    templates:
+      require_issue_templates: true
+      require_pr_template: true
+
   # Team permissions
   permissions:
     remove_individual_collaborators: true
@@ -85,3 +105,4 @@ checks:
     - "repo-branch-protection"
     - "repo-security-controls"
     - "repo-archival-policy"
+    - "repo-settings"

compliance-schema.json

@@ -34,6 +34,9 @@
         },
         "archived_repos": {
           "$ref": "#/definitions/archived_repos"
+        },
+        "repository_settings": {
+          "$ref": "#/definitions/repository_settings"
         }
       },
       "additionalProperties": false
@@ -81,6 +84,9 @@
               },
               "archived_repos": {
                 "$ref": "#/definitions/archived_repos_partial"
+              },
+              "repository_settings": {
+                "$ref": "#/definitions/repository_settings_partial"
               }
             },
             "additionalProperties": false
@@ -325,7 +331,14 @@
           "$ref": "#/definitions/required_status_checks"
         },
         "restrictions": {
-          "oneOf": [{ "$ref": "#/definitions/restrictions" }, { "type": "null" }],
+          "oneOf": [
+            {
+              "$ref": "#/definitions/restrictions"
+            },
+            {
+              "type": "null"
+            }
+          ],
           "description": "Restrict who can push to protected branches (optional - leave out or set to null if not needed)"
         },
         "allow_force_pushes": {
@@ -431,7 +444,14 @@
           "$ref": "#/definitions/required_status_checks_partial"
         },
         "restrictions": {
-          "oneOf": [{ "$ref": "#/definitions/restrictions_partial" }, { "type": "null" }]
+          "oneOf": [
+            {
+              "$ref": "#/definitions/restrictions_partial"
+            },
+            {
+              "type": "null"
+            }
+          ]
         },
         "allow_force_pushes": {
           "type": "boolean"
@@ -810,6 +830,139 @@
         }
       },
       "additionalProperties": false
+    },
+    "repository_features": {
+      "type": "object",
+      "description": "Toggle availability of built-in repository features",
+      "properties": {
+        "has_issues": {
+          "type": "boolean",
+          "description": "Enable GitHub Issues"
+        },
+        "has_projects": {
+          "type": "boolean",
+          "description": "Enable GitHub Projects"
+        },
+        "has_wiki": {
+          "type": "boolean",
+          "description": "Enable repository wiki"
+        },
+        "has_discussions": {
+          "type": "boolean",
+          "description": "Enable GitHub Discussions"
+        },
+        "has_pages": {
+          "type": "boolean",
+          "description": "Enable GitHub Pages"
+        }
+      },
+      "additionalProperties": false
+    },
+    "repository_visibility": {
+      "type": "object",
+      "description": "Visibility requirements for repositories",
+      "properties": {
+        "allow_public": {
+          "type": "boolean",
+          "description": "Whether public repositories are allowed"
+        },
+        "enforce_private": {
+          "type": "boolean",
+          "description": "Require repositories to be private"
+        }
+      },
+      "additionalProperties": false,
+      "allOf": [
+        {
+          "not": {
+            "properties": {
+              "allow_public": {
+                "const": true
+              },
+              "enforce_private": {
+                "const": true
+              }
+            },
+            "required": ["allow_public", "enforce_private"]
+          }
+        }
+      ]
+    },
+    "repository_general_settings": {
+      "type": "object",
+      "description": "General repository workflow preferences",
+      "properties": {
+        "allow_auto_merge": {
+          "type": "boolean",
+          "description": "Allow auto-merge for pull requests"
+        },
+        "delete_branch_on_merge": {
+          "type": "boolean",
+          "description": "Automatically delete head branch after merging"
+        },
+        "allow_update_branch": {
+          "type": "boolean",
+          "description": "Allow maintainers to update pull request branches"
+        },
+        "use_squash_pr_title_as_default": {
+          "type": "boolean",
+          "description": "Default squash commit title to pull request title"
+        }
+      },
+      "additionalProperties": false
+    },
+    "repository_templates": {
+      "type": "object",
+      "description": "Template requirements for collaboration workflows",
+      "properties": {
+        "require_issue_templates": {
+          "type": "boolean",
+          "description": "Require issue templates to exist"
+        },
+        "require_pr_template": {
+          "type": "boolean",
+          "description": "Require a pull request template to exist"
+        }
+      },
+      "additionalProperties": false
+    },
+    "repository_settings": {
+      "type": "object",
+      "description": "Repository settings compliance policy",
+      "properties": {
+        "features": {
+          "$ref": "#/definitions/repository_features"
+        },
+        "visibility": {
+          "$ref": "#/definitions/repository_visibility"
+        },
+        "general": {
+          "$ref": "#/definitions/repository_general_settings"
+        },
+        "templates": {
+          "$ref": "#/definitions/repository_templates"
+        }
+      },
+      "additionalProperties": false
+    },
+    "repository_settings_partial": {
+      "type": "object",
+      "description": "Partial repository settings overrides for matched repositories",
+      "properties": {
+        "features": {
+          "$ref": "#/definitions/repository_features"
+        },
+        "visibility": {
+          "$ref": "#/definitions/repository_visibility"
+        },
+        "general": {
+          "$ref": "#/definitions/repository_general_settings"
+        },
+        "templates": {
+          "$ref": "#/definitions/repository_templates"
+        }
+      },
+      "additionalProperties": false
     }
   }
 }

docs/configuration-reference.md

@@ -13,6 +13,7 @@ This document provides a comprehensive reference for all configuration options a
   - [Security Settings](#security-settings)
   - [Permissions](#permissions)
   - [Archived Repositories](#archived-repositories)
+  - [Repository Settings](#repository-settings)
 - [Rules Section](#rules-section)
 - [Checks Section](#checks-section)
 - [Complete Configuration Example](#complete-configuration-example)
@@ -257,6 +258,70 @@ defaults:
     specific_repos: ["old-project-2019"]
 ```
 
+### Repository Settings
+
+Validate and enforce repository-level options such as feature toggles, visibility, and workflow helpers.
+
+**Path**: `defaults.repository_settings`
+
+#### Feature Toggles (`defaults.repository_settings.features`)
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `has_issues` | `boolean` | Enable GitHub Issues |
+| `has_projects` | `boolean` | Enable classic Projects (deprecated in some plans) |
+| `has_wiki` | `boolean` | Enable the repository wiki |
+| `has_discussions` | `boolean` | Enable GitHub Discussions |
+| `has_pages` | `boolean` | Enable GitHub Pages |
+
+#### Visibility Controls (`defaults.repository_settings.visibility`)
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `allow_public` | `boolean` | Permit repositories to remain public |
+| `enforce_private` | `boolean` | Force repositories to be private (takes precedence over `allow_public`) |
+
+#### General Options (`defaults.repository_settings.general`)
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `allow_auto_merge` | `boolean` | Allow pull requests to auto-merge when checks succeed |
+| `delete_branch_on_merge` | `boolean` | Delete head branches automatically after merging |
+| `allow_update_branch` | `boolean` | Allow maintainers to update pull request branches |
+| `use_squash_pr_title_as_default` | `boolean` | Use the pull request title as the default squash commit message |
+
+#### Template Requirements (`defaults.repository_settings.templates`)
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `require_issue_templates` | `boolean` | Require an issue template directory or file to be present |
+| `require_pr_template` | `boolean` | Require a pull request template file to be present |
+
+> ℹ️ Template checks verify the existence of common template paths (e.g. `.github/ISSUE_TEMPLATE/`, `.github/pull_request_template.md`). They surface remediation guidance but do not create templates automatically.
+
+**Example**:
+```yaml
+defaults:
+  repository_settings:
+    features:
+      has_issues: true
+      has_projects: false
+      has_wiki: false
+      has_discussions: false
+      has_pages: false
+    visibility:
+      allow_public: false
+      enforce_private: true
+    general:
+      allow_auto_merge: true
+      delete_branch_on_merge: true
+      allow_update_branch: true
+      use_squash_pr_title_as_default: true
+    templates:
+      require_issue_templates: true
+      require_pr_template: true
+```
+
 ## Rules Section
 
 Rules allow you to apply different settings to specific repositories based on matching criteria.
@@ -349,6 +414,7 @@ Specifies which compliance checks to run.
 - `repo-branch-protection`: Ensures branch protection rules are configured
 - `repo-security-controls`: Validates security features are enabled
 - `repo-archival-policy`: Validates archived repository settings
+- `repo-settings`: Validates repository-level options (features, visibility, templates)
 
 **Example**:
 ```yaml
@@ -360,12 +426,13 @@ checks:
     - repo-branch-protection
     - repo-security-controls
     - repo-archival-policy
+    - repo-settings
 ```
 
 If not specified, all checks are enabled by default.
 
 > Legacy identifiers (merge-methods, team-permissions, branch-protection,
-> security-scanning, archived-repos, team-sync) are still accepted and
+> security-scanning, archived-repos, team-sync, repository-settings) are still accepted and
 > automatically mapped to the new names.
 
 ## Complete Configuration Example
@@ -411,6 +478,25 @@ defaults:
     dependabot_updates: true
     code_scanning_recommended: true
 
+  repository_settings:
+    features:
+      has_issues: true
+      has_projects: false
+      has_wiki: false
+      has_discussions: false
+      has_pages: false
+    visibility:
+      allow_public: false
+      enforce_private: true
+    general:
+      allow_auto_merge: true
+      delete_branch_on_merge: true
+      allow_update_branch: true
+      use_squash_pr_title_as_default: true
+    templates:
+      require_issue_templates: true
+      require_pr_template: true
+
   permissions:
     remove_individual_collaborators: true
     teams:
@@ -477,12 +563,21 @@ rules:
 # Enabled compliance checks
 checks:
   enabled:
+<<<<<<< HEAD
     - org-team-sync
     - repo-merge-strategy
     - repo-access-teams
     - repo-branch-protection
     - repo-security-controls
     - repo-archival-policy
+=======
+    - merge-methods
+    - team-permissions
+    - branch-protection
+    - security-scanning
+    - archived-repos
+    - repo-settings
+>>>>>>> 2644f36 (feat: add repository settings compliance check)
 ```
 
 ## Best Practices