From d94b3d84ff9ab36fdab295d2b69fc74e43427eff Mon Sep 17 00:00:00 2001
From: Tim Kelly <1355145+austimkelly@users.noreply.github.com>
Date: Thu, 11 Jan 2024 10:16:01 -0600
Subject: [PATCH] Check ghas features (#21)
* Action to check that features of GHAS are enabled (dependabot, secrets scanning, code scanning)
---
 .github/workflows/check-ghas-features.yml | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/check-ghas-features.yml
diff --git a/.github/workflows/check-ghas-features.yml b/.github/workflows/check-ghas-features.yml
new file mode 100644
index 0000000..b58b88e
--- /dev/null
+++ b/.github/workflows/check-ghas-features.yml
@@ -0,0 +1,51 @@
+name: "Check Security Features"
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ - develop
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check Dependabot
+ id: check_dependabot
+ run: |
+ echo "Checking if Dependabot is enabled..."
+ DEPENDABOT=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ github.repository }}/dependabot/alerts)
+ if [[ "$DEPENDABOT" == *"Not Found"* ]]; then
+ echo "Dependabot is not enabled"
+ exit 1
+ else
+ echo "Dependabot is enabled"
+ fi
+
+ - name: Check Code Scanning
+ id: check_code_scanning
+ run: |
+ echo "Checking if Code Scanning is enabled..."
+ CODE_SCANNING=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts)
+ if [[ "$CODE_SCANNING" == *"Not Found"* ]]; then
+ echo "Code Scanning is not enabled"
+ exit 1
+ else
+ echo "Code Scanning is enabled"
+ fi
+
+ - name: Check Secrets Scanning
+ id: check_secrets_scanning
+ run: |
+ echo "Checking if Secrets Scanning is enabled..."
+ SECRETS_SCANNING=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ github.repository }}/actions/secrets)
+ if [[ "$SECRETS_SCANNING" == *"Not Found"* ]]; then
+ echo "Secrets Scanning is not enabled"
+ exit 1
+ else
+ echo "Secrets Scanning is enabled"
+ fi
+
+ - name: Summary
+ run: echo "All checks passed. All required GitHub Advanced Security features are enabled."
\ No newline at end of file
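Review bot: All three checks fail open — each step only tests whether the response body contains the substring "Not Found", so a 401/403 from a token that lacks `security-events: read` (the workflow declares no `permissions:` block, and a `pull_request` from a fork gets a read-only token), a rate-limit response, or an empty body when `curl -s` itself fails all print "enabled" and let the job pass; as I recall the Dependabot and code scanning alert endpoints also answer 403 rather than 404 when the feature is off, which the substring test misses too. The Secrets Scanning step additionally queries `/actions/secrets`, which lists Actions repository secrets and says nothing about secret scanning; the secret scanning alerts endpoint is `/secret-scanning/alerts`. Compare the HTTP status instead of grepping the body, fail on anything other than 200, and grant the token the permission the alert endpoints need; the Dependabot and Code Scanning steps take the same shape as the two shown below.
```yaml
permissions:
  contents: read
  security-events: read   # required to read Dependabot / code scanning / secret scanning alerts
# … unchanged: on:, jobs.check.runs-on …
      - name: Check Dependabot
        id: check_dependabot
        run: |
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            "https://api.github.com/repos/${{ github.repository }}/dependabot/alerts")
          if [[ "$status" != "200" ]]; then
            echo "Dependabot alerts are not enabled or not readable (HTTP $status)"
            exit 1
          fi
# … unchanged: Check Code Scanning step, same status-code pattern …
      - name: Check Secrets Scanning
        id: check_secrets_scanning
        run: |
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            "https://api.github.com/repos/${{ github.repository }}/secret-scanning/alerts")
          if [[ "$status" != "200" ]]; then
            echo "Secret scanning is not enabled or not readable (HTTP $status)"
            exit 1
          fi
# … unchanged: Summary step …
```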