GitHub Advanced Security Cheat Sheet

GitHub Advanced Security (GHAS) is a set of security features that help you find and fix vulnerabilities and prevent secret leaks in your code. It is available as two separate products: GitHub Secret Protection and GitHub Code Security. These products can be purchased by accounts on GitHub Team or GitHub Enterprise Cloud. Some features are available for free on public repositories.

Who Can Use GitHub Advanced Security?

  • GitHub Secret Protection and GitHub Code Security are available for accounts on GitHub Team and GitHub Enterprise Cloud.

  • Some features are also available for free for public repositories on GitHub.com.

  • For a full comparison of features across plans, see GitHub’s plans.

GitHub Secret Protection

Secret Protection helps you detect and prevent secret leaks in your code. It includes the following features:

| Feature | Description |
| --- | --- |
| Secret scanning | Detects secrets, such as keys and tokens, that have been checked into a repository and raises alerts. |
| Push protection | Prevents secret leaks before they happen by blocking commits that contain secrets. |
| Copilot secret scanning | Uses AI to detect unstructured credentials, such as passwords, that have been checked into a repository. |
| Custom patterns | Detects and prevents leaks of organization-specific secrets. |
| Delegated bypass for push protection | Adds an approval process for better control over who can bypass push protection. |
| Security campaigns | Remediates exposed secrets at scale by creating a campaign and collaborating to fix them. |
| Security overview | Shows the distribution of risk across your organization. |

Feature Availability – Code Security

| Feature | Public repository (without Code Security) | Private repository (without Code Security) | Public or private repository (with Code Security) |
| --- | --- | --- | --- |
| Code scanning | Yes | No | Yes |
| CodeQL CLI | Yes | No | Yes |
| Copilot Autofix | Yes | No | Yes |
| Security campaigns | No | No | Yes |
| Custom auto-triage rules | No | No | Yes |
| Dependency review | Yes | No | Yes |
| Security overview | Yes | Yes | Yes |

Licensing and Billing

How Usage Is Measured

  • License usage is calculated based on unique, active committers to repositories with GitHub Secret Protection or GitHub Code Security features enabled.

  • An active committer is someone whose commit has been pushed to a repository within the last 90 days.

  • GitHub App bots are ignored in license calculations.

  • Usage is measured across the whole organization or enterprise to ensure each member uses only one license, even if they contribute to multiple repositories.

Billing Models

| Model | Description |
| --- | --- |
| Metered billing | Pay monthly for the number of licenses used by active committers. No predefined license limit. Available for GitHub Enterprise Cloud and GitHub Enterprise Server 3.13+ (with GitHub Connect). |
| Volume/subscription billing | Purchase a specific number of licenses for a defined period (typically at least a year). If usage exceeds the purchased licenses, you need to purchase additional licenses to cover the overage. |

What Happens When You Exceed License Limits

  • Features continue working on already-enabled repositories.

  • You cannot enable Secret Protection or Code Security on any additional repositories until you free up licenses or increase your license count.

  • New repositories created where features are set to auto-enable will be created with the products disabled.

Free Access

  • All public repositories on GitHub.com get code scanning, secret scanning, and dependency review for free.

  • Secret risk assessment is available for free for organizations on GitHub.com.

Security Features Available for All Plans

The following security features are available on all GitHub plans, without needing to purchase Advanced Security:

  • Security policy – Allow users to confidentially report security vulnerabilities.

  • Dependency graph – Explore ecosystems and packages your repository depends on.

  • Software Bill of Materials (SBOM) – Export dependency graph as an SPDX-compatible SBOM.

  • GitHub Advisory Database – Browse a curated list of security vulnerabilities.

  • Dependabot alerts and security updates – Get alerts about vulnerable dependencies and automatic pull requests to update them.

  • Dependabot version updates – Automatically raise pull requests to keep dependencies up-to-date.

  • Repository security advisories – Privately discuss and fix security vulnerabilities in public repositories.

  • Repository rulesets – Enforce consistent code standards, security, and compliance across branches.

  • Artifact attestations – Create unfalsifiable provenance for software builds (public repositories only on lower plans; private/internal require GitHub Enterprise Cloud).

  • Secret scanning alerts for partners – GitHub alerts service providers when their secrets are leaked in public repositories.

  • Push protection for users – Automatically protects you from accidentally committing secrets to public repositories (on by default).

Deployment and Enablement

Running a Secret Leak Assessment

Organizations on GitHub Team and GitHub Enterprise can run a free report to scan code for leaked secrets. This helps you understand current exposure and see how many leaks could have been prevented by GitHub Secret Protection.

Enabling Features at Scale

  • Use the GitHub-recommended security configuration to quickly enable security features across repositories in an organization.

  • Further customize Advanced Security features at the organization level with global settings.

  • License use for the entire team or enterprise is shown on your license page.

GitHub Advanced Security with Azure DevOps

GitHub Advanced Security for Azure DevOps adds GHAS security features to Azure Repos. It is available as two products: GitHub Secret Protection for Azure DevOps and GitHub Code Security for Azure DevOps.

| Product | Included features |
| --- | --- |
| Secret Protection | Push protection (blocks commits containing secrets), secret scanning alerts with notifications, security overview. |
| Code Security | Dependency alerts (for open-source vulnerabilities), CodeQL scanning, security findings for third-party tools, security overview. |

Prerequisites

  • Permissions:

    • Contributor access to view alert summaries.

    • Project Administrator to dismiss alerts.

    • Membership of the Project Collection Administrators group, or the “Advanced Security: manage settings” permission set to Allow, to manage permissions.

  • Self-hosted agents (if used):

    • Add required URLs to your allowlist (e.g., https://advsec.dev.azure.com).

    • Run a compatible .NET runtime (currently .NET 8.x).

    • Ensure the CodeQL bundle is installed or use the enableAutomaticCodeQLInstall: true pipeline variable.

Enablement

Advanced Security can be enabled at three levels; in each case you toggle the products on and begin billing.

  • Repository-level: Go to Project Settings > Repos > Repositories, select the repo, toggle the product, and click Begin billing.

  • Project-level: Go to Project Settings > Repos > Settings, click Enable all to see an estimate, toggle products, click Begin billing.

  • Organization-level: Go to Organization Settings > Repositories, click Enable all to see an estimate, toggle products, click Begin billing.

Setup Guides

  • Secret Scanning: Automatically enabled with Secret Protection.

  • Dependency Scanning: Requires Code Security. Use the “Scan for vulnerable dependencies” setting for the default branch, or add the AdvancedSecurity-Dependency-Scanning@1 task to pipelines.

  • Code Scanning: Requires Code Security. Add tasks to a pipeline in this order:

    1. AdvancedSecurity-Codeql-Init@1 (specify languages like java, javascript).

    2. Your custom build steps.

    3. AdvancedSecurity-Codeql-Analyze@1.

  • Pull Request Annotations: Automatically configured for PRs with build validation policies that include the scanning tasks.
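The task ordering above, together with the pipeline form of dependency scanning from the Dependency Scanning bullet, as an added Azure Pipelines example that is not part of the original cheat sheet; the trigger branch, agent image and Maven build command are assumptions.

```yaml
# Added example (not from the cheat sheet): wiring the GitHub Advanced Security for Azure DevOps
# tasks in the required order. Branch name, pool image and build command are assumptions.
trigger:
  - main

pool:
  vmImage: ubuntu-latest   # Microsoft-hosted agent; a self-hosted agent must also meet the prerequisites above

variables:
  # Lets the Init task install the CodeQL bundle on agents that do not already have it
  enableAutomaticCodeQLInstall: true

steps:
  # 1. Initialize CodeQL before the build so compiled languages are traced while they build
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: Initialize CodeQL
    inputs:
      languages: 'java, javascript'

  # 2. Custom build steps go between Init and Analyze (assumed: a Maven build)
  - script: mvn -B package
    displayName: Build

  # 3. Run the CodeQL analysis and publish the findings to Advanced Security
  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: Analyze with CodeQL

  # Dependency scanning as a pipeline task, the alternative to the default-branch setting
  - task: AdvancedSecurity-Dependency-Scanning@1
    displayName: Scan dependencies
```

When this pipeline is used in a build validation policy, the scanning findings are surfaced as pull request annotations, as described in the last bullet above.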

Written by: Joshua Emmanuel Santiago

Joshua, a college student at Mapúa University pursuing a BS IT course, serves as an intern at Tutorials Dojo.