About GitHub Advanced Security products
GitHub has many features that help you improve and maintain the quality of your code. Some of these are included in all plans, such as dependency graph and Dependabot alerts.
Other security features require you to purchase one of GitHub's Advanced Security products:
- GitHub Secret Protection, which includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
- GitHub Code Security, which includes features that help you find and fix vulnerabilities, like code scanning, premium Dependabot features, and dependency review.
Some of these features, such as code scanning and secret scanning, are enabled for public repositories by default. To run the feature on your private or internal repositories, you must purchase the relevant GitHub Advanced Security product.
You must be on a GitHub Team or GitHub Enterprise plan in order to purchase GitHub Code Security or GitHub Secret Protection. For more information, see GitHub’s plans and About billing for GitHub Advanced Security.
GitHub Code Security
You get the following features with GitHub Code Security:
-
Code scanning: Search for potential security vulnerabilities and coding errors in your code using CodeQL or a third-party tool.
-
CodeQL CLI: Run CodeQL processes locally on software projects or to generate code scanning results for upload to GitHub.
-
Copilot Autofix: Get automatically generated fixes for code scanning alerts.
-
Security campaigns: Reduce security debt at scale.
-
Custom auto-triage rules for Dependabot: Manage your Dependabot alerts at scale, by automating which alerts you want to ignore, snooze, or trigger a Dependabot security update for.
-
Dependency review: Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.
-
Security overview: Understand the distribution of risk across your organization.
The table below summarizes the availability of GitHub Code Security features for public and private repositories.
| Public repository without GitHub Secret Protection | Private repository without GitHub Code Security | Public or private repository with GitHub Code Security | |
|---|---|---|---|
| Code scanning | |||
| CodeQL CLI | |||
| Copilot Autofix | |||
| Security campaigns | |||
| Custom auto-triage rules | |||
| Dependency review | |||
| Security overview |
For more information about features, see GitHub security features.
GitHub Secret Protection
You get the following features with GitHub Secret Protection:
-
Secret scanning: Detect secrets, for example keys and tokens, that have been checked into a repository and receive alerts.
-
Push protection: Prevent secret leaks before they happen by blocking commits containing secrets.
-
Copilot secret scanning: Leverage AI to detect unstructured credentials, such as passwords, that have been checked into a repository.
-
Custom patterns: Detect and prevent leaks for organization-specific secrets.
-
Delegated bypass for push protection and Delegated alert dismissal: Implement an approval process for better control over who in your enterprise can perform sensitive actions, supporting governance at scale.
-
Security overview: Understand the distribution of risk across your organization.
The table below summarizes the availability of GitHub Secret Protection features for public and private repositories.
| Public repository without GitHub Secret Protection | Private repository without GitHub Secret Protection | Public or private repository with GitHub Secret Protection | |
|---|---|---|---|
| Secret scanning | |||
| Push protection | |||
| Copilot secret scanning | |||
| Custom patterns | |||
| Delegated bypass for push protection | |||
| Security overview |
For more information about individual features, see GitHub security features.
Run an assessment of your organization's exposure to secret leaks
Organizations on GitHub Team and GitHub Enterprise can run a free report to scan the code in the organization for leaked secrets. This can help you understand the current exposure of repositories in your organization to leaked secrets, as well as help you see how many existing secret leaks could have been prevented by GitHub Secret Protection. See About the secret risk assessment.
Deploying GitHub Code Security and GitHub Secret Protection
To learn about what you need to know to plan your deployment of GitHub Code Security and GitHub Secret Protection at a high level and to review the rollout phases we recommended, see Adopting GitHub Advanced Security at scale.
Enabling features
You can quickly enable security features at scale with the GitHub-recommended security configuration, a collection of security enablement settings you can apply to repositories in an organization. You can then further customize Advanced Security features at the organization level with global settings. See About enabling security features at scale.
If you are on a GitHub Team or GitHub Enterprise plan, license use for the entire team or enterprise is shown on your license page. See Viewing and downloading licensed use of Advanced Security.
Leveraging GitHub Copilot Chat to understand security alerts
Additionally, with a GitHub Copilot Enterprise license, you can ask GitHub Copilot Chat for help to better understand security alerts in repositories in your organization (code scanning, secret scanning, and Dependabot alerts). See Asking GitHub Copilot questions in GitHub.
About GitHub Advanced Security Certification
You can highlight your knowledge by earning a GitHub Advanced Security certificate with GitHub Certifications. The certification validates your expertise in vulnerability identification, workflow security, and robust security implementation. See About GitHub Certifications.
About GitHub Advanced Security with Azure Repos
If you want to use GitHub Advanced Security with Azure Repos, see GitHub Advanced Security & Azure DevOps in our resources site. For documentation, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.