Skip to content
GitHub Advanced Security

Application security
built in, not bolted on.

With application security tools at their fingertips, developers fix vulnerabilities up to 7x faster than those using third-party tools.1

GitHub Security is used by

Telus's logoFidelity's logoMercado Libre's logoShopify's logoLinkedIn's logo3M's logoKPMG's logoRaiffeisen Bank International's logoDeutsche Börse's logo
Enterprise-ready

Fixes in minutes,
not months.

With AI-powered static analysis, secret scanning, and software composition analysis, GitHub Advanced Security helps developers and security teams work together to accelerate the delivery of more secure software.

Secure code, accelerated.

7x
faster
fixes

Detect, prevent, and remediate vulnerabilities more than 7x faster than the industry average.1

2.4x
more
precise.

Finds leaked secrets with
fewest false positives.2

Prevent secret leaks.

Screenshot of a failed git push due to the detection of a secret

Found means fixed.

Code scanning autofix example that highlights the line of vulnerable code and adds a secure code suggestion

Keep vulnerabilities out of your code.

Telus's logo
GitHub Advanced Security helps developers fix potential issues before production.
Mercado libre's logo

Features

For developers who love to code. Detect, prevent, and fix vulnerabilities without leaving your flow.

Secure code in your flow.

With actionable feedback in the pull request, code scanning helps you find, triage, and prioritize security vulnerabilities right in your workflow.

CodeQL warns of a reflected cross-site scripting vulnerability

Available in public beta – March, 2024Public beta – March, 2024AI-powered security fixes.

Confidently resolve vulnerabilities before they make it to production with code suggestions in the pull request. With code scanning autofix, powered by GitHub Copilot, you don’t need to be a security expert to write more secure code.

Code scanning autofix identifies vulnerable code and provides an explanation, together with a secure code suggestion to remediate the vulnerability

Secure your secrets, protect your business.

Secret scanning with push protection guards over 200 token types and patterns from more than 180 service providers, including secrets unique to your organization.

GitHub push protection confirms an active secret and blocks the push
Push protection is such a beautiful workflow. We’ve never received a single complaint from developers.

Dependencies you can depend on.

Secure, manage, and report on software supply chains with automated security and version updates and one-click software bills of material (SBOMs).
Secure your end-to-end supply chain
Dependency review identifies high severity vulnerabilities in a .json package

Security status at a glance.

Verify progress and track trends to prioritize remediation tasks across multiple repositories.
Discover security overview
Trend graph showing a decline in critical vulnerabilities over time

Your workflows,
your tools.

With support for more than 17,000 app integrations and actions templates, GitHub Advanced Security provides one workflow for your entire toolchain.
Explore GitHub Marketplace
Chat
Project management
Code Quality
Deployment
Continuous Integration
Learning
Monitoring
Security
Testing
API Management
Code review
Dependency management
IDEs
Localization
Mobile
Publishing
Recently added
Support
Utilities

Security expertise at your command.

Powered by security experts and a global community of more than 100m developers, GitHub Advanced Security provides the insights and automation you need to ship more secure software on schedule.

Visit the Security Lab
Insights and remediation advice for a critical Log4j vulnerability as documented in the GitHub Advisory Database
Pricing

Enable native security
for every repository.

Eliminate toolchain cost and complexity with native DevSecOps tools for
GitHub Enterprise and Azure DevOps.

Included with all plans

Standard Security

Manage and secure open source components and public repositories

$0USD
For all users and plans
Learn more
What’s included:
Code Scanning
  • Code scanning for public repositories
  • Code scanning autofix, powered by GitHub Copilot**
  • Contextual vulnerability intelligence and advice
  • Hunt zero-day threats and their variants
Secret Scanning
  • Find secrets in public repositories only
  • Block secrets on pushes to public repositories
  • Revoke and notify on leaked secrets
Supply Chain
  • Identify and update vulnerable open source components
  • Access intelligence in the GitHub Advisory Database
  • Report vulnerabilities to open source maintainers
  • Generate and export SBOMs
  • Manage transitive dependencies with submission API
  • Detect calls to vulnerable functions (public repositories)
  • Define and enforce auto-triage rules
Administration
  • View security metrics and insights
  • Assess feature adoption and code security risk
  • Enable security features for multiple repositories

Requires GitHub Enterprise or Azure DevOps

GitHub Advanced Security

Detect, prevent, and remediate vulnerabilities in all public and private repositories

$49USD
per month / per active committer
Contact sales
What’s included:
Code Scanning
  • Code scanning for private and public repositories
  • Code scanning autofix, powered by GitHub Copilot**
  • Contextual vulnerability intelligence and advice
  • Hunt zero-day threats and their variants
Secret Scanning
  • Find secrets in public and private repositories
  • Block secrets on pushes to public and private repositories
  • Revoke and notify on leaked secrets
Supply Chain
  • Identify and update vulnerable open source components
  • Access intelligence in the GitHub Advisory Database
  • Report vulnerabilities to open source maintainers
  • Generate and export SBOMs
  • Manage transitive dependencies with submission API
  • Detect calls to vulnerable functions (all repositories)
  • Define and enforce auto-triage rules
Administration
  • View security metrics and insights
  • Assess feature adoption and code security risk
  • Enable security features for multiple repositories
** Only with GitHub Advanced Security on GitHub Enterprise Cloud. Public beta in March, 2024.

Get the most out of
GitHub Advanced Security.

How to get started with GitHub Advanced Security (GHAS)

Learn about GitHub Advanced Security and how it can benefit your organization.

Get started with GHAS

GitHub TEI spotlight for GitHub Advanced Security

Read about the benefits of improving software security standards in organizations.

Read the Forrester Report

Security playlist

Learn how industry experts use GitHub Advanced Security to protect their code without sacrificing developer productivity.

Watch the videos

Frequently Asked Questions

General

What is GitHub Advanced Security?

GitHub Advanced Security is the native Static Application Security Testing (SAST) solution for GitHub Enterprise and Azure DevOps. Designed to accelerate the delivery of secure software, GitHub Advanced Security adds cutting-edge tools for static analysis, software composition analysis, and secret scanning to the GitHub platform that developers already know and love. Unlike traditional application security packages that burden the software development toolchain with complex workflows that inhibit adoption, GitHub Advanced Security makes it easy for developers to find and fix vulnerabilities earlier in the software development life cycle. By adding GitHub Advanced Security to the GitHub platform, security leaders can address compliance requirements while empowering development teams to solve customer problems, surpass competitors, and reduce the time-to-value for software development projects.

Why choose GitHub Advanced Security instead of a third-party AppSec product?

Unlike third-party security add-ons, GitHub Advanced Security operates entirely in the native GitHub workflows that developers already know and love. By making it easier for developers to remediate vulnerabilities as they go, GitHub Advanced Security frees time for security teams to focus on critical strategies that protect businesses, customers, and communities from application-based vulnerabilities.

What is DevSecOps?

DevSecOps refers to a combination of the development, security, and operations tools necessary to develop software applications.

What is AppSec?

Application security (AppSec) is the process of finding, fixing, and preventing security vulnerabilities in applications. GitHub Advanced Security provides AppSec tools for static application security testing (SAST), which identifies vulnerabilities in the code itself. Unlike dynamic application security testing (DAST), which probes live applications for vulnerabilities, GitHub Advanced Security helps keep vulnerabilities out of production.

Where can I find information about the security of the GitHub platform?

The GitHub platform itself features multiple layers of security to keep developers and their code safe in transit and at rest.

Evaluation

Which GitHub plans are compatible with GitHub Advanced Security?

GitHub Advanced Security can be added to GitHub Enterprise Cloud (GHEC) and GitHub Enterprise Server (GHES) plans. If you have a free or Team account, you will need to upgrade to a GitHub Enterprise plan before you can add GitHub Advanced Security. You can also request a free trial of both GitHub Enterprise and GitHub Advanced Security; contact sales to learn more.

Can I use GitHub Advanced Security with Microsoft Azure DevOps?

Yes. GitHub Advanced Security is available as an add-on for Azure DevOps.

Can I get a demo or a free trial of GitHub Advanced Security?

Yes. Please contact sales to request a free trial.

Where can I find a video overview of GitHub Advanced Security?

This video provides an overview of GitHub Advanced Security, plus demos of key features like code scanning, AI-powered autofix code suggestions, software supply chain management, and secret scanning.

Where can I find case studies and reference customers?

Read our customer stories to learn how customers like Telus, Mercado Libre, and KPMG use GitHub Advanced Security to secure applications and accelerate the software development lifecycle.

AI

What are the AI-powered features in GHAS?

GitHub Advanced Security leverages the GitHub Copilot to provide code suggestions to remediate vulnerabilities (autofix) and to deliver new secret scanning capabilities such as a regular expression generator for custom patterns.

How does autofix work?

GitHub code scanning analyzes the code in a repository to find security vulnerabilities and other errors. Scans can be triggered on a schedule or upon specified events, such as pushing to a branch or opening a pull request. When a problem is identified, an alert is presented to the user. Code scanning can be used with first- or third-party alerting tools, including open source and private tools. GitHub Advanced Security provides a first-party alerting tool powered by CodeQL, our semantic code analysis engine, which allows querying of a codebase as though it were data. Our in-house security experts have developed a rich set of queries to detect security vulnerabilities across a host of popular languages and frameworks. Building on top of this detection capability, code scanning autofix takes security a step further by suggesting AI-generated fixes for alerts. In its first iteration, autofix is enabled for CodeQL alerts detected in a pull request, beginning with JavaScript, TypeScript, and Python alerts. It explains the problem and its fix strategy in natural language, displays the suggested fix directly in the pull request page, and allows the developer to commit, dismiss, or edit the suggestion. Learn more.

Do I need GitHub Copilot to use AI-powered features in GitHub Advanced Security?

No, a GitHub Copilot license is not required to get AI-powered features like autofix code suggestions in GitHub Advanced Security.

Where can I learn more about code scanning autofix?

Learn more about how GitHub Advanced Security generates and tests autofix code suggestions on GitHub Docs.

Deployment

Can I review documentation before purchase?

Yes. As with all GitHub products, documentation for GitHub Advanced Security is publicly available.

Does GitHub offer consulting, training, and other deployment services?

Yes! Please visit Expert Services to learn more.

More Security Resources

What security features are free to use for public repositories?

As part of our mission to support the open source community and keep open source software safe and reliable for all, GitHub provides security features like code scanning, secret scanning, and supply chain security tools at no charge for use with public repositories.

What is the GitHub Security Lab?

The GitHub Security Lab is a team of security experts who cultivate a collaborative community where developers and security professionals come together to help secure open source software. Our mission: make open source software secure and reliable for the benefit of developers everywhere through collaboration and contributions from maintainers, developers, and security researchers around the world.

What is the Advisory Database, and how is it different from a CVE?

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information about security issues, with a unique number to identify each vulnerability. But while CVEs document vulnerabilities, they don’t tell the whole story. Unlike a CVE, entries in the GitHub Advisory Database contain additional context and remediation guidance – sourced from a global community of security experts and curated by the GitHub Security Lab – to help developers and security teams understand vulnerabilities, assess risk, and fix with confidence.

How can I manage and secure open source dependencies?

GitHub provides extensive supply chain security tools and resources to help developers and maintainers keep open source software up-to-date and secure, including Dependabot. If you’re new to software supply chain security, the Dependabot quickstart guide is a great place to begin.

General

What is GitHub Advanced Security?

GitHub Advanced Security is the native Static Application Security Testing (SAST) solution for GitHub Enterprise and Azure DevOps. Designed to accelerate the delivery of secure software, GitHub Advanced Security adds cutting-edge tools for static analysis, software composition analysis, and secret scanning to the GitHub platform that developers already know and love. Unlike traditional application security packages that burden the software development toolchain with complex workflows that inhibit adoption, GitHub Advanced Security makes it easy for developers to find and fix vulnerabilities earlier in the software development life cycle. By adding GitHub Advanced Security to the GitHub platform, security leaders can address compliance requirements while empowering development teams to solve customer problems, surpass competitors, and reduce the time-to-value for software development projects.

Why choose GitHub Advanced Security instead of a third-party AppSec product?

Unlike third-party security add-ons, GitHub Advanced Security operates entirely in the native GitHub workflows that developers already know and love. By making it easier for developers to remediate vulnerabilities as they go, GitHub Advanced Security frees time for security teams to focus on critical strategies that protect businesses, customers, and communities from application-based vulnerabilities.

What is DevSecOps?

DevSecOps refers to a combination of the development, security, and operations tools necessary to develop software applications.

What is AppSec?

Application security (AppSec) is the process of finding, fixing, and preventing security vulnerabilities in applications. GitHub Advanced Security provides AppSec tools for static application security testing (SAST), which identifies vulnerabilities in the code itself. Unlike dynamic application security testing (DAST), which probes live applications for vulnerabilities, GitHub Advanced Security helps keep vulnerabilities out of production.

Where can I find information about the security of the GitHub platform?

The GitHub platform itself features multiple layers of security to keep developers and their code safe in transit and at rest.

  1. Based on data from the industry’s longest running analysis of fix rates, Veracode State of Software Security 2023. Developers with GitHub Advanced Security fix 48% of vulnerabilities in real time, more than 7x faster than the industry average, where it takes 198 days to reach a 50% fix rate.
  2. A Comparative Study of Software Secrets Reporting by Secret Detection Tools, Setu Kumar Basak et al., North Carolina State University, 2023