GHAS — Playbook

In one sentence

GitHub Advanced Security (GHAS) is GitHub's paid add-on that bundles security features. It was the license needed to enable code scanning and secret scanning on private repos.

In April 2025, it was split into GitHub Secret Protection and GitHub Code Security — you can now buy only the features you need.

🌐 Public repos continue to get everything for free. A GHAS / Secret Protection / Code Security license is only required when you want to enable features on private / internal repos. 🤖 Dependabot itself (alerts / security updates / version updates / dependency graph) is completely free on every plan — no GHAS required. See Dependabot ↗.

What’s included?

Product	Key features	Details
🔑 Secret Protection	Secret scanning · Push protection (org/repo level) · Custom patterns · AI detection · Validity checks	Secret Scanning ↗
🔍 Code Security	Code scanning (CodeQL) · Copilot Autofix · Security campaigns · Dependency review (PR enforcement) · Security overview	Code Scanning ↗

Pricing (from April 2025)

Product	Price	Billing unit
🔑 GitHub Secret Protection	$19 / month	active committer
🔍 GitHub Code Security	$30 / month	active committer
📦 Both together	$49 / month	active committer

👥 Active committer = a unique committer who pushed to a repository with the feature enabled during the past 90 days. The same person counts as one across any number of repositories
💳 Metered (pay-as-you-go) model — no need to reserve license seats upfront; you’re billed only for the people who actually push
🏷️ Available on GitHub Team plan too (previously Enterprise-only)
🆓 Public repos are completely free — open source projects need no license

💡 If you only need secret scanning, Secret Protection alone ($19) is enough. Add Code Security ($30) when you also want CodeQL — the split model lets you adopt incrementally.

How to think about licensing

🌐 Public repos only? Do nothing — everything is free
🆓 Enable free features for private repos first — Dependabot (alerts / updates), user-level push protection, and Secret Risk Assessment (one-time inventory)
🔑 Want org-level enforcement against secret leaks? → Buy Secret Protection
🔍 Want code vulnerability scanning (CodeQL) and Autofix too? → Add Code Security

🎯 Start with a Risk Assessment (below) to visualize how many secrets and vulnerabilities are hiding in your org — then evaluate the cost-effectiveness of Secret Protection / Code Security.

Pre-purchase inventory — Risk Assessments

GitHub provides two Risk Assessments to visualize your organization's security posture — no license required, completely free.

Both can be triggered with a single click from Org → Security → Assessments, and you can review the results before deciding to purchase Secret Protection / Code Security.

Assessment	What it shows	Scope	Frequency	Details
🔑 Secret Risk Assessment	Types and count of secrets hiding in org repos	All repos (public / private / internal / archived)	Once	Secret Scanning ↗
🔍 Code Security Risk Assessment	Code vulnerabilities detected by CodeQL (severity / language / Autofix-eligible count)	Up to 20 most active repos	Once every 90 days	Code Scanning ↗

🆓 Completely free — no GHAS / Secret Protection / Code Security license required
🛂 Permissions — only Organization owners or security managers can run them
📊 Output — aggregated reports (individual secret values and code are not stored on GitHub servers)
🏷️ Eligible plans — GitHub Team and GitHub Enterprise Cloud (Server support expected in 3.22)
⚙️ Actions minutes — Code Security Risk Assessment does not consume your regular Actions quota

💡 Use these first when you “need numbers for a budget proposal” or “want to see the impact before buying.” Running both on the same day gives you a complete view of your organization’s security posture in hours.

📘 Risk Assessment references:

📘 GHAS general: