
GitHub Advanced Security: CodeQL, Dependabot, and Secret Scanning in Practice

A review of GitHub Advanced Security covering CodeQL SAST, Dependabot SCA, secret scanning, and how the integrated security experience works for development teams.

James
Supply Chain Security Analyst
6 min read

GitHub Advanced Security (GHAS) bundles three security capabilities into the platform where most developers already work: CodeQL for code scanning, Dependabot for dependency security, and secret scanning for credential detection. The promise is security that meets developers where they are. After deploying GHAS across several organizations, here is what that looks like in practice.

What GHAS Includes

Code Scanning (CodeQL): Semantic static analysis using GitHub's CodeQL engine. Supports C, C++, C#, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, and Swift.

Dependabot: Three components. Dependabot Alerts notify you of vulnerable dependencies. Dependabot Security Updates automatically create PRs to fix vulnerable dependencies. Dependabot Version Updates keep dependencies current.

Secret Scanning: Detects secrets (API keys, tokens, passwords) committed to repositories. Includes push protection to prevent secrets from being committed in the first place.

Security Overview: Dashboard views at the organization and enterprise level showing security posture across repositories.

Note that Dependabot Alerts, Security Updates, and Version Updates are free on every GitHub plan, and partner-pattern secret scanning and push protection are free for public repositories. The paid GHAS add-on is what brings CodeQL code scanning and secret scanning (including push protection and custom patterns) to private repositories.

CodeQL in Practice

CodeQL is the centerpiece of GHAS and the most technically impressive component. It compiles your code into a queryable database and runs security queries against it. The depth of analysis is significant. CodeQL traces data flow through function calls, class hierarchies, and module boundaries. It finds vulnerabilities that pattern-based scanners miss.

The default query suite covers the injection-style OWASP Top 10 classes well: SQL injection, XSS, path traversal, command injection, and SSRF are reliably detected for the supported languages. Classes that depend on application logic, such as broken access control, are outside what any SAST engine can find on its own. Java and JavaScript have the most mature query libraries.
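The kind of finding that separates data-flow analysis from pattern matching, as an added example (not code from GitHub or from this review's author): the user-controlled value is concatenated into SQL inside a helper that never mentions `execute`, so a regex over `execute()` calls sees nothing, while CodeQL's `py/sql-injection` query follows the value from source through the helper to the sink (when `name` comes from a remote source such as a web request parameter, which the caller stands in for here). The table contents and attacker input are constructed for the example, and the parameterized version beside it is the fix CodeQL's remediation guidance points to.

```python
"""Vulnerable SQL construction through a helper, beside the parameterized fix.

Added example; the users table and the payload are constructed sample data.
"""
import sqlite3


def _connect() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def _build_lookup(name: str) -> str:
    # This helper carries the taint. Nothing in it calls the database, so a
    # grep for execute() with string formatting never links the user input to
    # the query; a data-flow engine does, because it follows the return value.
    return "SELECT name, role FROM users WHERE name = '" + name + "'"


def find_user_vulnerable(name: str) -> list[tuple[str, str]]:
    # Source: `name` is request-controlled (the caller simulates the request).
    # Sink: cursor.execute() runs SQL text assembled from that value.
    conn = _connect()
    query = _build_lookup(name)
    return conn.execute(query).fetchall()


def find_user_fixed(name: str) -> list[tuple[str, str]]:
    # Parameterized query: the value travels separately from the SQL text, so
    # no user input is ever interpreted as SQL.
    conn = _connect()
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"  # constructed attacker input
    print("vulnerable:", find_user_vulnerable(payload))  # every row comes back
    print("fixed:     ", find_user_fixed(payload))  # no row has that literal name
```

Run it and the vulnerable path returns all three users for the tautology payload, while the parameterized path returns nothing; that difference in behaviour is exactly the source-to-sink path the PR annotation describes.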

The developer experience is where CodeQL excels. Findings appear as annotations in pull requests with clear descriptions, affected code paths, and remediation suggestions. Developers can dismiss findings with a reason, which creates an audit trail. The integration feels native because it is native.

The downside is analysis time. CodeQL database creation takes 5-30 minutes depending on language and codebase size. For large monorepos, this can be a bottleneck. The usual mitigation is to run CodeQL on a schedule rather than on every PR for large projects, which lengthens the developer feedback loop from minutes to hours or days and gives up some of the in-PR experience that is CodeQL's main selling point.

Dependabot Effectiveness

Dependabot Alerts leverage the GitHub Advisory Database, which is one of the most comprehensive advisory databases available. It aggregates NVD data, security advisories from package registries, and community reports. The advisory quality is high because GitHub employs reviewers who verify and enrich submissions. One consequence worth knowing: Dependabot alerts are generated only from GitHub-reviewed advisories, so an unreviewed entry in the database produces no alert until a reviewer has processed it.

Dependabot Security Updates automatically create PRs to resolve vulnerable dependencies. The PRs include the advisory details, compatibility scores, and CI status. For simple version bumps, this is a significant time saver.

The limitation is that Dependabot operates at the manifest and lockfile level. It knows what your package.json and lockfile declare, but it does not analyze whether the vulnerable code is actually called. Transitive dependency vulnerabilities are reported through alerts, but an automated fix is only offered when the patched version can be reached by bumping something in your own manifest or lockfile; if the direct dependency that pulls in the vulnerable package pins a range that excludes the fix, you wait for that dependency's maintainer.
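To see why a transitive fix is sometimes out of Dependabot's hands, here is an added example (not Dependabot's own code) that walks a constructed npm `package-lock.json` (lockfileVersion 3 layout, where `packages` is keyed by install path and `""` is the root project), finds every chain from the root to a vulnerable package, and checks whether the immediate parent's declared range admits the patched version. The package names, versions and the advisory's fixed version are constructed; the range check models only npm's default caret form, which is an assumption stated in the code.

```python
"""Which direct dependency stands between you and a patched transitive package.

Added example with a constructed lockfile; only "^x.y.z" ranges are modelled.
"""
import json

# Constructed sample lockfile: the app depends directly on "web-framework" and
# "logger"; both depend on "tiny-parser", the package we pretend has an advisory.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0", "logger": "^1.2.0"}},
        "node_modules/web-framework": {
            "version": "4.1.0", "dependencies": {"tiny-parser": "^1.0.0"}},
        "node_modules/logger": {
            "version": "1.2.3", "dependencies": {"tiny-parser": "^1.0.0"}},
        "node_modules/tiny-parser": {"version": "1.4.2"},
    },
})


def _package_name(install_path: str) -> str:
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return install_path.rsplit("node_modules/", 1)[-1]


def _resolve(packages: dict, parent_path: str, dep: str):
    # npm resolution: the parent's own nested node_modules first, then each
    # ancestor's, up to the root. Returns the install path or None.
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{dep}" if path else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        idx = path.rfind("/node_modules/")
        path = path[:idx] if idx != -1 else ""


def _parse(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def _caret_admits(spec: str, version: str) -> bool:
    # Assumption: only "^x.y.z" with major >= 1 (same major, at least the base).
    # Real SCA tools implement the full semver range grammar.
    if not spec.startswith("^"):
        raise ValueError(f"unsupported range spec: {spec}")
    base, candidate = _parse(spec[1:]), _parse(version)
    return candidate[0] == base[0] and candidate >= base


def dependency_paths(lock_json: str, target: str) -> list:
    """Every chain of package names from the root to `target`, with the range
    the last parent declares for it."""
    packages = json.loads(lock_json)["packages"]
    found = []

    def walk(install_path, chain, seen):
        deps = packages.get(install_path, {}).get("dependencies", {})
        for dep, spec in deps.items():
            resolved = _resolve(packages, install_path, dep)
            if resolved is None or resolved in seen:
                continue  # missing from lock, or a cycle
            name = _package_name(resolved)
            if name == target:
                found.append((chain + [name], spec))
            else:
                walk(resolved, chain + [name], seen | {resolved})

    walk("", [], frozenset())
    return found


def fix_plan(lock_json: str, target: str, fixed_version: str) -> list:
    """For each route to `target`, can the lockfile simply move to
    `fixed_version`, or must the direct dependency at the head of the chain
    ship a release that widens its range first?"""
    plan = []
    for chain, spec in dependency_paths(lock_json, target):
        plan.append({
            "direct": chain[0],
            "via": chain[-2] if len(chain) > 1 else None,
            "spec": spec,
            "lockfile_bump_possible": _caret_admits(spec, fixed_version),
        })
    return plan


if __name__ == "__main__":
    for fixed in ("1.5.0", "2.0.0"):
        print(fixed, fix_plan(SAMPLE_LOCK, "tiny-parser", fixed))
```

With a fix released as 1.5.0, both parents' `^1.0.0` ranges admit it and a lockfile-only update works; with the fix in 2.0.0, neither range admits it, which is the case where the alert stays open until `web-framework` and `logger` publish releases of their own.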

Dependabot Version Updates keep dependencies current, which is valuable as a preventive measure. Projects that stay current with minor and patch updates are less likely to accumulate vulnerability debt. The configuration through dependabot.yml is straightforward but limited compared to Renovate.

Secret Scanning

Secret scanning checks repository content (including history) for patterns matching known secret formats from partner providers. GitHub partners with over 200 service providers (AWS, Azure, Slack, Stripe, etc.) to detect their secret formats and, in some cases, automatically revoke detected secrets.

Push protection is the more impactful feature. It blocks pushes that contain detected secrets before they enter the repository. This prevents the "committed and then tried to remove" pattern that leaves secrets in git history.

Custom pattern support lets organizations define their own secret patterns. If your organization uses internal services with specific token formats, you can add detection patterns. This is more useful than it sounds because many security incidents involve internal credentials, not just third-party API keys.
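The difference between scanning what is in the tree and checking what a push introduces, which is the point of push protection, as an added example (not GitHub's scanner). Two detection patterns are used: the public AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics, matched here against AWS's documented example key) stands in for a partner pattern, and a made-up `acme_tok_` hex token stands in for a custom pattern. The commit history is constructed: a key is committed, then removed, then a later commit leaks an internal token.

```python
"""Tree scan versus push-time scan over a constructed commit history.

Added example. PATTERNS mixes one real public format (AWS access key IDs) with
one hypothetical internal format; the commits are constructed sample data.
"""
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Hypothetical internal token format, the kind of thing a custom pattern
    # would encode: fixed prefix plus 32 hex characters.
    "acme_internal_token": re.compile(r"\bacme_tok_[0-9a-f]{32}\b"),
}

# Constructed history: each entry is a full snapshot of the repository after
# that commit. c1 commits a key, c2 replaces it with an env lookup, c3 adds a
# README line containing an internal token.
COMMITS = [
    {"id": "c1", "tree": {
        "README.md": "# sample app\n",
        "app/settings.py": "DEBUG = False\n"
                           "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"}},
    {"id": "c2", "tree": {
        "README.md": "# sample app\n",
        "app/settings.py": "DEBUG = False\n"
                           "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"}},
    {"id": "c3", "tree": {
        "README.md": "# sample app\n"
                     "Support token: acme_tok_0123456789abcdef0123456789abcdef\n",
        "app/settings.py": "DEBUG = False\n"
                           "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"}},
]


def scan_lines(lines: list) -> list:
    """(pattern_name, line_number, matched_text) for every hit in `lines`."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((name, number, match.group(0)))
    return hits


def scan_tree(tree: dict) -> list:
    """What a scan of the checked-out tree sees: only current content, so a
    secret that was committed and later removed is invisible here."""
    return [(path,) + hit
            for path, content in sorted(tree.items())
            for hit in scan_lines(content.splitlines())]


def _added_lines(old: str, new: str) -> list:
    # Crude diff: lines in the new version that the old one did not have.
    old_lines = set(old.splitlines()) if old else set()
    return [line for line in new.splitlines() if line not in old_lines]


def scan_push(commits: list) -> list:
    """Emulate push protection: inspect the lines each pushed commit adds, so a
    secret is caught even when a later commit in the same push deletes it."""
    findings = []
    previous = {}
    for commit in commits:
        for path, content in sorted(commit["tree"].items()):
            for name, _, match in scan_lines(_added_lines(previous.get(path), content)):
                findings.append((commit["id"], path, name, match))
        previous = commit["tree"]
    return findings


if __name__ == "__main__":
    print("tree scan of HEAD:", scan_tree(COMMITS[-1]["tree"]))
    print("push-time scan:   ", scan_push(COMMITS))
```

The tree scan of the final snapshot reports only the internal token; the push-time scan additionally reports the AWS key from c1, which is the credential that would otherwise sit in history after the "remove it in the next commit" cleanup. A real pre-receive check blocks the whole push on any finding, and the key would then have to be treated as exposed only if it had actually left the developer's machine.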

Security Overview

The Security Overview dashboard provides organization-level visibility into security findings across repositories. You can see which repositories have code scanning enabled, which have open vulnerability alerts, and which have unresolved secret scanning findings.

The dashboard is useful for security teams managing hundreds of repositories. It answers "how much of our organization is covered" and "where are the biggest gaps." The filtering and export capabilities are adequate for reporting purposes.

Pricing

GHAS costs $49 per active committer per month for GitHub Enterprise Cloud. An active committer is anyone who has committed to a repository with GHAS enabled in the last 90 days. For an organization with 200 active committers, that is roughly $118,000 annually.

The per-committer model has implications for large organizations with many occasional contributors. A developer who makes one commit to a GHAS-enabled repository counts the same as one who commits daily, although each person is billed once regardless of how many GHAS-enabled repositories they touch. Organizations often enable GHAS selectively on their most critical repositories to manage costs.

For GitHub Enterprise Server (self-hosted), GHAS is available as an add-on with different pricing.

Strengths

The native integration with GitHub's developer workflow is unmatched. No other security tool provides as seamless an experience for GitHub users. Findings in PRs, security dashboards in the repository, and organization-level visibility all work without additional integration effort.

The CodeQL analysis depth is genuinely best-in-class for the languages it supports. GitHub's investment in CodeQL research continues to improve the query libraries.

The GitHub Advisory Database is a community asset that benefits even organizations not using GHAS.

Weaknesses

GHAS is GitHub-only. If your organization uses multiple Git platforms, GHAS cannot cover the non-GitHub repositories.

The SCA capabilities (Dependabot) are less sophisticated than dedicated SCA tools. No reachability analysis, limited policy engine, basic reporting. Organizations with serious SCA requirements typically supplement Dependabot with Snyk, Sonatype, or another dedicated tool.

CodeQL's language support, while growing, is narrower than alternatives like Semgrep. PHP, Rust, and Elixir developers are not covered.

How Safeguard.sh Helps

Safeguard.sh extends GHAS with dedicated supply chain security capabilities. While GHAS provides excellent in-flow security scanning, Safeguard.sh adds SBOM management, cross-repository dependency tracking, and vulnerability lifecycle management that goes beyond what a development platform can offer. For organizations using GHAS, Safeguard.sh provides the supply chain security layer that ties together GitHub's findings with data from other environments, creating organizational visibility that spans beyond any single platform.
