If your team ships code on GitHub, you're already sitting on more security tooling than you probably realize — and also further from "secure by default" than the marketing suggests. GitHub hosts code for more than 100 million developers and over 420 million repositories, and it has spent the last several years bolting security features directly into the platform: secret scanning, dependency alerts, and a paid tier called GitHub Advanced Security (GHAS) that adds static analysis and push protection. The problem is that "built into GitHub" doesn't mean "turned on," "free," or "enough." Teams routinely assume Dependabot is scanning everything, that secret scanning covers their private repos, or that GHAS is a checkbox rather than a $19-per-committer-per-month line item. This guide walks through what's actually free, what GHAS adds, what it costs in 2026, and where the gaps are — so you can make an informed call instead of a default one.
What security features come free with every GitHub repository?
Three things are free on every public repository, and two of those extend to private ones on paid plans: Dependabot alerts, Dependabot security updates, and secret scanning (public repos only, on by default since 2022). Dependabot alerts have been free since 2019 and work by cross-referencing your dependency manifests — package-lock.json, requirements.txt, go.sum, and similar — against the GitHub Advisory Database, which pulls from the National Vulnerability Database (NVD) and vendor disclosures. If a match is found, you get an alert on the repo's Security tab. Dependabot security updates go a step further and open an automated pull request bumping the vulnerable package to a patched version, provided one exists in the same major version line. Private repositories on GitHub Team and Enterprise Cloud plans get these same two features at no extra cost — that part is genuinely free, not a GHAS upsell. What's not free on private repos is secret scanning detection for the 200+ token patterns GitHub partners with providers on (AWS, Stripe, Slack, etc.) — that requires GHAS or the newer standalone Secret Protection product.
What is GitHub Advanced Security, and what does it actually add?
GHAS is GitHub's paid security bundle, and it adds three capabilities beyond the free tier: code scanning with CodeQL, secret scanning on private repositories with push protection, and dependency review at the pull-request level. CodeQL is GitHub's semantic static analysis engine (acquired via Semmle in 2019) — it treats your code as a queryable database and runs pattern-based queries to catch SQL injection, path traversal, hardcoded credentials, and similar classes of bugs before merge. Push protection, which GitHub made a default for public repos in 2023 and rolled into GHAS for private repos, blocks a git push in real time if it contains a recognizable secret pattern like an AWS access key or a Google API key — rather than alerting after the fact, when the secret is already in history. Dependency review adds a diff view directly in the pull request showing which new dependencies a change introduces and whether any carry known CVEs, so reviewers see supply chain risk before approving instead of discovering it days later in a Dependabot alert.
How does Dependabot catch vulnerable dependencies before they ship?
Dependabot works by matching your lockfile against a curated advisory database, not by analyzing your code's actual usage of the dependency — which is exactly why it produces so much noise. When a CVE like Log4Shell (CVE-2021-44228, disclosed December 10, 2021) lands in the GitHub Advisory Database, Dependabot flags every repository with a matching vulnerable version of Log4j in its manifest, regardless of whether that repo actually invokes the vulnerable JndiLookup code path. This is why security teams that rely solely on Dependabot often end up triaging hundreds of "vulnerable dependency" alerts where the vast majority are unreachable in practice. It's also worth knowing that Dependabot's update PRs only bump within the constraints your manifest allows — if a fix requires a major version jump with breaking changes, Dependabot will flag it but often won't auto-open the PR, leaving a human to do the harder upgrade work manually. And because the NVD itself slowed its CVE enrichment pace starting in February 2024, some advisories land in GitHub's database with incomplete CVSS scoring or delayed CWE tagging, which further muddies prioritization.
How much does GitHub Advanced Security cost, and who needs it?
As of GitHub's 2025 pricing restructure, GHAS is no longer sold as a single bundle — it's split into GitHub Secret Protection and GitHub Code Security, each priced separately at $19 per active committer per month, replacing the older ~$49/committer/month all-in-one GHAS SKU. "Active committer" means anyone who has pushed a commit to the repository in the last 90 days, which matters because cost scales with contributor headcount, not repo count — a single large monorepo with 200 active committers costs the same as 200 small repos with one committer each. This pricing model tends to make sense for regulated organizations (finance, healthcare, government contractors) that need SAST and secret detection as an auditable, contractually documented control, and for larger engineering orgs already standardized on GitHub Enterprise. It tends to make less sense for smaller teams or organizations running a polyglot stack across GitHub, GitLab, and Bitbucket, where paying per-committer for a GitHub-only tool means re-buying equivalent coverage elsewhere — or leaving those other repos uncovered entirely.
Where do GitHub's native tools stop short?
GitHub's security stack is built to protect GitHub, which means it stops at the repository boundary — it doesn't see your CI/CD runners, your container registries, your package publishing pipeline, or your production runtime. CodeQL analyzes source code you've already committed; it has no visibility into a compromised GitHub Actions runner, a malicious post-install script executing during npm install in CI, or a dependency that was fine at scan time but got taken over via account compromise afterward — the pattern behind incidents like the 2021 ua-parser-js and coa npm hijacks. Dependabot alerts on known CVEs but doesn't assess whether a package is actively maintained, has an anomalous new maintainer, or shipped an update with suspicious install-time behavior — the kind of software supply chain attack that CVE databases catch only after the fact, if at all. And because GHAS pricing and tooling are GitHub-specific, organizations with mixed source control (common after M&A, or with contractor teams on other platforms) end up with uneven coverage: strong on GitHub repos, blind everywhere else. None of this is a knock on GHAS doing its job — it's a reminder that "GitHub security" and "supply chain security" are overlapping but not identical categories.
How Safeguard Helps
Safeguard is built to cover the gaps GitHub's native tools were never designed to close, without asking teams to rip out Dependabot or CodeQL where they're already working. Where GHAS stops at the repository, Safeguard extends visibility across the full software supply chain — CI/CD pipelines, package registries, build provenance, and runtime dependencies — so a compromised GitHub Actions workflow or a maliciously updated open-source package gets flagged whether or not it maps to a published CVE. Where Dependabot's CVE-matching produces high-volume, low-context alerts, Safeguard correlates dependency risk with actual reachability and exploitability, so security teams triage the handful of findings that matter instead of hundreds that don't. And because Safeguard isn't tied to a single source control platform or a per-committer pricing model, teams running mixed environments — GitHub alongside GitLab, Bitbucket, or self-hosted Git — get consistent policy enforcement instead of the patchwork coverage that comes from stacking platform-native tools per repository host. For teams that have outgrown what GitHub's free tier catches but aren't sure GHAS's per-committer pricing buys them supply chain coverage rather than just code scanning, Safeguard is built to answer that gap directly — reach out to see how it fits alongside your existing GitHub security setup.