In April 2025, GitHub retired "GitHub Advanced Security" as a single bundled SKU and split it into two standalone products: GitHub Secret Protection and GitHub Code Security. For years, GHAS was an all-or-nothing add-on — available only to GitHub Enterprise customers, priced per active committer, and bundling secret scanning together with CodeQL code scanning whether you wanted both or not. That bundling forced a lot of buying decisions that didn't match how teams actually work: a fintech startup that mainly worried about leaked API keys still had to license semantic code analysis for every engineer, and a platform team focused on CodeQL coverage paid for secret-scanning capacity it barely used. The split changes the unit of purchase, the pricing, and — for the first time — makes these capabilities available outside GitHub Enterprise. Here's what's actually in each product now, what it costs, and where the gaps still are.
What actually changed when GHAS split in two?
GitHub Advanced Security stopped existing as a purchasable product and became an umbrella term for two separately licensed offerings: GitHub Secret Protection and GitHub Code Security. Before April 2025, any org that wanted push protection for leaked credentials also had to pay for CodeQL scanning capacity, and vice versa, because GHAS was sold as one per-committer license tied to GitHub Enterprise Cloud or Server. After the split, each product has its own SKU, its own per-active-committer price, and — notably — both are now purchasable on the GitHub Team plan, not just Enterprise. That last point matters more than the rebrand: it's the first time GitHub has offered secret scanning on private repos and CodeQL scanning to mid-market teams without requiring an Enterprise contract.
What's included in GitHub Secret Protection?
GitHub Secret Protection covers detection and blocking of credentials before and after they land in a repository. The core feature is secret scanning across roughly 200 partner token patterns (AWS keys, Stripe keys, Slack tokens, and similar structured formats), paired with push protection, which rejects a git push in real time if it contains a matching pattern. It also includes validity checks, where GitHub calls the issuing provider's API to tell you whether a detected secret is still active or already revoked — a meaningful signal when you're triaging hundreds of scanner hits and need to know which ones are actual incidents. Newer additions include AI-detected secrets, which uses a model rather than fixed regex patterns to catch unstructured credentials (a hardcoded database password, not just a recognizable API key format), custom pattern definitions for internal token formats, and a security-overview dashboard that rolls up exposure across every repo in an org.
What's included in GitHub Code Security?
GitHub Code Security is built around CodeQL, GitHub's semantic static analysis engine, plus the dependency tooling that sits next to it. CodeQL scanning runs on pushes and pull requests to flag injection flaws, insecure deserialization, and similar code-level vulnerabilities across languages like JavaScript, Python, Java, C#, Go, and Ruby. The product bundles Copilot Autofix, which generates a suggested code change for a scanning alert directly in the pull request rather than just flagging the line, and dependency review, which blocks a PR from merging if it introduces a dependency with a known CVE above a configured severity. Code Security also includes security campaigns, a triage workflow for batching hundreds of open alerts into an assigned remediation plan with a due date — useful for the common scenario where a team turns on scanning and immediately inherits 800 pre-existing findings.
How much do the two products actually cost?
GitHub prices Secret Protection at $19 per active committer per month and Code Security at $30 per active committer per month, both billed on top of a GitHub Team or Enterprise plan. "Active committer" means anyone who pushes a commit to a private repo in the billing cycle, not your full headcount — so a 200-engineer org where 140 people commit in a given month pays for 140 seats, not 200. Buying both products separately (about $49/committer/month combined) lands close to legacy GHAS Enterprise pricing, but the difference is optionality: an org that only cares about credential leaks can now buy Secret Protection alone for $19/committer/month instead of being forced into the full bundle. For a 150-committer team, that's roughly $2,850/month for secrets-only coverage versus needing the combined ~$7,350/month spend under the old all-or-nothing model.
Does unbundling actually close any security gaps, or just repackage pricing?
Unbundling changes who can afford the tooling, not what the tooling covers — the underlying detection engines for both products are unchanged from pre-split GHAS. The real gaps are the same ones that existed before April 2025: neither product generates a signed SBOM, neither produces SLSA-style build provenance, and neither monitors public package registries like npm or PyPI for typosquats and dependency-confusion attacks targeting your internal package names. Dependency review only checks for already-published CVEs at PR time — it does nothing for a compromised package version published to a registry after the dependency was merged, which is exactly the pattern behind incidents like the 2024 XZ Utils backdoor and the recurring wave of npm supply-chain compromises. Both products are also GitHub-native only: if any part of your codebase lives in GitLab, Bitbucket, or a self-hosted Git server, Secret Protection and Code Security simply don't see it.
What should buyers watch for when evaluating GitHub's new pricing model?
The per-active-committer model means costs scale with contributor headcount, not with repository count or risk surface, which can produce uneven results for orgs with a long tail of low-activity repos or contractors who commit occasionally. A team with 300 nominal GitHub users but only 90 monthly active committers pays for 90 seats — but a team going through a hiring wave or an acquisition can see its bill jump mid-year as more people start pushing code. Buyers should also confirm which alerts carry over: switching from a legacy bundled GHAS Enterprise license to the two new standalone products is generally a clean migration, but orgs on older Enterprise Server versions need to check their release train, since Secret Protection and Code Security parity with GHAS features rolled out over several GHES point releases through 2025 rather than landing everywhere on day one.
How Safeguard Helps
GitHub Secret Protection and Code Security are solid first-party controls for code already sitting in a GitHub repo, but they stop at the repo boundary — they don't touch your SBOM, your build provenance, your package registries, or anything living outside GitHub. Safeguard is built to cover exactly that gap without asking you to rip out CodeQL or secret scanning you're already paying for. We ingest findings from GitHub Advanced Security's two products alongside signals from GitLab, Bitbucket, and self-hosted Git, and correlate them with SBOM generation, signed build provenance, and continuous monitoring of your actual dependency tree — not just the CVEs known at merge time, but new compromises published to npm, PyPI, or crates.io after a dependency is already in production. For orgs standardizing on the new GitHub pricing, Safeguard sits on top as the cross-repo, cross-registry layer that turns per-tool alert noise from Secret Protection, Code Security, and any other scanner you run into a single prioritized supply-chain risk view — so switching which GitHub SKU you buy doesn't mean rebuilding your remediation workflow from scratch.