What Is GitHub Advanced Security?
GitHub Advanced Security is Microsoft's application security platform embedded natively in the GitHub source code management platform. It provides developer-first security capabilities — scanning code for vulnerabilities, preventing secret and credential leaks, identifying vulnerable dependencies, and enabling security campaigns to remediate accumulated technical debt — without requiring developers to leave the GitHub environment or use external security tooling.
GitHub was acquired by Microsoft in 2018 and is now the dominant software development platform for enterprise organisations worldwide, with over 100 million developers and a significant proportion of enterprise software development occurring on GitHub. GitHub Advanced Security was introduced in 2020 as the enterprise application security layer for GitHub, and it has become increasingly central to Microsoft's security portfolio since the integration with Microsoft Defender for DevOps and the introduction of GitHub Copilot Autofix for security vulnerabilities.
The 2025 Product Unbundling
Prior to April 1, 2025, GitHub Advanced Security was sold as a single bundle. From April 2025, GHAS was unbundled into two separate products: GitHub Secret Protection and GitHub Code Security. This change allows organisations to purchase only the security capability they need rather than the full GHAS bundle, and — significantly — makes both products available to GitHub Team plan customers for the first time, removing the previous requirement for a GitHub Enterprise subscription to access GHAS features.
The unbundling has material commercial implications. Organisations that previously purchased GHAS for all enterprise repositories now have the option to deploy Secret Protection alone (covering the most critical risk category — exposed credentials) without paying for Code Security. Organisations that need both products face a combined per-active-committer cost of $49 per month — higher than the previous bundled GHAS pricing for many customers.
GitHub Secret Protection: What It Covers
GitHub Secret Protection at $19 per active committer per month addresses the highest-severity, lowest-complexity security risk in software development: secrets — API keys, access tokens, private keys, passwords, and credentials — accidentally committed to source code repositories.
Core Capabilities
Push protection is the foundational Secret Protection capability. When a developer attempts to push a commit containing a detected secret pattern, GitHub blocks the push at the point of upload and notifies the developer before the secret reaches the repository. Push protection covers over 200 secret patterns including AWS, Azure, Google Cloud, GitHub, Slack, and most common SaaS platform credentials. The prevention-before-persistence model of push protection is substantially more effective than remediation after the fact — a secret that never reaches the repository cannot be exploited by automated scanners that harvest public repository secrets within minutes of publication.
Secret scanning alerts continuously scan repository history (including commits, issues, pull request comments, and wikis) for secrets that have already been committed. When a secret is detected in existing repository content, Secret Protection generates an alert that notifies the security team and repository administrators. Secret scanning runs automatically on all repositories when Secret Protection is enabled and covers both public and private repositories.
Custom patterns allow organisations to define their own secret patterns beyond the 200+ default patterns, enabling detection of organisation-specific credentials, internal service tokens, and proprietary API key formats that are not covered by the default ruleset.
Delegated bypass and policy management allow security teams to configure exception workflows for developers who have a legitimate reason to push a specific secret (for example, committing a test credential with known constraints) without disabling push protection organisation-wide.
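The push-protection flow described above (default patterns plus a custom organisation pattern, a redacted alert, and a delegated bypass for an approved test credential) modelled in Python. This is an added example, not GitHub's code: the regexes stand in for GitHub's real rules, the `acme_` token format is invented, and the bypass store is a hash set kept for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical stand-ins for two of GitHub's 200+ provider patterns (formats only;
# these are not GitHub's actual rule definitions).
DEFAULT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# A custom pattern for an organisation-specific token format (hypothetical "acme_" prefix).
CUSTOM_PATTERNS = {
    "acme_internal_token": re.compile(r"\bacme_[a-f0-9]{32}\b"),
}

def fingerprint(secret: str) -> str:
    # Bypass records hold a hash of the approved secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()

# Delegated bypass: a reviewer approved this constrained test credential (constructed).
APPROVED_BYPASSES = {fingerprint("acme_" + "0" * 32)}

@dataclass
class Finding:
    rule: str
    line_no: int
    redacted: str      # what goes into the alert; the raw secret is never logged
    bypassed: bool

def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]

def scan_added_lines(added_lines):
    """Run default and custom patterns over (line_no, text) pairs from a push."""
    findings = []
    for line_no, text in added_lines:
        for rule, rx in {**DEFAULT_PATTERNS, **CUSTOM_PATTERNS}.items():
            for m in rx.finditer(text):
                secret = m.group(0)
                findings.append(Finding(rule, line_no, redact(secret),
                                        fingerprint(secret) in APPROVED_BYPASSES))
    return findings

def push_decision(findings):
    """Block the push if any finding lacks an approved bypass."""
    blocking = [f for f in findings if not f.bypassed]
    return ("blocked" if blocking else "allowed"), blocking

# Constructed diff content. The AWS key is the placeholder value used in AWS's own
# documentation; the acme tokens are made up.
SAMPLE_PUSH = [
    (12, 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'),
    (13, 'ACME_TOKEN = "acme_9f86d081884c7d659a2feaa0c55ad015"'),
    (40, 'TEST_TOKEN = "acme_00000000000000000000000000000000"'),  # approved bypass
]

if __name__ == "__main__":
    status, blocking = push_decision(scan_added_lines(SAMPLE_PUSH))
    print(status, [(f.rule, f.line_no, f.redacted) for f in blocking])
```

The point to notice is that the approved test token on line 40 still produces a finding (so it stays visible in the alert history) but does not block, while the two unapproved secrets do.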
When Secret Protection Alone Is Sufficient
For organisations where the primary developer security risk is credential leakage — particularly organisations with significant public-facing development activity, open source contributions, or contractors who may not follow secure coding practices — Secret Protection alone provides high return on investment relative to its cost. The $19 per committer per month investment in Secret Protection is typically justified by preventing a single credential exposure incident, which can lead to cloud resource abuse, data exfiltration, or regulatory notification obligations that cost orders of magnitude more than the annual GHAS licensing spend.
GitHub Code Security: Vulnerability Detection and Remediation
GitHub Code Security at $30 per active committer per month addresses the broader category of code vulnerabilities and dependency risks — SQL injection, cross-site scripting, buffer overflows, path traversal, insecure cryptographic implementations, and hundreds of other Common Weakness Enumeration (CWE) classes.
Code Scanning with CodeQL
CodeQL is GitHub's semantic code analysis engine, which analyses source code as a queryable database rather than applying simple pattern matching. CodeQL understands the data flow and control flow within the codebase, enabling it to detect vulnerability classes that require reasoning about how data moves through the application — taint analysis, cross-procedure vulnerabilities, and complex injection patterns that rule-based scanners miss. CodeQL supports Java, JavaScript, TypeScript, Python, C, C++, C#, Go, Ruby, and Swift, covering the majority of enterprise application development languages.
Code scanning runs automatically on pull requests and can be configured to block merges when critical or high severity vulnerabilities are detected. The developer-friendly presentation of code scanning results — inline in the pull request review interface, with fix guidance and documentation links — encourages remediation at the point of development rather than discovery in a backlog of SAST findings weeks after the code was written.
Copilot Autofix: AI-Assisted Vulnerability Remediation
GitHub Code Security includes Copilot Autofix, which uses GitHub's Copilot AI model to automatically generate suggested fixes for detected vulnerabilities. When code scanning identifies a vulnerability, Copilot Autofix generates a code fix suggestion in the pull request interface that the developer can review, modify, and apply. Copilot Autofix covers a significant proportion of common vulnerability classes — GitHub's data indicates it reduces developer time to fix security issues by 60 percent on average, and it can produce a fix for approximately 90 percent of the vulnerabilities CodeQL detects.
For enterprises that have been challenged by the slow remediation rate of traditional SAST findings (large backlogs, developer resistance, security teams that lack the code context to drive fixes), Copilot Autofix represents a material change in the vulnerability remediation economics. The $30 per committer cost for Code Security includes Copilot Autofix at no additional charge — it is not a separate add-on.
Dependency Review and Dependabot
Code Security includes dependency review in pull requests (blocking merges when new vulnerable dependencies are introduced) and Dependabot (automated pull requests to update vulnerable dependencies to patched versions). Dependabot's automated pull request generation for dependency updates is particularly valuable for organisations with large application portfolios where manual dependency update tracking is operationally unsustainable. Dependabot version updates can be configured to auto-merge low-risk minor and patch version updates, reducing developer overhead while maintaining dependency currency.
Security Campaigns
Security campaigns are a governance feature that allows security teams to define a set of vulnerability types (for example, all SQL injection findings across a specific subset of repositories) and create a tracked remediation initiative with assigned developers, deadlines, and progress tracking. Security campaigns address the chronic problem of accumulated security technical debt — the backlog of known vulnerabilities that have never been remediated because there is no structured process for managing remediation at scale across a large development organisation.
Active Committer Billing: How It Works
Understanding active committer billing is essential for managing GHAS costs. GHAS products are licensed per active committer — not per developer account, not per repository, and not per organisation seat.
Active Committer Definition
An active committer is a unique GitHub user who has pushed at least one commit to a repository with Secret Protection or Code Security enabled in the 90 days preceding the billing date. The 90-day window is rolling — a developer who commits once in a quarter is counted as an active committer for that quarter. A developer who did not commit in the 90-day window is not counted, even if they have repository write access.
This definition has several important implications for cost management. Developer accounts that access repositories without committing (read-only access, code reviewers without commit access, product managers with repository visibility) are never counted as active committers. Developers on extended leave, contractors who have finished their engagement, and developers who have moved to non-GHAS-enabled repositories are not counted. The 90-day window means that developers who commit infrequently (quarterly release cycle contributors, on-call developers, documentation writers) may be counted for one or two quarters per year rather than all four.
Billing Model Options
Two billing models are available for GHAS products. Metered billing counts active committers monthly and charges only for the actual active committer count in each billing period. There is no pre-defined seat limit — you pay for actual usage with no overage penalties. Metered billing is available for GitHub Enterprise Cloud (cloud-hosted) and from GitHub Enterprise Server 3.13 onward with GitHub Connect. Volume/subscription billing allows organisations to purchase a defined number of committer licences in advance for a defined period (typically annual), usually at a discount relative to metered billing rates. Volume billing is available only for GitHub Enterprise plan customers.
For organisations with predictable, stable developer populations, volume billing with the annual commit provides better per-committer economics. For organisations with variable developer populations — project-based teams, seasonal development peaks, contractor-heavy environments — metered billing provides cost efficiency aligned with actual usage.
Active Committer Cost Optimisation
Several strategies consistently reduce active committer counts and the associated GHAS billing without reducing security coverage. First, scope GHAS to the repositories that require it. Not every repository in a GitHub organisation needs Code Security — internal tooling repositories, documentation repositories, and low-risk projects do not require the same security treatment as customer-facing applications and repositories handling sensitive data. Apply a risk-based repository classification and enable Code Security only for repositories above a defined risk threshold. This targeting approach can reduce active committer counts by 30 to 60 percent relative to blanket organisation-wide enablement.
Second, review bot and service account activity. Automated tools that commit to repositories — dependency update bots, CI/CD pipelines that commit build artifacts, and automated code generation tools — may be counted as active committers if they have commit activity in GHAS-enabled repositories. Review whether automated accounts with commit activity need to be in GHAS-enabled repositories or whether their activity can be moved to non-GHAS repositories.
Third, clean up stale developer accounts. Many enterprise GitHub organisations have developer accounts for former employees, completed contractors, and users who have moved to different projects. These accounts may still have commit history within the 90-day window from activity before departure. Deprovisioning stale accounts eliminates them from the active committer count at the next billing cycle.
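The active committer definition and the three optimisation strategies above (repository scoping, bot activity, stale accounts) worked through on constructed data. This is an added example, not GitHub's billing code: the logins, repositories and push dates are made up, and the per-committer prices are the page's own figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 90
# Per-active-committer list prices in USD per month, as given on the page.
PRICE = {"secret_protection": 19, "code_security": 30}


@dataclass(frozen=True)
class Push:
    author: str   # GitHub login; a "[bot]" suffix marks an automated account
    repo: str
    pushed: date


def active_committers(pushes, enabled_repos, billing_date, deprovisioned=frozenset()):
    """Unique authors with at least one push to a GHAS-enabled repository in the
    90 days preceding billing_date. Read-only users never appear because they
    have no pushes; deprovisioned accounts drop out regardless of history."""
    window_start = billing_date - timedelta(days=WINDOW_DAYS)
    return {
        p.author for p in pushes
        if p.repo in enabled_repos
        and window_start < p.pushed <= billing_date
        and p.author not in deprovisioned
    }


def billing_summary(pushes, enabled_repos, billing_date, products,
                    deprovisioned=frozenset(), move_bots_out=False):
    """Committer list and monthly cost. move_bots_out models relocating bot
    activity to non-GHAS repositories, the page's second optimisation."""
    if move_bots_out:
        pushes = [p for p in pushes if not p.author.endswith("[bot]")]
    users = active_committers(pushes, enabled_repos, billing_date, deprovisioned)
    per_committer = sum(PRICE[p] for p in products)
    return {"committers": sorted(users), "monthly_usd": len(users) * per_committer}


# Constructed sample data for a hypothetical organisation.
BILLING_DATE = date(2025, 9, 30)          # rolling window starts 2025-07-02
ALL_REPOS = {"payments-api", "billing-web", "internal-docs"}
HIGH_RISK_REPOS = {"payments-api", "billing-web"}
SAMPLE_PUSHES = [
    Push("alice", "payments-api", date(2025, 9, 10)),
    Push("bob", "internal-docs", date(2025, 9, 12)),     # low-risk repo only
    Push("carol", "billing-web", date(2025, 7, 5)),      # just inside the window
    Push("dave", "payments-api", date(2025, 6, 15)),     # outside the window
    Push("erin", "payments-api", date(2025, 4, 1)),      # outside the window
    Push("erin", "internal-docs", date(2025, 9, 20)),
    Push("gina", "payments-api", date(2025, 8, 20)),     # left the company on 1 Sep
    Push("dependabot[bot]", "payments-api", date(2025, 9, 28)),
]
BOTH_PRODUCTS = ["secret_protection", "code_security"]

if __name__ == "__main__":
    print(billing_summary(SAMPLE_PUSHES, ALL_REPOS, BILLING_DATE, BOTH_PRODUCTS))
    print(billing_summary(SAMPLE_PUSHES, HIGH_RISK_REPOS, BILLING_DATE, BOTH_PRODUCTS,
                          deprovisioned={"gina"}, move_bots_out=True))
```

Blanket enablement bills six committers for both products; scoping to the two high-risk repositories, deprovisioning the departed account and moving the bot out of those repositories brings the same organisation down to two.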
GitHub Copilot and GHAS: The Integration Layer
GitHub Copilot and GitHub Advanced Security are increasingly integrated in Microsoft's developer security vision. Copilot Autofix (included with Code Security) is the most direct integration — using Copilot's code generation to produce vulnerability fixes. But the integration extends beyond Autofix.
GitHub Copilot Enterprise includes security-aware code completion that understands the organisation's CodeQL findings and can suggest code patterns that avoid detected vulnerability classes. GitHub Copilot for Security (available as a Copilot Studio extension or through Microsoft Security Copilot integration) enables natural language interaction with GHAS findings — querying active vulnerability backlogs, generating remediation plans, and creating security briefings from CodeQL output.
Microsoft's field teams increasingly bundle GitHub Copilot and GHAS in EA renewal proposals as a developer productivity plus developer security story. The M365 SKU stack context is relevant here: while GHAS and GitHub Copilot are GitHub-licensed products (not M365 licensed), they connect to the broader Microsoft E5-to-E7 upsell narrative as Microsoft positions E7's AI capabilities alongside GitHub Copilot and GHAS as the complete developer-to-enterprise security stack. Understanding how GitHub licensing fits within the broader Microsoft EA negotiation is important for organisations that use both GitHub and M365 extensively.
GitHub Enterprise Tiers and GHAS Availability
GitHub is available across several tiers, and GHAS product availability varies by tier.
GitHub Free and Team
GitHub Free provides unlimited public repositories with basic security features. GitHub Team at $4 per user per month provides unlimited private repositories, pull request reviews, and protected branches. From April 2025, GitHub Team customers can purchase Secret Protection and Code Security as standalone add-ons — previously, GHAS required GitHub Enterprise. This makes developer security accessible to smaller organisations and teams within larger enterprises that may not have standardised on GitHub Enterprise.
GitHub Enterprise
GitHub Enterprise is available as GitHub Enterprise Cloud (SaaS, hosted by GitHub) and GitHub Enterprise Server (self-hosted, deployed in the organisation's own infrastructure). GitHub Enterprise Cloud at $21 per user per month includes single sign-on with Entra ID (SAML), IP allowlisting, audit log API, and advanced security configuration management. GitHub Enterprise Server requires self-hosting and includes all Enterprise Cloud features plus data residency control and air-gapped deployment capability. Both Enterprise tiers support volume billing for GHAS products and provide enterprise-grade administration, policy, and compliance features that are essential for regulated industries and large organisations.
GitHub Advanced Security is included in GitHub Enterprise when purchased through the legacy GHAS bundled product (for organisations still on pre-April 2025 contracts). Organisations renewing or signing new agreements post-April 2025 purchase Secret Protection and Code Security as separate line items at their respective per-committer rates.
Negotiating GHAS Within the Microsoft EA
GitHub Advanced Security products can be included in Microsoft Enterprise Agreement negotiations, though the commercial framework is different from M365 and Azure. GitHub products are typically procured separately from the main EA and may be part of a Microsoft Digital and App Innovation licensing structure or included as a discrete commitment within the broader Microsoft commercial relationship.
Organisations that are significant Microsoft customers — with large M365, Azure, and Dynamics 365 spend — have leverage to include GitHub GHAS in an EA-level negotiation where the overall TCV creates discount authority that a standalone GHAS procurement would not activate. Presenting GHAS as part of a consolidated Microsoft developer platform investment (GitHub Copilot plus GHAS plus GitHub Enterprise) creates a larger bundled commitment that Microsoft's account team can discount more aggressively than individual product negotiations.
Volume billing discounts for GHAS products at scale (500+ active committers) are typically 10 to 20 percent below list pricing through the EA channel, compared to metered billing at list rates. Three-year GHAS commitments can achieve 15 to 25 percent below list pricing when negotiated alongside M365 and Azure renewals in Microsoft's Q4 window (April through June).
GHAS vs Alternative Application Security Tools
The application security market includes a range of SAST, SCA, and secret scanning alternatives to GitHub Advanced Security. Understanding how GHAS compares commercially and technically is important for organisations making security tooling decisions.
On the SAST side, Veracode, Checkmarx, and Semgrep are the primary enterprise alternatives. Veracode and Checkmarx offer broader language coverage and established enterprise compliance reporting capabilities, but at significantly higher per-developer pricing (typically $50 to $150 per developer per month depending on deployment model and contract). Semgrep's community rules provide excellent SAST coverage at lower cost but lack the native GitHub integration depth of CodeQL. For organisations standardised on GitHub, CodeQL's native integration advantage — no connector complexity, no separate CI pipeline configuration, results surfaced inline in pull requests — creates operational efficiency that partially offsets the per-developer cost comparison.
On the secret scanning side, GitGuardian and Truffle Security are established alternatives that provide broader coverage across code hosting platforms (GitLab, Bitbucket, Azure Repos) and can monitor public internet sources for leaked secrets beyond the repository context. For organisations with multi-platform source code management, third-party secret scanning provides platform-agnostic coverage that GitHub Secret Protection cannot deliver.