
GitHub Advanced Security Feature Comparison

Overview

GitHub Advanced Security (GHAS) is an add-on for GitHub Enterprise customers. While it costs extra, the code scanning, secret scanning, and dependency review feature set is quite impressive. Nearly all of these features are enabled by default for public repos hosted on github.com (with the exception of the organization-level security overview and custom secret scanning patterns), so you can easily create a repo with some sample code from your personal GitHub account to test them.

Follow updates in the Changelog blog for the latest updates on GitHub Advanced Security!

GitHub Advanced Security Feature Comparison

I made this chart a while back for a client when helping them determine if the GHAS addon was worth it to them:

Notes:

  • GHE = GitHub Enterprise
  • GHAS = GitHub Advanced Security
  • * - Note that you won’t see a secret scanning menu for public repos; you will just get an email when a secret is committed to the repo, telling you that the secret was (likely) automatically rolled or disabled
  • This chart primarily focuses on GitHub Enterprise Cloud, but note that Advanced Security is available for GitHub Enterprise Server 3.0 or higher

About Dependabot

There are a few components of Dependabot, and while I tried to list each feature individually in the chart, I wanted to call out a helpful quote from the documentation that describes part of the difference between version updates and security updates:

About Dependabot version updates:

When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see “Enabling and disabling Dependabot version updates.”

If you enable security updates, Dependabot also raises pull requests to update vulnerable dependencies. For more information, see “About Dependabot security updates.”

When Dependabot raises pull requests, these pull requests could be for security or version updates:

  • Dependabot security updates are automated pull requests that help you update dependencies with known vulnerabilities.
  • Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and Dependabot.

Dependabot version updates require creating a dependabot.yml configuration file in your repository, whereas Dependabot security updates automatically locate supported package manifest files and alert you when they contain vulnerable dependencies.

The package ecosystems supported by Dependabot version updates differ from those supported by Dependabot security updates.
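To make the distinction concrete, here is an added example (not from the original post or GitHub’s documentation) of the dependabot.yml that version updates require; security updates need no such file. The dependency name, labels, and schedule are constructed for illustration:

```yaml
# .github/dependabot.yml (constructed example)
# Only version updates read this file; security updates run without it.
version: 2
updates:
  # Version updates for npm packages declared in the repo root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open version-update PRs to keep review load manageable
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    # Hold a hypothetical framework on its current major; minor/patch updates still flow
    ignore:
      - dependency-name: "express"
        versions: ["5.x"]

  # Keep the GitHub Actions referenced by workflow files current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once this file is merged, the status of version updates appears under the repository’s Insights tab, then Dependency Graph, then Dependabot, as the quoted documentation describes.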

Changelog

Date         Note
Apr 06 2022  Adding Dependency Review Action (Beta)
Apr 04 2022  Adding Secret Scanning - Push Protections (Beta)
Mar 07 2022  Adding new Security Overview for the Enterprise (Beta) and secret scanning note for public repos
Jan 26 2022  Adding Dependabot section; reorganized chart
Dec 03 2021  Initial post
This post is licensed under CC BY 4.0 by the author.
