A buyer-side guide to GitHub Advanced Security licensing in 2026. How the per-committer metric works, what the 2025 SKU split changed, and the scope lever that controls the bill.
GitHub Advanced Security is a paid add-on to GitHub Enterprise, billed per committer for the cloud product and per active committer for the server product. The metric counts who pushes code, not who reads it, which is why the bill rarely matches your developer headcount.
This guide is for engineering and procurement leaders sizing a GitHub Advanced Security purchase in 2026. Read it with the GitHub Enterprise licensing guide and the Microsoft security licensing guide.
GHAS is an add-on. You buy it on top of GitHub Enterprise, and it is metered by the committer, the unique user who pushes code to a repository where GHAS is switched on.
Microsoft owns GitHub and documents the model on the GitHub Advanced Security billing page. The metric is the same idea across cloud and server, with a different counting window for each.
A committer is any account that has pushed a commit to a GHAS-enabled repository. The window matters, because that is what turns a one-time contributor into a billable line.
GitHub broke the single GHAS product into two SKUs. You can now buy them apart, which helps teams that only need one half.
List pricing runs near 30 dollars per committer per month for each new SKU. The total depends on how many of your committers touch GHAS-enabled repositories, not on your seat count.
GitHub Advanced Security indicative list pricing, 2026
| SKU | Metric | Indicative list | What it covers |
|---|---|---|---|
| Code Security | Per committer per month | 30 dollars | Code scanning, CodeQL, dependency review |
| Secret Protection | Per committer per month | 30 dollars | Secret scanning, push protection |
| Both SKUs | Per committer per month | 60 dollars | Full original GHAS feature set |
| Bundled in GHE | Included | No extra | Base GitHub Enterprise only, no GHAS |
The active committer count picks up contractors, short-term contributors, and automation. Each one that pushes to a GHAS-enabled repository adds to the metered total.
Scope. You decide which repositories have GHAS switched on. Enabling it organization-wide is the most common reason a quote comes back far higher than expected.
GHAS is not priced by who can see the code. It is priced by who pushes it. Control the repository scope and you control the bill, not the other way around.
GHAS is licensed per committer as an add-on to GitHub Enterprise. A committer is any unique user who pushed code to a repository where GHAS is enabled, so the bill tracks active contributors rather than total seats or readers.
A committer is an account that pushed a commit to a GHAS-enabled repository. On GitHub cloud the count uses a rolling 90-day window, so a developer who stops pushing eventually drops out of the billable total.
List pricing is near 30 dollars per committer per month for each of the two SKUs, Code Security and Secret Protection. Buying both brings the list rate to roughly 60 dollars per committer per month before any negotiated discount.
Code Security covers code scanning, CodeQL, and dependency review. Secret Protection covers secret scanning and push protection. GitHub split the old single GHAS product into these two SKUs so teams can buy only the half they need.
Yes. GHAS is enabled per repository, which is the main cost control lever. Turning it on organization-wide counts every active committer across every repository, which is why broad enablement drives the largest quotes.
They can. Automation that pushes code to a GHAS-enabled repository may be counted as an active committer. Review your service accounts before sizing, because pipeline identities are a common and avoidable source of bill inflation.
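A sizing sketch for the scope lever and the 90-day window described above. This is an added example, not GitHub's billing logic or code from this guide: the push records and the service-account inventory are constructed, the function names are hypothetical, and the 30 dollar rate is the indicative list figure from the table.

```python
from datetime import date, timedelta

WINDOW_DAYS = 90    # rolling window the guide cites for GitHub cloud
LIST_PER_SKU = 30   # indicative list, dollars per committer per month per SKU

# Constructed sample data: (repository, pusher login, date of most recent push).
PUSHES = [
    ("payments-api", "alice", date(2026, 3, 2)),
    ("payments-api", "ci-release-bot", date(2026, 3, 9)),
    ("payments-api", "bob", date(2025, 11, 1)),        # older than the window
    ("web-frontend", "alice", date(2026, 2, 20)),      # same person, second repo
    ("web-frontend", "contractor-7", date(2026, 1, 15)),
    ("internal-wiki", "dana", date(2026, 3, 1)),
    ("internal-wiki", "docs-sync-bot", date(2026, 3, 10)),
    ("sandbox", "erin", date(2026, 2, 1)),
]
# Hypothetical inventory of pipeline identities to review before sizing.
SERVICE_ACCOUNTS = {"ci-release-bot", "docs-sync-bot"}


def committers(pushes, enabled_repos, as_of, window_days=WINDOW_DAYS):
    """Unique logins that pushed to an enabled repository inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    return {login for repo, login, day in pushes
            if repo in enabled_repos and cutoff < day <= as_of}


def estimate(pushes, enabled_repos, as_of, skus=2):
    """Committer list, automation subset and monthly list cost for a scope."""
    people = committers(pushes, enabled_repos, as_of)
    return {
        "committers": sorted(people),
        "automation": sorted(people & SERVICE_ACCOUNTS),
        "monthly_list": len(people) * LIST_PER_SKU * skus,
    }


if __name__ == "__main__":
    today = date(2026, 3, 15)
    all_repos = {repo for repo, _, _ in PUSHES}
    for label, scope in [("organization-wide", all_repos),
                         ("scoped", {"payments-api", "web-frontend"})]:
        print(label, estimate(PUSHES, scope, today))
```

Each login is counted once however many enabled repositories it pushes to, and the automation list shows which pipeline identities contribute to the total under a given scope.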
Teams buy GHAS on seat count, then get billed on active committers. The gap is the contractors and bots pushing to repositories nobody scoped. Fix the scope first.