How GitHub Advanced Security Licensing Works in 2026

GitHub Advanced Security (GHAS) shifted to two distinct standalone products in April 2025: GitHub Secret Protection and GitHub Code Security. This replaced the previous all-or-nothing GHAS bundle, giving enterprises the option to buy the tier that matches their risk profile rather than paying for capabilities they do not use.

Both products are priced on an active committer model, not by seat count. An active committer is defined as any unique user who has pushed at least one commit to a GHAS-enabled repository within the previous 90 days. The window is rolling — someone who committed in January remains billable through April. If they commit again in March, their 90-day window resets from March. This rolling calculation means committer counts fluctuate, and enterprises that do not actively manage repository enablement often carry 15–25% more billable committers than they need.

GHAS is an add-on to GitHub Enterprise Cloud or GitHub Enterprise Server — it is not included in base GitHub Enterprise licensing. Organisations on GitHub Team plans gained access to Secret Protection and Code Security as of April 2025, widening the addressable market but also increasing the complexity of licence management for teams that span multiple GitHub plan tiers. When comparing total security tool spend, it is worth cross-referencing with your Microsoft Sentinel ingestion costs, as GHAS and Sentinel often address complementary but occasionally overlapping risk categories in large enterprises.

Independent GHAS Licensing Review

Redress Compliance reviews GitHub Advanced Security entitlements, active committer counts, and contract positions for enterprise clients. We have no commercial relationship with Microsoft or GitHub. Our advice is yours alone.


Secret Protection vs Code Security: What Each Tier Covers

The restructured GHAS product line separates secret leakage prevention from application vulnerability detection — two disciplines with different audiences and different cost-benefit calculations.

GitHub Secret Protection — $19 per active committer/month

Secret Protection targets the risk of credentials, API keys, and tokens being committed to repositories. It covers push protection (which blocks a developer from committing a detected secret before it reaches the repository), secret scanning across 200+ provider patterns including GitHub tokens, AWS IAM credentials, Azure storage keys, and Slack webhooks, AI-assisted secret detection with a low false positive rate, and a security insights dashboard. For organisations where credential leakage is the primary concern — especially those handling customer data in regulated environments — Secret Protection at $19/committer is the cost-effective entry point. A 500-developer organisation with 400 active committers pays $91,200 per year for this tier.

GitHub Code Security — $30 per active committer/month

Code Security adds static application security testing (SAST) via CodeQL, dependency review to catch vulnerable open-source components before merge, security campaigns that allow security teams to prioritise and track remediation across repositories, and Copilot Autofix — GitHub's AI-assisted fix suggestion for code vulnerabilities. Code Security is inclusive of everything in Secret Protection. At $30/committer, the same 400-active-committer enterprise pays $144,000 per year. The $52,800 incremental cost over Secret Protection is justified primarily by the value of CodeQL SAST and Copilot Autofix, not by the dependency review tooling alone. When reviewing overall Microsoft licensing spend, enterprises should also evaluate how Microsoft 365 E5 Security add-ons interact with GHAS to avoid redundant coverage.


Copilot Autofix and the Security Developer Productivity Case

Copilot Autofix is the primary differentiator that moves GHAS from a detection tool to a remediation platform. When CodeQL identifies a vulnerability — a SQL injection risk, an insecure deserialization pattern, or a cross-site scripting exposure — Copilot Autofix proposes a context-aware fix that the developer can review and apply without leaving their pull request workflow. GitHub's own measurements across early adopters show that developers accept Autofix suggestions without modification in approximately 65% of cases, and Autofix reduces the mean time to fix critical vulnerabilities from 9 days to under 1 day in active deployments.

The business case for the $11/committer premium over Secret Protection therefore rests on two numbers: how many critical vulnerabilities your engineering teams generate per month, and what the loaded cost of developer remediation time is. At an average loaded cost of £85–£110/hour for a senior developer, a single avoided remediation session of 3–4 hours covers 6–10 months of the Copilot Autofix increment for one committer. The economic argument strengthens in proportion to repository count and commit velocity. Organisations evaluating Microsoft Copilot licensing more broadly should note that Copilot Autofix operates independently of GitHub Copilot Business and Enterprise — they are separate SKUs serving separate workflows.

Controlling Active Committer Count to Reduce GHAS Cost

The most direct lever for reducing GitHub Advanced Security enterprise licensing cost is managing which repositories have GHAS features enabled. GHAS billing only counts committers to repositories where Advanced Security is active — not to all repositories in the enterprise. Many organisations enable GHAS enterprise-wide during a rollout and never revisit the enablement scope. This results in active committer counts that include infrequent contributors to legacy repositories, archived projects, or internal tooling that carries no meaningful security risk.

Practical steps that reduce active committer counts by 10–30% in typical enterprise environments include: disabling GHAS on archived or read-only repositories, removing enablement from internal documentation and config repositories that contain no application code, auditing committer overlap across GHAS-enabled repositories (each unique committer uses one licence regardless of how many repositories they touch), and reviewing the 90-day window monthly rather than annually to identify natural volume reduction opportunities.

For volume/subscription billing — the model available under GitHub Enterprise agreements — organisations commit to a minimum licence count for a defined period. Overshooting that count triggers overage charges at list price. We recommend modelling committer counts across 12 months using GitHub's billing API before fixing a subscription volume, and including a 10–15% buffer above the trailing 3-month average. The Microsoft Vendor Management Toolkit includes templates for tracking GitHub licensing usage alongside other Microsoft workloads.
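To make the rolling-window arithmetic and the enablement-scope lever concrete, here is an added Python example (not from the original article and not GitHub's own code) that applies the 90-day active committer rule described above to a constructed push history and shows how removing GHAS from an archived repository and a documentation repository changes the billable count. Logins, repository names and dates are constructed assumptions; the billing rule is the one stated in this article.

```python
from datetime import date, timedelta

WINDOW_DAYS = 90
SECRET_PROTECTION_PRICE = 19  # USD per active committer per month

# Constructed sample push history: (login, repository, push date).
# Not real data; it illustrates the rolling-window rule in the article.
PUSHES = [
    ("alice", "payments-api", date(2026, 1, 10)),
    ("alice", "payments-api", date(2026, 3, 2)),    # resets alice's window
    ("bob",   "payments-api", date(2026, 1, 20)),
    ("bob",   "docs-site",    date(2026, 3, 20)),
    ("carol", "docs-site",    date(2026, 3, 25)),   # docs-only contributor
    ("dave",  "legacy-app",   date(2026, 2, 1)),    # archived repository
    ("erin",  "legacy-app",   date(2025, 11, 30)),  # already outside window
]
ALL_REPOS = {repo for _, repo, _ in PUSHES}
TRIMMED_SCOPE = ALL_REPOS - {"legacy-app", "docs-site"}  # after the audit
AS_OF = date(2026, 4, 15)  # evaluation date for the examples below

def active_committers(pushes, enabled_repos, as_of):
    """Unique logins billable on `as_of`: anyone who pushed to a GHAS-enabled
    repository within the trailing 90 days. A committer counts once no matter
    how many enabled repositories they touched."""
    cutoff = as_of - timedelta(days=WINDOW_DAYS)
    return {login for login, repo, when in pushes
            if repo in enabled_repos and cutoff < when <= as_of}

def billable_until(pushes, enabled_repos, login):
    """Last day a committer stays billable: their most recent in-scope push
    plus 90 days, because every new push restarts the window."""
    dates = [when for who, repo, when in pushes
             if who == login and repo in enabled_repos]
    return max(dates) + timedelta(days=WINDOW_DAYS) if dates else None

def scope_savings(pushes, before_repos, after_repos, as_of, price):
    """(committers before, committers after, monthly saving) for a scope change."""
    before = len(active_committers(pushes, before_repos, as_of))
    after = len(active_committers(pushes, after_repos, as_of))
    return before, after, (before - after) * price

if __name__ == "__main__":
    print(scope_savings(PUSHES, ALL_REPOS, TRIMMED_SCOPE, AS_OF,
                        SECRET_PROTECTION_PRICE))
    print(billable_until(PUSHES, ALL_REPOS, "alice"))
```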

Negotiating GHAS in Your Microsoft Enterprise Agreement

GitHub Advanced Security is procured independently of Microsoft 365 and Azure, but it sits within the Microsoft family and is subject to EA negotiation dynamics. For enterprises purchasing 250+ GHAS committer licences annually, discounts of 15–25% off list price are achievable on subscription billing. Multi-year commitments (2–3 years) with 500+ committer volumes have yielded 25–35% discounts in documented transactions. Microsoft's approach to EA pricing changes in late 2025 — which eliminated volume discount tiers for Microsoft 365 — does not formally apply to GitHub products, which remain separately negotiable.

GitHub's fiscal year ends January 31. Quarter-end windows (April 30, July 31, October 31) represent prime negotiation points where account teams have authority to approve incremental concessions. Presenting a competitive alternative — Snyk, Veracode, or Checkmarx for SAST; GitGuardian or Nightfall for secrets — materially strengthens the position. Enterprises that have already consolidated on Microsoft Azure and are growing their MACC spend have additional leverage: GitHub increments can be framed as part of a broader Microsoft commitment growth conversation. Book a call with Redress Compliance to prepare your negotiation position before your next GitHub renewal.