We were a Microsoft and GitHub Enterprise ecosystem (GitHub Enterprise On-Premise as well as Cloud) shop with a huge implementation running close to 60+K GitHub repositories for tens of thousands of applications being developed by tens of thousands of developers across a few hundred teams. I was tasked with determining the value of GitHub Advanced Security (GHAS), since this was a separate license from the GitHub Enterprise license we had deployed. To evaluate it, some pilot licenses were provided to our organization through our client relationship with GitHub. My background is security, and I was leading the DevSecOps program with SAST, SCA and IAST tools such as Checkmarx, Coverity, Mend, Snyk and Contrast, while different groups also utilized SonarQube for code quality (which is not a competing comprehensive security platform), deployed at enterprise levels at different times over about a decade. My exhaustive evaluation and research led me to write a dedicated book on GHAS spanning about 110+ pages back in October 2024. This was particularly important as Copilot access was accelerating among the developers, and thus, being a security SME and DevSecOps Program Lead, AI concerns were at the forefront of my radar.
GHAS is not just a one-time security check; it's designed for continuous security, integrating seamlessly into your development workflow and providing comprehensive coverage throughout the software development lifecycle. GHAS seamlessly integrates with your CI/CD pipeline to automate security analysis and empower developers to build secure software from the start. This integration allows for continuous security scanning and ensures that vulnerabilities are identified and addressed early in the development process. This comprehensive approach ensures that code is regularly scanned and vulnerabilities are addressed at multiple stages, from the moment a developer starts writing code to ongoing monitoring of the entire repository.
By understanding the GHAS scanning process and tailoring it to their specific CI/CD environment and development practices, organizations can effectively integrate security into their pipeline and empower developers to build secure software from the start.
While GHAS boasts strong SCA capabilities through its Dependency Review feature, it's important to understand that its current implementation doesn't heavily rely on AI in the same way that some dedicated SCA tools do. However, AI plays a subtle yet growing role, and its potential for future enhancements is significant.
GHAS leverages AI in some aspects of its SAST capabilities, particularly in secret scanning. However, its core code analysis relies on semantic analysis and CodeQL queries. While AI has the potential to further enhance GHAS's SAST capabilities in the future, it's important to be aware of its current limitations and potential weaknesses.
Auto-PRs are a valuable feature of GHAS that can help streamline dependency management and improve security posture. However, it's essential to understand their limitations and use them judiciously in appropriate scenarios. By carefully evaluating the suitability of Auto-PRs for their specific projects, organizations can effectively leverage this feature to automate security updates and maintain a secure codebase.
In a nutshell, GHAS is pretty solid when your ecosystem is GitHub & GitHub Actions, and thus a good direction to move into. In this scenario, acquiring a GHAS Enterprise license and implementing it would be a natural extension of the existing workflow. Teams can easily enable GHAS and configure code scanning to run automatically as part of their CI/CD pipeline. This will help them find and fix security vulnerabilities early and effectively in the development process, reducing the risk of security breaches. While it is effectively powerful in secret scanning, one should be wary of its limitations in both SAST and SCA, particularly given the evolutionary and revolutionary nature of AI; it has potential to improve. With the fierce competition among AI technology leaders like OpenAI, Anthropic, Google, and Microsoft, who are all advancing their autonomous coding language models, developers utilizing vibe-coding face a major security risk. This threat is not easily detectable by even the most advanced security tools available today.
Choose GHAS if:
• Accuracy and low false positives are critical.
• You need customization and explainability of findings.
• Deep integration with the GitHub ecosystem is essential.
My best rating would be: 8 out of 10 (it would be 7 out of 10, if AI is considered a core feature)
Visit haroonmansoori.com for a consulting or implementation discussion.
I remember that some time back I visited the website peerspot.com and did research about application security tools, GitHub Advanced Security and SonarQube Server. I do not have any advice for people that are only looking to use GitHub Advanced Security at this time. My company name is Newt. My title is Delivery Head. My email address is archana.s@newtglobalcorp.com. On a scale of 1-10, I rate GitHub Advanced Security a 9.
I would definitely recommend GitHub Advanced Security to other development teams. It is my favorite solution. I rate this solution nine out of ten because of some missing features like the reporting feature.
I would recommend GitHub Advanced Security to other users. The secret scanning feature has capabilities that utilize AI, such as searching for additional patterns and secret detection. I rate GitHub Advanced Security an eight out of ten.
I would rate this product eight out of ten. GitHub Advanced Security should also put more emphasis on developing a software bill of materials, so that one can see what's being used without searching through different repositories.
I primarily use GitHub Advanced Security in our company's development workflow because once the code is developed, we run the product before pushing it to the staging phase to check for vulnerabilities. Some of GitHub Advanced Security's features that are really effective for identifying vulnerabilities stem from the fact that it is easy for us to integrate it with the existing code, especially since all our code is already on GitHub. GitHub Advanced Security can be used to check for vulnerabilities. The tool's easy integration capability is one of its advantageous features. GitHub Advanced Security plays a role in protecting the sensitive data within our company's projects, since many of the developers tend to put secret keys directly into the code, but GitHub Advanced Security analyzes such areas and helps us find all the secret keys stored in the code, after which we remove them. The aforementioned area is a very good feature of the product. My company needs only two people to take care of the maintenance part, so it is not very difficult to maintain the product. The integration of the tool with our CI/CD pipelines is possible since my company has integrated into the Azure platform through GitHub's repository. The product's alerts or insights led to security improvement or prevention of a breach when my company received alerts related to security keys. I rate the overall product a nine out of ten.
DevOps Lead at a computer software company with 5,001-10,000 employees (Real User, Top 5), Jan 9, 2024
It is a user-friendly tool for those new to security, offering ease of use and integration within an organization. However, another specialized tool may be required for more advanced security needs, especially concerning data security testing (DST) and potentially information security management systems (ISMS). I rate GitHub Advanced Security a ten out of ten.
Technical Program Manager at a healthcare company with 10,001+ employees (Real User, Top 5), Nov 6, 2023
For organizations heavily invested in Microsoft's suite of products and operating as a sort of automation hub, GitHub Advanced Security stands out as the de facto choice. Its seamless integration with the developer environment and the broader suite of tools makes it the go-to solution. Overall, I would rate it nine out of ten.
GitHub Advanced Security secures data by scanning for vulnerabilities in dependencies, secret scanning, and protecting sensitive information. It integrates seamlessly, reducing reliance on multiple tools and optimizing vulnerability detection. GitHub Advanced Security is designed to enhance security awareness by offering comprehensive tools for secret scanning, code analysis, and SCSS dependency checks. AI-driven features deliver accurate security insights while minimizing false positives. It...
I would recommend it. I'd give it an eight out of ten. If the price were better, I would recommend it even more and give it a higher rating.
I rate GitHub Advanced Security a seven out of ten.