
About billing for GitHub Advanced Security

Learn about the licensing models for Advanced Security products and how the use of GitHub Secret Protection, GitHub Code Security, and GitHub Advanced Security licenses is calculated.

Who can use this feature?

Requires GitHub Team or GitHub Enterprise

GitHub makes a subset of Advanced Security features available, free of charge, to all public repositories on GitHub.com. In addition, you can get insight into your exposure to leaked secrets with a free secret risk assessment. See Viewing the secret risk assessment report for your organization.

You need to pay to use Advanced Security features in private repositories. If you change the visibility of a public repository to private and don't pay for Advanced Security, Advanced Security features will be disabled for that repository.

License types for Advanced Security products

Licensing for Advanced Security products is flexible, making it easy for you to choose options that fit your business needs.

  • GitHub Secret Protection, which includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
  • GitHub Code Security, which includes features that help you find and fix vulnerabilities, like code scanning, premium Dependabot features, and dependency review.

For example, you might start by using GitHub Secret Protection across all repositories, and pilot GitHub Code Security in high-risk repositories. You pay only for the products you need, and expand as you see the benefits to the security of your code.

For more information, see feature summary and pricing information and About GitHub Advanced Security.

Billing models for Advanced Security products

Each active committer to at least one repository with an Advanced Security product enabled uses one license. A committer is considered active if one of their commits has been pushed to the repository within the last 90 days, regardless of when it was originally authored.

There are two different ways to pay for licenses.

  • Metered billing

    • Users can enable GitHub Secret Protection or GitHub Code Security independently.
    • Monthly bill for the number of licenses used by active committers.
    • No pre-defined license limit.
    • No overage state; you pay only for what you use.
  • Volume/subscription billing available for GitHub Enterprise plans only

    • Users must ask the sales team to set up billing.
    • Purchase a specific number of GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security licenses that last for a defined period, typically at least a year.
    • If the usage of Advanced Security by active committers exceeds the number of licenses purchased, you need to purchase additional licenses to cover this overage usage.

Managing committers and costs

With a GitHub Team plan, you manage committers and costs by controlling usage. The options available depend on your billing platform.

Your use of Advanced Security is billed per committer and enabled by repository. If you remove a committer from an organization, or if you disable all GitHub Secret Protection or GitHub Code Security features for a repository, the committers will remain billable until the end of the current monthly billing cycle. Prorated billing applies only when a committer starts partway through the month. For examples of how committers are tracked and billed, see Understanding usage.

You can control usage and costs with budgets and alerts. See Preventing overspending.

Note

When you enable GitHub Secret Protection or GitHub Code Security, there is a delay of up to two hours before the change is shown in the usage data on the "Billing & Licensing" tab.

Each license specifies a maximum number of accounts that can use Advanced Security. Each active committer to at least one repository with the product enabled consumes one license. When you remove a user from your organization account, the user's license is freed within 24 hours.

If you exceed your license limit, features controlled by Advanced Security licensing continue to work on all repositories where they are already enabled. However, you will not be able to enable GitHub Secret Protection or GitHub Code Security on any additional repositories. Any new repositories created in organizations where GitHub Secret Protection or GitHub Code Security are configured to be enabled automatically will be created with the products disabled.

As soon as you make licenses available, by disabling GitHub Secret Protection or GitHub Code Security in some repositories, or by increasing your license size, the options for enabling GitHub Secret Protection and GitHub Code Security will work again as normal.

You can enforce policies to allow or disallow the use of Advanced Security by organizations owned by your enterprise account. See Enforcing policies for code security and analysis for your enterprise.

Active and unique committers

The number of unique, active committers who use GitHub Secret Protection or GitHub Code Security controls your license use.

You can see the active and unique committers to an organization on the Global settings page for Advanced Security. Under "Secret Protection repositories" and "Code Security repositories", summary and repository-level details are reported. See Configuring global security settings for your organization.

  • Active committers is the number of committers who contributed to at least one organization-owned repository, and who use a license in your organization. That is, they are also an organization member, an external collaborator, or have a pending invitation to join your organization, and they are not a GitHub App bot. For information about differences between bot and machine accounts, see Differences between GitHub Apps and OAuth apps.
  • Unique committers is the number of active committers who contributed only to that repository, or only to repositories in that organization. This number shows how many licenses you can free up by disabling GitHub Secret Protection or GitHub Code Security for that repository or organization.

If there are no unique committers to a repository or organization, all active committers also contribute to other repositories or organizations that use Advanced Security licenses. Disabling a product for that repository or organization would not free any licenses or lower your usage costs.

Billing platforms

In June 2024 GitHub introduced a new billing platform to provide greater insight and control over the use of paid products. All organizations are being migrated over to the new billing platform.

New billing platform

  1. In the upper-right corner of any page on GitHub, select your profile photo.
  2. For organizations, click Your organizations, then next to the organization, click Settings.

If your organization uses the new billing platform, there will be a Billing & Licensing option in the sidebar. See Using the new billing platform.

Original billing platform

Each organization on the original billing platform is contacted by GitHub in advance of their migration to the new billing platform. If you have not been contacted yet, then you probably use the original billing platform. See Using the billing platform.

Understanding usage

Users can contribute to multiple repositories or organizations. Usage is measured across the whole organization to ensure that each member uses one license regardless of how many repositories or organizations the user contributes to.

When you enable or disable GitHub Secret Protection or GitHub Code Security for one or more repositories, GitHub displays an overview of how this will change your usage.

  • Metered billing, showing an increase or reduction in the number of active committers using licenses.
  • Volume/subscription billing, showing the number of licenses used or freed by unique active committers.

The following example timeline demonstrates how the active committer count for Advanced Security products could change over time in an enterprise. For each month, you will find events, along with the resulting committer count and the effect on usage-based billing.

Note

A user is flagged as active when their commits are pushed to any branch of a repository, even if the commits were authored more than 90 days ago.

| Date | Events during the month | Total committers | Effect on usage-based billing |
| --- | --- | --- | --- |
| April 15 | A member of your enterprise enables GitHub Secret Protection and GitHub Code Security for repository X. Repository X has 50 committers over the past 90 days. | 50 | Billing begins for 50 committers. |
| May 1 | Developer A leaves the team working on repository X. Developer A's contributions continue to count for 90 days. | 50 | No immediate change. Developer A continues to be billed until their contributions are inactive for 90 days. |
| August 1 | Developer A's contributions no longer count towards the licenses required, because 90 days have passed. | 50 - 1 = 49 | Developer A is removed from the billing count, reducing the billable committers to 49. |
| August 15 | A member of your enterprise enables GitHub Secret Protection and GitHub Code Security for a second repository, repository Y. In the last 90 days, a total of 20 developers contributed to that repository. Of those 20 developers, 10 also recently worked on repo X and do not require additional licenses. | 49 + 10 = 59 | Billing increases to 59 committers, accounting for the 10 additional unique contributors. |
| August 16 | A member of your enterprise disables GitHub Secret Protection and GitHub Code Security for repository X. Of the 49 developers who were working on repository X, 10 still also work on repository Y, which has a total of 20 developers contributing in the last 90 days. | 49 - 29 = 20 | Billing for repository X continues until the end of the monthly billing cycle, but the overall billing count decreases to 20 committers for the next cycle. |
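
The counting rules from "Active and unique committers" and the timeline above can be modelled in a few lines for planning a rollout. This is an added example, not GitHub's implementation: the function names and the push records are constructed, and it ignores the membership and GitHub App bot conditions described earlier.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=90)  # activity window stated on the page


def active_committers(pushes, enabled_repos, today):
    """Per enabled repo, the users whose commits were pushed in the last 90 days."""
    by_repo = {repo: set() for repo in enabled_repos}
    for user, repo, pushed_on in pushes:
        # The push date counts, not the date the commit was authored.
        if repo in by_repo and timedelta(0) <= today - pushed_on <= WINDOW:
            by_repo[repo].add(user)
    return by_repo


def licenses_used(by_repo):
    """One license per person, however many enabled repos they push to."""
    return len(set().union(*by_repo.values()))


def unique_committers(by_repo, repo):
    """Committers active only in `repo`: the licenses freed by disabling it."""
    elsewhere = set().union(*(u for r, u in by_repo.items() if r != repo))
    return by_repo[repo] - elsewhere


def sample_pushes():
    """Constructed data mirroring the timeline's August rows (year is arbitrary)."""
    recent = date(2025, 8, 10)
    pushes = [(f"dev{i}", "X", recent) for i in range(49)]
    pushes.append(("developer-a", "X", date(2025, 4, 30)))    # left the team May 1
    pushes += [(f"dev{i}", "Y", recent) for i in range(10)]   # also work on X
    pushes += [(f"ydev{i}", "Y", recent) for i in range(10)]  # work on Y only
    return pushes


if __name__ == "__main__":
    today = date(2025, 8, 15)
    both = active_committers(sample_pushes(), {"X", "Y"}, today)
    print("X and Y enabled:", licenses_used(both))
    print("freed by disabling X:", len(unique_committers(both, "X")))
    y_only = active_committers(sample_pushes(), {"Y"}, today)
    print("Y only:", licenses_used(y_only))
```

A repository whose `unique_committers` set is empty frees no licenses when the product is disabled there, which is the case the "Active and unique committers" section describes.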
