
GitHub Advanced Security billing

Learn about the licensing models for Advanced Security products and how the use of GitHub Secret Protection, GitHub Code Security, and GitHub Advanced Security licenses is calculated.

Who can use this feature?

Requires GitHub Team or GitHub Enterprise

GitHub makes a subset of Advanced Security features available, free of charge, to all public repositories on GitHub.com. In addition, you can get insight into your exposure to leaked secrets with a free secret risk assessment. See Viewing the secret risk assessment report for your organization.

You need to pay to use Advanced Security features in private repositories. If you change the visibility of a public repository to private and don't pay for Advanced Security, Advanced Security features will be disabled for that repository.

License types for Advanced Security products

Advanced Security consists of two main products:

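  • GitHub Secret Protection: Includes features that help you detect and prevent secret leaks, such as secret scanning and push protection.
  • GitHub Code Security: Includes features that help you find and fix vulnerabilities, such as code scanning, premium Dependabot features, and dependency review.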

Licensing for Advanced Security products is flexible, making it easy for you to choose options that fit your business needs. For example, you might start by using GitHub Secret Protection across all repositories, and pilot GitHub Code Security in high-risk repositories. You buy or pay only for the products you need, and expand as you see the benefits to the security of your code.

For more information, see feature summary and pricing information and About GitHub Advanced Security.

Billing models for Advanced Security products

Each active committer to at least one repository with an Advanced Security product enabled uses one license. A committer is considered active if one of their commits has been pushed to the repository within the last 90 days, regardless of when it was originally authored.

There are two different ways to pay for licenses.

  • Metered billing

    • Users can enable GitHub Secret Protection or GitHub Code Security independently.
    • Monthly bill for the number of licenses used by active committers.
    • No pre-defined license limit.
    • No overage state; you pay only for what you use.
  • Volume/subscription billing available for GitHub Enterprise plans only

    • Purchase a specific number of GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security licenses that last for a defined period, typically at least a year.
    • If the usage of Advanced Security by active committers exceeds the number of licenses purchased, you need to purchase additional licenses to cover this overage usage.

    If you want to purchase volume/subscription-based licenses, contact your account manager in GitHub's Sales team or contact GitHub Support.

Managing committers and costs

With a GitHub Team plan, you manage committers and costs by controlling usage. The options available depend on your billing platform.

Your use of Advanced Security is billed per committer and enabled by repository. If you remove a committer from an organization, or if you disable all GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security features for a repository, the committers will remain billable until the end of the current monthly billing cycle. Prorated billing applies only when a committer starts partway through the month. For examples of how committers are tracked and billed, see Understanding usage.

You can control usage and costs with budgets and alerts. See "Setting up budgets to control spending on metered products."

Note

When you enable GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security, it can take up to 2 hours for changes to appear in the usage data on the "Billing & Licensing" tab.

Each license specifies a maximum number of accounts that can use Advanced Security. Each active committer to at least one repository with the product enabled consumes one license. When you remove a user from your organization account, the user's license is freed within 24 hours.

If you exceed your license limit, features controlled by Advanced Security licensing continue to work on all repositories where they are already enabled. However, you will not be able to enable GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security on any additional repositories. Any new repositories created in organizations where GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security are configured to be enabled automatically will be created with the products disabled.

As soon as you make licenses available, by disabling GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security in some repositories, or by increasing your license size, the options for enabling GitHub Secret Protection, GitHub Code Security, and GitHub Advanced Security will work again as normal.

You can enforce policies to allow or disallow the use of Advanced Security by organizations owned by your enterprise account. See Enforcing policies for code security and analysis for your enterprise.

Active and unique committers

The number of unique, active committers who use GitHub Secret Protection or GitHub Code Security controls your license use.

You can see the active and unique committers to an organization on the Global settings page for Advanced Security. Under "Secret Protection repositories" and "Code Security repositories", summary and repository-level details are reported. See Configuring global security settings for your organization.

  • Active committers is the number of committers who contributed to at least one organization-owned repository, and who use a license in your organization. That is, they are also an organization member, an external collaborator, or have a pending invitation to join your organization, and they are not a GitHub App bot. For information about differences between bot and machine accounts, see Differences between GitHub Apps and OAuth apps.
  • Unique committers is the number of active committers who contributed only to a repository, or to repositories in an organization. This number shows how many licenses you can free up by disabling GitHub Secret Protection or GitHub Code Security for that repository or organization.

Note

When a repository is migrated to GitHub, GitHub Advanced Security only consumes licenses for commits and pushes made after migration, rather than considering all historic contributions from before the migration.

If there are no unique committers to a repository or organization, all active committers also contribute to other repositories or organizations that use Advanced Security licenses. Disabling a product for that repository or organization would not free any licenses or lower your usage costs.

Understanding usage

Users can contribute to multiple repositories or organizations. Usage is measured across the whole organization to ensure that each member uses one license regardless of how many repositories or organizations the user contributes to.

When you enable or disable GitHub Secret Protection or GitHub Code Security for one or more repositories, GitHub displays an overview of how this will change your usage.

  • Metered billing, showing an increase or reduction in the number of active committers using licenses.
  • Volume/subscription billing, showing the number of licenses used or freed by unique active committers.

The following example timeline demonstrates how the active committer count for Advanced Security products could change over time in an enterprise. For each month, you will find events, along with the resulting committer count and the effect on usage-based billing.

Note

A user is flagged as active when their commits are pushed to any branch of a repository, even if the commits were authored more than 90 days ago.

| Date | Events during the month | Total committers | Effect on usage-based billing |
| --- | --- | --- | --- |
| April 15 | A member of your enterprise enables GitHub Secret Protection and GitHub Code Security for repository X. Repository X has 50 committers over the past 90 days. | 50 | Billing begins for 50 committers. |
| May 1 | Developer A switches teams and stops committing to repository X. Developer A's contributions continue to count for 90 days. | 50 | No immediate change. Developer A continues to be billed until their contributions are inactive for 90 days. |
| August 1 | Developer A's contributions no longer count towards the licenses required, because 90 days have passed. | 50 - 1 = 49 | Developer A is removed from the billing count, reducing the billable committers to 49. |
| August 15 | A member of your enterprise enables GitHub Secret Protection and GitHub Code Security for a second repository, repository Y. In the last 90 days, a total of 20 developers contributed to that repository. Of those 20 developers, 10 also recently worked on repo X and do not require additional licenses. | 49 + 10 = 59 | Billing increases to 59 committers, accounting for the 10 additional unique contributors. |
| August 16 | A member of your enterprise disables GitHub Secret Protection and GitHub Code Security for repository X. Of the 49 developers who were working on repository X, 10 still also work on repository Y, which has a total of 20 developers contributing in the last 90 days. | 49 - 29 = 20 | Billing for repository X continues until the end of the monthly billing cycle, but the overall billing count decreases to 20 committers for the next cycle. |
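
The counting rules behind this timeline can be checked with a short model. This is an added example, not GitHub's code or API: the function names, the committer names, the year 2025, and the inclusive 90-day boundary are assumptions, and bot exclusion and billing-cycle timing are not modeled.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=90)  # page: a commit pushed "within the last 90 days"

def active_committers(pushes, enabled_repos, today):
    """Set of committers holding a license on `today`.

    pushes: iterable of (repo, committer, push_date). The push date is used,
    not the author date, matching the page. A committer appears once no
    matter how many enabled repositories they push to.
    """
    return {who for repo, who, pushed in pushes
            if repo in enabled_repos
            and timedelta(0) <= today - pushed <= WINDOW}

def unique_committers(pushes, enabled_repos, repo, today):
    """Active committers to `repo` who push to no other enabled repository,
    i.e. the licenses that disabling the product on `repo` would free."""
    elsewhere = active_committers(pushes, enabled_repos - {repo}, today)
    return active_committers(pushes, {repo}, today) - elsewhere

def sample_pushes():
    """Constructed data shaped like the timeline: 50 committers on X,
    developer-a stops in April, 20 committers on Y of whom 10 overlap."""
    x_devs = [f"dev{i:02d}" for i in range(49)]
    y_devs = x_devs[:10] + [f"ydev{i:02d}" for i in range(10)]
    pushes = [("X", d, date(2025, 4, 10)) for d in x_devs + ["developer-a"]]
    pushes += [("X", d, date(2025, 7, 20)) for d in x_devs]
    pushes += [("Y", d, date(2025, 8, 10)) for d in y_devs]
    return pushes

if __name__ == "__main__":
    p = sample_pushes()
    for day, repos in [(date(2025, 4, 15), {"X"}), (date(2025, 5, 1), {"X"}),
                       (date(2025, 8, 1), {"X"}), (date(2025, 8, 15), {"X", "Y"}),
                       (date(2025, 8, 16), {"Y"})]:
        print(day, sorted(repos), len(active_committers(p, repos, day)))
    freed = unique_committers(p, {"X", "Y"}, "X", date(2025, 8, 15))
    print("licenses freed by disabling X:", len(freed))
```

The unique-committer count for repository X on August 15 is the number of licenses that disabling X releases; the 10 committers shared with repository Y keep their licenses.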
