Domain 1: Describe GHAS Features and Functionality (15%)
Exam Tip
This domain tests your conceptual understanding of what GHAS is, what it includes, and who can use it. Expect questions on feature definitions, licensing requirements, and plan availability, not deep configuration.
What is GitHub Advanced Security (GHAS)?
GitHub Advanced Security is a set of security features built into GitHub to help organizations find and fix vulnerabilities earlier in the development lifecycle (shift-left security).
GHAS includes three primary pillars:
| Pillar | Feature | What it does |
|---|---|---|
| Secret Scanning | Secret scanning | Detects exposed credentials, tokens, and API keys |
| Secret Scanning | Push protection | Blocks commits containing secrets before they're pushed |
| Supply Chain Security | Dependabot alerts | Notifies you of vulnerable dependencies |
| Supply Chain Security | Dependabot security updates | Auto-creates PRs to fix vulnerable dependencies |
| Supply Chain Security | Dependabot version updates | Auto-creates PRs to keep dependencies up to date |
| Supply Chain Security | Dependency review | Blocks PRs that introduce vulnerable dependencies |
| Code Scanning | CodeQL analysis | SAST: finds security vulnerabilities in your source code |
| Code Scanning | SARIF upload | Lets you import third-party SAST results into GitHub |
GHAS Licensing and Availability
Public Repositories
- GHAS features are free for all public repositories on GitHub.com
- No license purchase is required; secret scanning, code scanning, and dependency review are enabled automatically
Private and Internal Repositories
| Plan | GHAS Available? | Notes |
|---|---|---|
| GitHub Free / Pro | No | No GHAS on private repos |
| GitHub Team | No | No GHAS on private repos |
| GitHub Enterprise Cloud (GHEC) | Yes | Requires GHAS license add-on per active committer |
| GitHub Enterprise Server (GHES) | Yes | Requires GHAS license; features available from GHES 3.0+ |
Exam Trap
GHAS is not included with GitHub Team. It requires GitHub Enterprise (GHEC or GHES) plus an additional Advanced Security license purchase. The exam often presents GitHub Team as an option; it's always wrong for private-repo GHAS.
GHAS License Seat Model
- GHAS is licensed per active committer: any user who has committed to a private repository with GHAS enabled in the last 90 days
- Enabling GHAS on a repository doesn't require a seat for read-only contributors
- Org owners can view seat usage in: Org Settings → Advanced Security → Active committers
Feature-by-Feature Overview
Secret Scanning
- Scans the full history of a repository (including all branches and commits) for known secret formats
- Uses partner patterns (GitHub-verified patterns for AWS keys, Stripe API keys, etc.) and optionally custom patterns
- Sends alerts to repository admins and security managers when a secret is detected
- Optional: validity checking, where GitHub queries the service provider to check whether a detected secret is still active
Push Protection
- Prevents a `git push` from succeeding if the pushed code contains a known secret
- Works at the network level: the push is rejected before the commit reaches the remote
- Developer sees an error explaining what was blocked and can bypass with a reason (if allowed by policy)
- Can be enforced at repo, org, or enterprise level
Dependabot Alerts
- Triggered when a repository's dependency is found in the GitHub Advisory Database (or NVD) with a known CVE
- Severity levels: Critical, High, Medium, Low (based on CVSS score)
- Available for all repositories (even without GHAS) if the dependency graph is enabled
Dependabot Security Updates
- Automatically opens a PR to update the vulnerable dependency to a safe version
- Requires: Dependabot alerts enabled + security updates feature enabled
- The PR includes the CVSS score, CVE details, and changelog notes
Dependabot Version Updates
- Scheduled PRs to update dependencies to their latest version (not necessarily security-driven)
- Configured via `.github/dependabot.yml`
Dependency Review
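As an added example (not from the original guide), a constructed `.github/dependabot.yml` for a repository that uses npm and GitHub Actions; the schedule, limits and labels are illustrative choices:

```yaml
# .github/dependabot.yml (constructed example)
version: 2
updates:
  # Version updates for npm: PRs open on the schedule whether or not an
  # advisory exists, which is what distinguishes them from security updates.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent Dependabot PRs so reviewers are not flooded
    open-pull-requests-limit: 5
    # Batch minor and patch bumps into a single PR; majors stay separate
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
  # The workflow actions themselves are dependencies too; keep them current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```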
- A GitHub Action that blocks PR merges if the PR introduces a new vulnerable dependency
- Works as a pull request check; displays a diff of dependency changes including CVE details
- Requires GHAS license for private repositories
Code Scanning (CodeQL)
- Static Application Security Testing (SAST): analyzes source code for security vulnerabilities
- Uses CodeQL, a semantic code analysis engine originally developed by Semmle (acquired by GitHub)
- Supports: C, C++, C#, Go, Java, Kotlin, JavaScript/TypeScript, Python, Ruby, Swift
- Alerts include: CWE category, severity, location, and recommended fix
SARIF (Static Analysis Results Interchange Format)
- Standard JSON-based format for exchanging static analysis results
- Allows third-party tools (Snyk, Checkmarx, SonarCloud, Semgrep) to upload results into GitHub's code scanning UI
- Uploaded via the `github/codeql-action/upload-sarif` action
Security Overview
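An added example workflow (not from the original guide) that uploads a third-party scanner's SARIF file into code scanning. The scanner invocation is a placeholder standing in for any of the tools named above; only the upload step uses real inputs:

```yaml
# .github/workflows/third-party-sast.yml (constructed example)
name: Third-party SAST upload
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
  security-events: write   # required to write results into code scanning
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # PLACEHOLDER: replace with the real scanner command; it must write a
      # SARIF 2.1.0 file to results.sarif
      - name: Run scanner (placeholder)
        run: ./run-my-scanner --sarif-out results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          # Keeps this tool's alerts separate from CodeQL alerts in the same repo
          category: third-party-sast
```

On a `pull_request` event the uploaded results surface as a code scanning check on the PR, alongside any CodeQL alerts.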
The Security Overview (available at org and enterprise level) provides a consolidated dashboard showing:
- Which repositories have GHAS features enabled
- Alert counts by feature and severity across the organization
- Trend data over time for tracking remediation progress
Available to: Organization owners, Security managers, Enterprise owners
Domain 1 Quick Quiz
Which GitHub plans support GHAS on private repositories?