Skip to main content

About billing for GitHub Advanced Security

Learn how GitHub Advanced Security costs are calculated and how to get the most from your license.

Who can use this feature?

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. Some features of GitHub Advanced Security are also available for public repositories on GitHub. For more information, see "GitHub’s plans."

For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

Metered billing for GitHub Advanced Security

If you started a trial of GitHub Advanced Security during your GitHub Enterprise Cloud trial on or after August 1, 2024, or if your account is onboarded into metered billing outside of the trial, your billing will be usage-based. This means:

  • You pay for the number of licenses used each month.
  • This applies to both GitHub Enterprise Cloud and GitHub Advanced Security.

There are a few key differences between metered and volume billing for GitHub Advanced Security.

  • Metered billing:

    • Billed per active committer, with no pre-defined license limit.
    • No overage state, pay only for what you use.
  • Volume billing:

    • Purchase a defined number of licenses (e.g. 100 licenses).
    • If usage exceeds purchased licenses, you will need to purchase additional licenses to cover this overage usage.

Managing committers and repositories

GitHub Advanced Security is billed per committer and enabled by repository. If a committer is removed from an organization or enterprise, they are no longer billable as of the removal day. However, if you disable GitHub Advanced Security on a repository, the committers tied to that repository will remain billable until the end of the current monthly billing cycle. Prorated billing applies if a committer starts partway through the month. For an example of how this works, see "Understanding usage."

If you have further questions about using GitHub Advanced Security, you can contact your account manager in GitHub's Sales team.

Note

There is a delay of up to 2 hours in the GitHub Advanced Security usage data on the "Overview" page after enabling the feature.

About licenses for GitHub Advanced Security

Note that GitHub may apply a temporary authorization hold for the value of the usage-based costs in advance, which will appear as a pending charge in your account's payment method.

If you want to use GitHub Advanced Security features on any repository apart from a public repository on GitHub.com, you will need a GitHub Advanced Security license. For more information about GitHub Advanced Security, see "About GitHub Advanced Security."

Note

With security configurations, you can manage GitHub Advanced Security feature enablement and license usage for your organization. See "Managing your GitHub Advanced Security license usage."

You can set up a trial if you pay for GitHub Enterprise Cloud by credit card or PayPal, or if you are already taking part in a free trial of GitHub Enterprise Cloud. See "Setting up a trial of GitHub Advanced Security."

If you pay by invoice, contact GitHub's Sales team to discuss trialing GitHub Advanced Security for your enterprise.

For other billing-related questions, contact GitHub Support.

License size

Important

If you have access to usage-based billing for GitHub Advanced Security, you will pay for the licenses you use each month and will not have a license limit. See "About usage-based billing for licenses."

Each license for GitHub Advanced Security specifies a maximum number of accounts that can use these features. Each active committer to at least one repository with the feature enabled uses one license. A committer is considered active if one of their commits has been pushed to the repository within the last 90 days, regardless of when it was originally authored.

When you remove a user from your enterprise account, the user's license is freed within 24 hours.

If you are over your license limit, GitHub Advanced Security continues to work on all repositories where it is already enabled. However, in organizations where GitHub Advanced Security is enabled for new repositories, repositories will be created with the feature deactivated. In addition, the option to enable GitHub Advanced Security for existing repositories will not be available.

As soon as you free up some licenses, by deactivating GitHub Advanced Security for some repositories or by increasing your license size, the options for activating GitHub Advanced Security will work again as normal.

You can enforce policies to allow or disallow the use of Advanced Security by organizations owned by your enterprise account. See "Enforcing policies for code security and analysis for your enterprise."

For more information on viewing license usage, see "Viewing your GitHub Advanced Security usage."

Active committers and unique committers

We record and display two numbers of active committers for GitHub Advanced Security on GitHub.com:

  • Active committers is the number of committers who contributed to at least one private organization-owned repository or one user-owned repository when using GitHub Enterprise Cloud with Enterprise Managed Users, and who use a license in your enterprise. That is, they are also an organization member, an external collaborator, or have a pending invitation to join an organization in your enterprise, and they are not a GitHub App bot. For information about differences between bot and machine accounts, see "Differences between GitHub Apps and OAuth apps."
  • Unique to this repository/organization is the number of active committers who contributed only to this repository, or to repositories in this organization. This number shows how many licenses you can free up by deactivating GitHub Advanced Security for that repository or organization.

If there are no unique active committers, all active committers also contribute to other repositories or organizations that use GitHub Advanced Security. Deactivating the feature for that repository or organization would not free any licenses for GitHub Advanced Security.

Note

Users can contribute to multiple repositories or organizations. Usage is measured across the whole enterprise account to ensure that each member uses one license regardless of how many repositories or organizations the user contributes to.

When you activate or deactivate Advanced Security for repositories, GitHub displays an overview of changes to the use of your license. If you deactivate access to GitHub Advanced Security, any licenses used by unique active committers are freed up.

For more information on managing the number of committers, see "Managing your GitHub Advanced Security licensing."

Understanding usage

The following example timeline demonstrates how active committer count for GitHub Advanced Security could change over time in an enterprise. For each month, you will find events, along with the resulting committer count and the effect on usage-based billing.

DateEvents during the monthTotal committersEffect on usage-based billing
April 15A member of your enterprise enables GitHub Advanced Security for repository X. Repository X has 50 committers over the past 90 days.50Billing begins for 50 committers.
May 1Developer A leaves the team working on repository X. Developer A's contributions continue to count for 90 days.50No immediate change. Developer A continues to be billed until their contributions are inactive for 90 days.
August 1Developer A's contributions no longer count towards the licenses required, because 90 days have passed.50 - 1 =
49
Developer A is removed from the billing count, reducing the billable committers to 49.
August 15A member of your enterprise enables GitHub Advanced Security for a second repository, repository Y. In the last 90 days, a total of 20 developers contributed to that repository. Of those 20 developers, 10 also recently worked on repo X and do not require additional licenses.49 + 10 =
59
Billing increases to 59 committers, accounting for the 10 additional unique contributors.
August 16A member of your enterprise disables GitHub Advanced Security for repository X. Of the 49 developers who were working on repository X, 10 still also work on repository Y, which has a total of 20 developers contributing in the last 90 days.49 - 29 =
20
Billing for repository X continues until the end of the monthly billing cycle, but the overall billing count decreases to 20 committers for the next cycle.

Note

A user will be flagged as active when their commits are pushed to any branch of a repository, even if the commits were authored more than 90 days ago.

Getting the most out of GitHub Advanced Security

When you decide which repositories and organizations to prioritize for GitHub Advanced Security, you should review them and identify:

  • Codebases that are the most critical to your company's success. These are the projects for which the introduction of vulnerable code, hard-coded secrets, or insecure dependencies would have the greatest impact on your company.
  • Codebases with the highest commit frequency. These are the most actively developed projects, consequently there is a higher risk that security problems could be introduced.

When you have enabled GitHub Advanced Security for these organizations or repositories, assess which other codebases you could add without incurring billing for unique active committers. Finally, review the remaining important and busy codebases. If you want to increase the number of licensed active committers, contact GitHub's Sales team.

If your enterprise uses GitHub Advanced Security on both GitHub Enterprise Server and GitHub Enterprise Cloud, you can ensure users aren't consuming multiple licenses unnecessarily by synchronizing license usage between environments. GitHub Advanced Security is included in license sync in GitHub Enterprise Server version 3.12 and later. See "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud."