Skip to main content

Enabling GitHub Advanced Security for your enterprise

You can configure GitHub Enterprise Server to include GitHub Advanced Security. This provides extra features that help users find and fix security problems in their code.

Who can use this feature?

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "GitHub’s plans."

For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

About enabling GitHub Advanced Security

GitHub Advanced Security helps developers improve and maintain the security and quality of code. For more information, see "About GitHub Advanced Security."

When you enable GitHub Advanced Security for your enterprise, repository administrators in all organizations can enable the features unless you set up a policy to restrict access. See "Enforcing policies for code security and analysis for your enterprise."

You can also enable or disable Advanced Security features via the API. For more information, see "REST API endpoints for secret scanning" in the REST API documentation.

For guidance on a phased deployment of GitHub Advanced Security, see "Introduction to adopting GitHub Advanced Security at scale."

Checking whether your license includes GitHub Advanced Security

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. On the left side of the page, in the enterprise account sidebar, click Settings.

  3. Under Settings, click License.

  4. If your license includes GitHub Advanced Security, the license page includes a section showing details of current usage.

Prerequisites for enabling GitHub Advanced Security

  1. Upgrade your license for GitHub Enterprise Server to include GitHub Advanced Security. For information about licensing, see "About billing for GitHub Advanced Security."

  2. Download the new license file. See "Downloading your license for GitHub Enterprise."

  3. Upload the new license file to GitHub Enterprise Server. See "Uploading a new license to GitHub Enterprise Server."

  4. Review the prerequisites for the features you plan to enable.

Enabling and disabling GitHub Advanced Security features

Warning: Changing this setting will cause user-facing services on GitHub Enterprise Server to restart. You should time this change carefully, to minimize downtime for users.

  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

  2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

  3. In the " Site admin" sidebar, click Management Console.

  4. In the "Settings" sidebar, click Security.

  5. Under "Security," select the features that you want to enable and deselect any features you want to disable.

  6. Under the "Settings" sidebar, click Save settings.

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  7. Wait for the configuration run to complete.

When GitHub Enterprise Server has finished restarting, you're ready to set up any additional resources required for newly enabled features. See "Configuring code scanning for your appliance."

Enabling or disabling GitHub Advanced Security features via the administrative shell (SSH)

You can enable or disable features programmatically on GitHub Enterprise Server. For more information about the administrative shell and command-line utilities for GitHub Enterprise Server, see "Accessing the administrative shell (SSH)" and "Command-line utilities."

For example, you can enable any GitHub Advanced Security feature with your infrastructure-as-code tooling when you deploy an instance for staging or disaster recovery.

  1. SSH into your GitHub Enterprise Server instance. If your instance comprises multiple nodes, for example if high availability or geo-replication are configured, SSH into the primary node. If you use a cluster, you can SSH into any node. Replace HOSTNAME with the hostname for your instance, or the hostname or IP address of a node. For more information, see "Accessing the administrative shell (SSH)."

    Shell
    ssh -p 122 admin@HOSTNAME
    
  2. Enable features for GitHub Advanced Security.

    • To enable code scanning, enter the following commands.

      Shell
      ghe-config app.minio.enabled true
      ghe-config app.code-scanning.enabled true
      
    • To enable secret scanning, enter the following command.

      Shell
      ghe-config app.secret-scanning.enabled true
      
    • To enable the dependency graph, enter the following command.

      Shell
      ghe-config app.dependency-graph.enabled true
      
  3. Optionally, disable features for GitHub Advanced Security.

    • To disable code scanning, enter the following commands.

      Shell
      ghe-config app.code-scanning.enabled false
      
      • Optionally, if you disable code scanning, you can also disable the internal MinIO service for GitHub Advanced Security. If Dependabot updates are enabled for the instance and you want to disable this service, you must also disable Dependabot updates. Disabling the service does not affect MinIO storage for GitHub Actions or GitHub Packages. For more information about Dependabot updates, see "Enabling Dependabot for your enterprise."

        • To disable Dependabot updates, enter the following command.

          Shell
          ghe-config app.dependabot.enabled false
          
        • To disable MinIO, enter the following command.

          Shell
          ghe-config app.minio.enabled false
          
    • To disable secret scanning, enter the following command.

      Shell
      ghe-config app.secret-scanning.enabled false
      
    • To disable the dependency graph, enter the following command.

      ghe-config app.dependency-graph.enabled false
      
  4. To apply the configuration, run the following command.

    Note: During a configuration run, services on your GitHub Enterprise Server instance may restart, which can cause brief downtime for users.

    Shell
    ghe-config-apply
    
  5. Wait for the configuration run to complete.