Adopting GitHub Advanced Security at scale

You can adopt GitHub Advanced Security at scale in your company following industry and GitHub best practices.

Before enabling code scanning and secret scanning, plan how GHAS should be rolled out across your enterprise.

In this phase you will prepare developers and collect data about your repositories to ensure your teams are ready and you have everything you need for pilot programs and rolling out code scanning and secret scanning.

You may benefit from beginning with a few high-impact projects and teams with which to pilot an initial rollout. This will allow an initial group within your company to get familiar with GHAS, learn how to enable and configure GHAS, and build a solid foundation on GHAS before rolling out to the remainder of your company.

You will create internal documentation and then communicate this to the consumers of GitHub Advanced Security.

You can leverage the available APIs to rollout code scanning programmatically by team and by language across your enterprise using the repository data you collected earlier.

For the final phase, you will focus on the rollout of secret scanning. Secret scanning is a more straightforward tool to rollout than code scanning, as it involves less configuration, but it's critical to have a strategy for handling new and old results.