This document helps answer the question "is this GHAS feature available in my version of GitHub Enterprise Server?".
The following tables include notable feature releases for GitHub Advanced Security. Each row represents a feature. The columns in the row indicate the level of support for each supported Enterprise Server release. Are your repositories hosted on github.com? All of these features are already available to you.
Each section of this document represents a different capability of the GitHub security features. Each row in the tables represents a different feature of GHAS. The columns indicate whether that feature is available in each version of GitHub Enterprise Server.
Cells with ☑️ indicate Public Preview support. ✅ indicates General Availability.
| Version | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 |
|---|---|---|---|---|---|---|---|
| Release date | 2024-08-06 | 2024-11-12 | 2025-02-25 | 2025-05-20 | 2025-10-14 | 2025-12-09 | 2026-03-17 |
| Deprecation date | 2025-08-27 | 2025-12-19 | 2026-03-11 | 2026-06-03 | 2026-10-14 | 2026-12-09 | 2027-03-17 |
Secret scanning identifies plain text credentials inside your code repository.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
Dependabot alerts tell you that your code depends on a package that is insecure.
| Feature | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 |
|---|---|---|---|---|---|---|---|
| Dependabot alerts show vulnerable function calls | ☑️ | ☑️ | ☑️ | ||||
| Dependabot auto-triage rules | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Security advisories can use the new CVSS 4.0 schema to calculate a base vulnerability score | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Added Exploit Prediction Scoring System (EPSS) to advisories to show estimated probability that a vulnerability will be exploited over the next 30 days | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| EPSS scores for vulnerability prioritization in Dependabot alerts | ✅ | ✅ | ✅ | ✅ | |||
| Dependabot metrics page for prioritizing security fixes | ✅ | ✅ |
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request.
| Feature | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 |
|---|---|---|---|---|---|---|---|
| SBOM generated for a package now includes the package URL for more packages | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Security overview provides high-level summaries of the security status of an organization or enterprise and makes it easy to identify repositories that require intervention.
| Feature | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 |
|---|---|---|---|---|---|---|---|
| Enablement trends dashboard is available | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Enterprise level secret scanning metrics and enablement trend dashboards | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Security overview dashboard group by tool | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Security overview dashboard filter by security tool | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| CodeQL pull request alerts view | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Security overview dashboard adds SAST vulnerabilities summary table | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Security overview dashboard adds Prevention metrics alongside Detection and Remediation metrics at both the organization and enterprise levels | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Export CSV data from the "CodeQL pull request alerts" view | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Security overview dashboard accessibility enhancements | ✅ | ✅ | ✅ | ✅ | ✅ |
Security configurations and global settings provide Advanced Security configuration and policy enforcement at scale.
| Feature | 3.14 | 3.15 | 3.16 | 3.17 | 3.18 | 3.19 | 3.20 |
|---|---|---|---|---|---|---|---|
| Enable at scale - security configurations | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Enterprise-level security configurations | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Security configurations for archived repositories | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Advanced filtering for repository selection by security feature status | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Security manager role can be assigned directly to individual users | ✅ | ✅ | ✅ | ✅ | ✅ | ||
| Standalone SKUs for Code Security and Secret Protection | ✅ | ✅ | ✅ | ✅ | |||
| "Not set" option for security configurations | ✅ | ✅ | |||||
| Security configurations support default or advanced CodeQL setup | ✅ | ✅ | |||||
| Enterprise Security Manager role | ☑️ | ||||||
| Code scanning default setup can override Actions policies | ✅ |
This section calls out the dependencies required to enable GitHub Advanced Security on GitHub Enterprise Server.
| Feature | GHAS license required? | GitHub Actions required? | GitHub Connect required? | Documentation | Notes |
|---|---|---|---|---|---|
| Security Overview: Know what needs attention throughout the entire SDLC | No * | No | No | Feature Docs | * Features not needing a GHAS license will still show up |
| Dependency Graph: Parse manifest and lock files in your repository | No | No | No | Feature Docs | Enabling this feature will reload some services on the appliance. |
| Dependabot Alerts: Know which of ⬆️ have open CVEs | No | No | Yes | Feature Docs | GitHub Connect dependency and data transmission details |
| Dependabot Security Updates: One-click "enable all" to send PRs updating ⬆️ | No | Yes | Yes | Feature Docs | Requires a runner with Docker and internet connectivity to open PRs (specs). As of GHES 3.8, will not require internet connectivity if private registry is configured |
| Dependabot Updates: Allows Dependabot to process optional updates using the `~/.github/dependabot.yml` file | No | Yes | Yes | Feature Docs | Same requirements as ⬆️ - this just allows the same "non-security" updates using the same flexible configuration file as GitHub.com |
| Dependency Review: Inspect dependencies at pull request, blocking merges that add more security vulnerabilities | Yes | Yes | Yes | Feature Docs | Does not require the build to be moved into GitHub Actions, but needs a runner to inspect manifests. Dependency "snapshots" submitted through the dependency submission API for non-default branches are not supported on GitHub Enterprise Server. Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information. |
| CodeQL: Highly accurate static analysis tool, flexible and extensible query language | Yes | No * | No * | Feature Docs | * CodeQL can be installed in your existing build system (directions) and/or be used on GitHub Actions with self-hosted runners (directions) * GitHub Connect is not required, but it makes keeping the CodeQL queries up-to-date easier. * codeql-action-sync-tool is the offline updater without Connect. * Code Scanning default setup requires runners with the code-scanning label applied. |
| Upload SARIF files from other tools: View security results from other tools using SARIF file uploads | Yes | No | No | Feature Docs | Many other tools support the SARIF interchange format. This feature provides a single pane of glass into the entire codebase. |
| Secret scanning: Look at the present and all history for secrets, including partner patterns and custom regex | Yes | No | No | Feature Docs | |
| Push protection for secrets: Block commits containing partner patterns and custom regex from GitHub, preventing compromise | Yes | No | No | Feature Docs | Bare metal hypervisors may require an additional CPU flag, as outlined here |