GitHub Advanced Security (GHAS) is Microsoft's application security platform for GitHub Enterprise — providing code scanning (powered by CodeQL), secret scanning, dependency review, and security advisories. It is sold as an add-on to GitHub Enterprise Cloud (GHEC) or GitHub Enterprise Server (GHES) and is priced on an "active committer" model that is fundamentally different from per-user subscription pricing.
The active committer model is the source of most GHAS commercial problems. An organisation purchases GHAS for a stated number of active committers — and pays overages when actual active committer counts exceed purchased quantities. For enterprises with dynamic development teams, large contractor populations, or open source contribution activities, active committer counts can spike materially beyond expectations, with the resulting overage charges arriving quarterly and without advance warning.
The Active Committer Pricing Model: How It Actually Works
GHAS pricing is based on a per-active-committer-per-month rate. As of 2026, the standalone list price for GHAS is approximately $49/active committer/month for GHEC or $19/active committer/month for GHES (server-side scanning only). Through an EA, discounts of 15–30% are achievable at sufficient scale.
The mechanism that creates overspend risk: GHAS counts active committers across all repositories where GHAS is enabled, using a rolling 90-day window. If your organisation has 500 permanent developers plus 200 contractors who commit sporadically — and all of them commit at some point in any 90-day period — your active committer count may be 650–700 despite having only 500 "permanent" developers. For an organisation that budgeted for 500 active committers at $49/month, a 30% overrun (150 additional committers) represents $7,350/month or approximately £72,000/year in unexpected expenditure.
The Committer Count Variables
Before purchasing GHAS, model your active committer count across these dimensions:
- Permanent developers: The baseline. Every full-time developer who commits code to GHAS-enabled repositories is an active committer.
- Contractors and consultants: If contractors commit code to your private repositories, they count. For organisations with 20–30% contractor developer populations, this is a significant variable.
- Bots and automated accounts: Many CI/CD pipelines use service accounts that commit code (version bumps, automated dependency updates, generated file commits). These can count as active committers if not specifically excluded. Dependabot, for example, generates commits that may count as active committer activity unless properly attributed.
- Open source contributors: If you have internal repositories where external contributors make commits (hybrid open-source projects, public forks from internal repos), those contributors count.
- Infrequent committers: Developers who commit rarely (data scientists, DevOps engineers, architects who occasionally fix IaC) still count in any quarter where they make a commit.
GHAS vs Azure DevOps Advanced Security: The Double-Purchase Problem
Microsoft introduced Azure DevOps Advanced Security (ADO AdvSec) in 2023 — a similar application security scanning product built into Azure DevOps Pipelines and Repos. ADO AdvSec provides code scanning (GitHub CodeQL under the hood), secret scanning, and dependency scanning for Azure DevOps repositories, using the same active committer pricing model as GHAS.
For organisations that use both GitHub Enterprise and Azure DevOps, the overlap question is critical: do you need both GHAS and ADO AdvSec, or can one cover your security scanning requirements?
| Dimension | GitHub Advanced Security | ADO Advanced Security |
|---|---|---|
| Repository Coverage | GitHub Enterprise Cloud/Server repositories only | Azure DevOps Repos only |
| Code Scanning Engine | CodeQL (proprietary, very strong) | CodeQL (same engine) |
| Secret Scanning | Yes — extensive partner pattern library | Yes — narrower pattern library |
| Dependency Review | Yes — GitHub Advisory Database | Yes — same underlying data |
| Pricing | ~$49/active committer/month (GHEC) | ~$49/active committer/month |
| GitHub Copilot Autofix | Yes (with GitHub Copilot for Enterprise) | No |
| Security Overview Dashboard | Enterprise-wide (GHEC) | ADO-scoped only |
| Push Protection | Yes — real-time secret blocking | Not available |
The conclusion: if your organisation uses both GitHub and Azure DevOps as source control platforms, you need both products to achieve full coverage. But if your development standardisation strategy is moving toward GitHub (as most organisations in the Microsoft ecosystem are), the Azure DevOps security scanning requirement diminishes over time, and purchasing both products for an extended period is double-spend that a clear migration timeline can eliminate.
For organisations primarily on Azure DevOps with GitHub as a secondary platform: purchase ADO AdvSec for the ADO repositories and GHAS only for the GitHub repositories that genuinely require it — not as a blanket enterprise deployment. The financial consequence of buying GHAS at enterprise scale when most of your code is in ADO can be £100,000+/year in unnecessary spend.
EA Negotiation Strategy for GHAS
GHAS can be included in an EA, and doing so provides several commercial advantages over standalone or CSP procurement. The negotiation approach requires specific preparation.
Establishing the Right Baseline Committer Count
Before negotiating GHAS in an EA, conduct a precise active committer audit. Pull the last 90 days of commit data from your GitHub Enterprise instance (the GitHub Enterprise admin console provides committer reports), categorise by permanent staff, contractors, bots, and sporadic committers, and build a committer forecast for the EA term. The goal is to commit to a quantity that covers your typical active committer population with a reasonable buffer (typically 10–15%), without over-committing to a number that inflates your EA spend unnecessarily.
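The audit described above, and the committer dimensions listed earlier (permanent staff, contractors, bots, sporadic committers), can be modelled from raw commit data before you read GitHub's own report. The following script is an added example, not code from the original page or from GitHub: it takes constructed commit records, applies the 90-day rolling window only to repositories on an assumed GHAS-enabled list, classifies each committer with assumed heuristics (a `[bot]` login marks a bot, an e-mail domain outside `example.com` marks a contractor), and estimates overage against a committed quantity with an optional headroom allowance. The repository names, e-mail addresses, dates and domain list are all constructed; GitHub's committer report remains the authoritative count.

```python
"""Model GHAS active committers and overage from commit records (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Commit:
    repo: str
    author_email: str
    day: date


def _c(repo: str, email: str, iso_day: str) -> Commit:
    return Commit(repo, email, date.fromisoformat(iso_day))


# Constructed sample commits; not real data. docs-site is a Tier 3 repo with GHAS off.
SAMPLE_COMMITS = [
    _c("payments-api", "alice@example.com", "2026-03-10"),
    _c("payments-api", "alice@example.com", "2026-03-25"),
    _c("payments-api", "bob@example.com", "2026-02-02"),
    _c("payments-api", "49699333+dependabot[bot]@users.noreply.github.com", "2026-03-28"),
    _c("infra-iac", "carol@contractor-example.net", "2026-01-20"),
    _c("infra-iac", "dave@example.com", "2025-12-01"),   # falls outside a 31 Mar window
    _c("docs-site", "erin@example.com", "2026-03-30"),    # GHAS not enabled here
    _c("payments-api", "frank@contractor-example.net", "2026-03-05"),
]
ORG_DOMAINS = {"example.com"}                          # assumed: permanent staff domains
GHAS_ENABLED_REPOS = {"payments-api", "infra-iac"}     # assumed Tier 1/2 enablement list
WINDOW_DAYS = 90                                       # GitHub's rolling window


def classify(email: str) -> str:
    """Bucket a committer as 'bot', 'contractor' or 'permanent' (heuristic)."""
    local, _, domain = email.rpartition("@")
    if "[bot]" in local or local.endswith("-bot"):
        return "bot"
    if domain.lower() not in ORG_DOMAINS:
        return "contractor"
    return "permanent"


def active_committers(commits, as_of, enabled_repos=GHAS_ENABLED_REPOS,
                      window_days=WINDOW_DAYS):
    """Unique authors with a commit to a GHAS-enabled repo in the trailing window.

    Returns {email: category}. The window is (as_of - window_days, as_of].
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    start = as_of - timedelta(days=window_days)
    return {c.author_email: classify(c.author_email)
            for c in commits
            if c.repo in enabled_repos and start < c.day <= as_of}


def category_counts(active: dict) -> Counter:
    """How many of the active committers fall in each category."""
    return Counter(active.values())


def billable_count(active: dict, exclude_bots: bool = True) -> int:
    """Committers that count toward the purchased quantity (bots optional)."""
    return sum(1 for cat in active.values() if not (exclude_bots and cat == "bot"))


def overage(active_count: int, committed: int, headroom_pct: float,
            monthly_rate: float):
    """Overage committers and monthly cost after a no-charge headroom allowance."""
    allowance = int(committed * headroom_pct)
    over = max(0, active_count - committed - allowance)
    return over, over * monthly_rate


def monthly_trend(commits, month_ends, **kw):
    """Billable active-committer count at each month end, for trend monitoring."""
    return [billable_count(active_committers(commits, d, **kw)) for d in month_ends]


if __name__ == "__main__":
    active = active_committers(SAMPLE_COMMITS, "2026-03-31")
    print("active committers:", dict(category_counts(active)))
    print("billable (bots excluded):", billable_count(active))
    # The page's worked figure: 650 actual vs 500 committed at $49 list.
    print("overage on 650 vs 500 @ $49:", overage(650, 500, 0.0, 49.0))
    print("trend Feb/Mar:", monthly_trend(SAMPLE_COMMITS, ["2026-02-28", "2026-03-31"]))
```

Run it monthly against an export of your commit data and compare `billable_count` against the committed quantity; the `headroom_pct` argument models the 5–10% no-charge allowance discussed under overage provisions, and `monthly_trend` gives the month-by-month series you need to spot a drift toward the ceiling well before the anniversary.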
Microsoft will propose a committer count based on your current GitHub Enterprise seat count. That proposal will almost always be higher than your actual active committer population — because GitHub Enterprise seat count and active GHAS committer count are different things. A 500-seat GitHub Enterprise instance may have only 280–350 active committers if a portion of seats are viewers, wiki editors, or project management users who do not commit code.
GHAS Discount Structure in the EA
GHAS discounts in an EA typically follow the overall deal discount framework but with a specific GHAS product line negotiation. At 200–499 active committers, expect 15–20% below list pricing. At 500–999 committers, 20–25%. Above 1,000 committers, 25–35% is achievable with appropriate negotiation. The competitive landscape (Snyk, Veracode, Checkmarx, SonarQube) provides genuine leverage for organisations above 300 committers — these are credible alternatives with different pricing models (per-project or flat-rate, not per-committer) that can be used as anchors in the negotiation.
Avoiding the Perpetual Overage Problem
In an EA GHAS purchase, negotiate for overage handling provisions. The standard GHAS agreement bills overages at list price per additional active committer per month, charged retroactively for the overage period. For an EA inclusion, negotiate: (1) annual overage reconciliation rather than quarterly, (2) EA pricing applied to overage committers (not list), and (3) a reasonable headroom allowance (5–10% above committed quantity) at no additional charge. These provisions are obtainable at scale and significantly reduce the administrative burden and cost of managing active committer spikes.
Deployment and Governance: Controlling the Committer Count
Uncontrolled GHAS deployment is the primary cause of overspend. Enabling GHAS on every repository the moment you purchase it is the commercial equivalent of provisioning every user in your organisation on the most expensive licence tier without evaluating whether they need it. A structured deployment approach is both commercially and operationally sensible.
Repository Tiering for GHAS Enablement
Not every repository needs GHAS enabled. A three-tier approach is commercially rational:
- Tier 1 — Always enable: Production application repositories, repositories containing customer data processing code, public-facing APIs, repositories with high-sensitivity business logic, and any repository in a regulated environment. GHAS is the right tool here; the security value clearly justifies the active committer cost.
- Tier 2 — Evaluate and enable where justified: Internal tooling repositories, data pipeline code, infrastructure-as-code repositories, test automation code. Enable GHAS where the security risk profile is meaningful; consider whether internal repositories without external data exposure genuinely require the full CodeQL scan suite.
- Tier 3 — Do not enable: Documentation repositories, wiki repositories, archived repositories, configuration-only repositories, and repositories containing only non-executable content. Enabling GHAS on these adds active committers without providing security value.
Contractor and External Contributor Management
Contractors who contribute to GHAS-enabled repositories count as active committers. The commercial implication: every contractor who commits code during a quarter increases your GHAS active committer count for that quarter. For organisations with 20%+ contractor developer populations, this is a material variable. Governance options include: maintaining separate private repositories for contractor work (with GHAS disabled until output is reviewed and merged to production repos), using GitHub's guest access model for contractors rather than full membership, or factoring contractor populations into the GHAS committed quantity with explicit quarterly monitoring.
Monthly Committer Monitoring
GHAS provides active committer reporting in the GitHub Enterprise admin console (for GHEC) and in the Management Console (for GHES). For EA GHAS purchasers with committed quantities, monthly committer monitoring should be a standard IT finance task — the equivalent of M365 licence reconciliation. Review the active committer count monthly; investigate spikes; identify and categorise new committers; and adjust governance if the trend toward your committed ceiling becomes a concern. Catching an overrun trend three months before the anniversary is worth ten times more than discovering it in the overage invoice.
GHAS vs Third-Party Alternatives: When to Consider Something Else
GHAS is not the only application security scanning solution. For organisations with specific requirements, or those seeking alternatives to use as negotiation leverage, the competitive landscape is worth understanding.
Snyk: Strong developer-first AppSec platform with excellent open source dependency scanning and developer IDE integration. Pricing is per developer (not active committer), which can be commercially advantageous for organisations with high active committer spike risk. Snyk Code (SAST) and Snyk Container (container image scanning) fill GHAS CodeQL's territory.
Checkmarx One: Enterprise SAST and SCA platform with per-scan or per-developer pricing models. Strong in regulated industries (financial services, healthcare) with compliance reporting that GHAS does not natively provide.
Veracode: SaaS-based AppSec with dynamic analysis capabilities GHAS lacks. Per-application pricing in some configurations avoids the active committer overage problem.
SonarQube/SonarCloud: Popular SAST alternative with instance-based pricing for Server (flat-rate for self-hosted) and lines-of-code-based pricing for Cloud. For organisations where CodeQL's language support matches their primary tech stack, SonarQube's pricing model is often significantly cheaper for large developer populations.
In an EA negotiation, the credible alternative that most effectively generates GHAS pricing leverage is Snyk — it has meaningful GitHub integration, strong developer adoption momentum, and a pricing model that is directly comparable to GHAS at the enterprise level. Entering an EA negotiation with a Snyk proof-of-concept evaluation completed and priced provides real negotiating pressure on GHAS list pricing.
Developer Security Licensing Advisory
We help enterprise organisations model their GHAS active committer count, negotiate GHAS in EA renewals, evaluate GHAS vs ADO AdvSec deployment strategies, and govern active committer counts to prevent overage spend. Our advisors have no GitHub or GHAS partner relationship — we optimise for your cost, not Microsoft's revenue.
GHAS Committer Audit
Determine your actual active committer population before committing to a GHAS quantity. Most organisations discover their real count is 20–30% lower than Microsoft's proposed figure.
EA Developer Security Negotiation
If GHAS is in your upcoming EA renewal, we structure the negotiation — committer count, discount rate, overage provisions, and competitive benchmark.
GHAS vs ADO AdvSec Analysis
For organisations with both GitHub and Azure DevOps, we model the cost and coverage implications of each deployment strategy — avoiding the double-purchase trap.
Summary
GitHub Advanced Security is a technically strong application security product with a commercially complex pricing model. The active committer model creates material overspend risk for organisations that deploy it without governance — particularly those with contractor populations, automated commit pipelines, or indiscriminate repository-level enablement. Managing GHAS well requires: a pre-purchase active committer audit, a repository tiering strategy for enablement, contractor governance, monthly committer monitoring, and negotiated EA terms that include overage protections and EA-rate pricing for incremental committers.
For organisations evaluating GHAS for the first time, the competitive alternative analysis (Snyk, Checkmarx, SonarQube) should precede the EA commitment — both as a commercial sanity check and as negotiation leverage. GHAS is not the only credible option in its space, and entering the negotiation with a benchmarked alternative consistently produces better pricing than accepting Microsoft's standard EA rate. See our full developer licensing EA optimisation guide for the complete framework.