Open source compliance doesn't change your Microsoft licence count, but it drives significant Microsoft licensing spend. Enterprises that take open source security seriously frequently end up buying GitHub Advanced Security (GHAS) for code scanning and secret detection, often without checking which of those capabilities they actually need. At $49 per active committer per month, a 500-developer team spends $294,000/year on GHAS alone, which makes OSS compliance tooling one of the largest line items in a developer toolchain budget. Understanding how open source obligations map onto Microsoft's tooling and EA structure is essential to controlling that cost.
The Intersection of Open Source and Microsoft Licensing
There are seven primary points where open source compliance obligations generate Microsoft licensing costs, and not all of them require a paid product:
| Compliance Obligation | Microsoft Tool | Licence Cost | Alternatives |
|---|---|---|---|
| Dependency vulnerability alerting | Dependabot alerts and security updates (built on the Dependency Graph) | Free on all GitHub plans; GHAS not required | Snyk, Trivy, Grype, OWASP Dependency-Check |
| Vulnerabilities in proprietary code | GitHub Advanced Security (CodeQL code scanning) | $49/active committer/month (GHAS) | Semgrep, SonarQube, Checkmarx |
| Secret scanning in code and history | GitHub Advanced Security (secret scanning, push protection, custom patterns) | Included in GHAS | TruffleHog, Gitleaks, GitGuardian |
| SBOM generation | GitHub Dependency Graph SBOM export (UI and REST API) | Free on all GitHub plans | Syft, Microsoft SBOM Tool, CycloneDX tooling |
| Licence policy enforcement at PR time | GitHub Advanced Security (dependency review) | Included in GHAS for private repos; free for public repos | FOSSA, Mend (formerly WhiteSource), OSS Review Toolkit |
| Container image scanning | Microsoft Defender for Containers | Defender for Cloud plan, metered per vCore-hour (approx. $0.0093) | Trivy, Aqua, Prisma Cloud |
| Scanning for Azure DevOps repositories | GitHub Advanced Security for Azure DevOps (dependency, secret and code scanning) | $49/active committer/month, same committer model as GHAS | Marketplace extensions, SonarQube, Checkmarx |
The key observation is that GHAS is not required for basic OSS dependency scanning: Dependabot alerts and Dependabot security updates are free on every GitHub plan, GitHub Enterprise Cloud included, without GHAS. GHAS adds CodeQL code scanning (vulnerabilities in your own code rather than in dependencies), secret scanning with push protection and custom patterns, and dependency review as a pull-request check on private repositories. Many enterprises buy GHAS when Dependabot alone would have met their requirement, paying $49 per committer per month for capabilities they never switch on. Audit which GHAS features are actually enabled before renewing.
GitHub Advanced Security Licensing Deep-Dive
GHAS is the primary Microsoft/GitHub tool for open source security, and its licensing model is frequently misunderstood. Since April 2025 GitHub has also sold its two halves as standalone products, GitHub Secret Protection ($19 per active committer per month) and GitHub Code Security ($30 per active committer per month), so an organisation that only needs secret scanning no longer has to buy the combined $49 bundle. The GitHub Advanced Security licensing guide covers the full model; the key points for OSS compliance decisions are:
The Active Committer Definition
GHAS is billed per "active committer": a unique GitHub user who has pushed at least one commit to a private, GHAS-enabled repository in the trailing 90 days. A user who commits to ten enabled repositories counts once; commits to public repositories never count. This definition creates several cost management opportunities:
- Contractor and vendor accounts: External contributors who commit to enabled private repos are billable committers like anyone else. Ten contractors each making a single commit a month add $490/month in GHAS cost, which is rarely budgeted.
- Bot accounts: Commits authored by Dependabot and by GitHub Apps do not count as active committers, but a regular user account used as a CI or release bot does. Verify that automation commits come from GitHub Apps or Dependabot rather than from ordinary user accounts.
- Selective enablement: GHAS is enabled per repository, and only enabled repositories contribute to the committer count. Keep GHAS on the repositories that genuinely need it (production services, anything customer-data adjacent) and leave internal tooling on free Dependabot alerts. Before enabling further repositories, model how many committers not already counted elsewhere each one would add.
- Shared accounts: If several developers share one GitHub account (a violation of GitHub's terms of service, but common in legacy setups), they count as one committer. Normalising to individual accounts, which you should do anyway, increases the committer count and the bill; audit this before signing a GHAS agreement so the forecast is right.
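To make the definition concrete, here is an added example (not code from the article or from GitHub) that applies the 90-day rule to a constructed commit log: it counts billable committers for a given per-repository enablement state, excludes bot commits and public repositories, and shows what enabling GHAS on one more repository would add. Repository names and logins are hypothetical.

```python
"""Model GitHub Advanced Security (GHAS) active-committer billing from a commit log.

Added example, not code from the original article or from GitHub. It implements the
billing definition quoted above: a billable committer is a unique user who has committed
to at least one GHAS-enabled *private* repository in the trailing 90 days. A user counts
once however many repos they touch, Dependabot / GitHub App commits do not count, and
public repositories never bill. All repo and commit records below are constructed sample
data, not real GitHub output.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

LIST_PRICE = 49.0   # USD per active committer per month (GHAS list price quoted above)
WINDOW_DAYS = 90    # trailing window in GitHub's active-committer definition


@dataclass(frozen=True)
class Repo:
    name: str
    private: bool
    ghas_enabled: bool


@dataclass(frozen=True)
class Commit:
    login: str
    repo: str
    when: datetime
    is_bot: bool = False   # True for Dependabot / GitHub App authored commits


def active_committers(commits, repos, now, window_days=WINDOW_DAYS):
    """Logins billable under the 90-day rule for the given repo enablement state."""
    billable_repos = {r.name for r in repos if r.private and r.ghas_enabled}
    cutoff = now - timedelta(days=window_days)
    return {
        c.login for c in commits
        if not c.is_bot and c.repo in billable_repos and c.when > cutoff
    }


def monthly_cost(n_committers, price=LIST_PRICE, discount=0.0):
    """Monthly GHAS spend for n committers at list price less a negotiated discount."""
    return round(n_committers * price * (1.0 - discount), 2)


def enablement_delta(commits, repos, now, repo_name):
    """New committers (and USD/month) that enabling GHAS on one more repo would add.

    This is the number to check before offering 'GHAS on all repositories' as a
    negotiation concession: a developer already counted via another GHAS repo costs
    nothing extra; a developer only active in the newly enabled repo does.
    """
    before = active_committers(commits, repos, now)
    toggled = [replace(r, ghas_enabled=True) if r.name == repo_name else r for r in repos]
    added = active_committers(commits, toggled, now) - before
    return added, monthly_cost(len(added))


# --- constructed sample data (hypothetical repos and logins) --------------------------
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_REPOS = [
    Repo("payments-api", private=True, ghas_enabled=True),
    Repo("internal-tools", private=True, ghas_enabled=False),
    Repo("docs-site", private=False, ghas_enabled=True),   # public: never billable
]
SAMPLE_COMMITS = [
    Commit("alice", "payments-api", NOW - timedelta(days=10)),
    Commit("bob", "payments-api", NOW - timedelta(days=100)),          # outside the window
    Commit("carol", "internal-tools", NOW - timedelta(days=5)),        # repo not enabled
    Commit("dave", "payments-api", NOW - timedelta(days=3)),
    Commit("dave", "internal-tools", NOW - timedelta(days=3)),         # same person: counted once
    Commit("dependabot[bot]", "payments-api", NOW - timedelta(days=1), is_bot=True),
    Commit("erin", "docs-site", NOW - timedelta(days=1)),              # public repo
    Commit("contractor-x", "payments-api", NOW - timedelta(days=30)),  # external, still billable
]

if __name__ == "__main__":
    billed = active_committers(SAMPLE_COMMITS, SAMPLE_REPOS, NOW)
    print("billable committers:", sorted(billed), "->", monthly_cost(len(billed)), "USD/month")
    added, cost = enablement_delta(SAMPLE_COMMITS, SAMPLE_REPOS, NOW, "internal-tools")
    print("enabling internal-tools adds:", sorted(added), "->", cost, "USD/month")
    print("500 committers, 3-year EA at 30% off:", monthly_cost(500, discount=0.30), "USD/month")
```

For the real numbers, GitHub's billing API reports active committers per repository (`GET /orgs/{org}/settings/billing/advanced-security`, with an enterprise-level equivalent); the script is useful for forecasting from your own git history before you enable additional repositories or sign a committer-count commitment.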
GHAS Pricing and EA Negotiation
| Procurement Path | List Price | EA Discount Range | Notes |
|---|---|---|---|
| Direct (github.com billing) | $49/committer/month | 0–5% | No volume pricing available |
| GitHub Enterprise Cloud (EA extension) | $49/committer/month | 15–25% | Standard EA volume discounting |
| MACC-linked GitHub Enterprise | $49/committer/month | 20–30% | Azure Commit spend linkage possible |
| GitHub Enterprise Cloud (3-year EA) | $49/committer/month | 25–35% | Best pricing available; requires volume commitment |
At 500 committers on a 3-year EA with 30% discount, GHAS costs $17,150/month ($205,800/year) vs $294,000/year at list price. The savings from EA negotiation justify specialist negotiation support for any organisation with 200+ GHAS committers.
SBOM Requirements and Microsoft's Position
The Software Bill of Materials (SBOM) has moved from best practice to regulatory requirement. US Executive Order 14028 (May 2021) started the process for software sold to federal agencies, with NTIA's minimum elements and subsequent OMB guidance defining what an SBOM must contain. The EU Cyber Resilience Act (adopted 2024, with obligations phasing in through 2027) extends similar requirements to products with digital elements sold in Europe. Both expect machine-readable SBOMs; SPDX and CycloneDX are the formats used in practice.
Microsoft SBOM Tooling
Microsoft and GitHub provide three relevant SBOM capabilities:
GitHub Dependency Graph + SBOM export: Free on all GitHub plans, GitHub Enterprise Cloud included. The Dependency Graph detects dependencies from supported manifests and lockfiles (npm, Maven, Gradle, pip, NuGet, RubyGems, Cargo, Go modules and others) and exports an SPDX 2.3 JSON SBOM from the repository UI (Insights → Dependency graph → Export SBOM) or the REST API (`GET /repos/{owner}/{repo}/dependency-graph/sbom`). Its accuracy is bounded by what the manifests declare: vendored code and dependencies pulled in by build scripts do not appear. It covers the majority of SBOM requirements for GitHub-hosted code at no additional cost, but is not a substitute for a build-time scanner where those patterns exist.
GitHub Advanced Security Dependency Review: Part of GHAS, this adds dependency review in pull requests — blocking PRs that introduce new vulnerable or licence-restricted dependencies. It does not generate SBOMs directly but enforces dependency policy at the point of change. GHAS is not required solely for SBOM compliance.
Microsoft SBOM Tool (open source): Microsoft publishes the "SBOM Tool" as an open source project (github.com/microsoft/sbom-tool). It generates SBOMs for packages and components independent of GitHub, supporting scenarios where code is not hosted on GitHub (Azure DevOps, on-premises repositories). No licence cost.
Azure DevOps SBOM Support
Azure DevOps does not have native SBOM generation equivalent to GitHub Dependency Graph. For Azure DevOps-based development pipelines, SBOM generation requires either the Microsoft SBOM Tool (free, OSS) integrated as a pipeline task, or third-party tools like Anchore, Aqua, or Black Duck integrated via Azure DevOps Marketplace extensions (costs vary by vendor).
Open Source Licence Compliance and Enterprise Risk
Open source licence compliance is a legal risk, not a Microsoft licensing risk — but it drives Microsoft tooling spend. The categories of concern for enterprises:
Copyleft Licence Categories
| Licence Type | Examples | Obligation | Enterprise Risk Level |
|---|---|---|---|
| Permissive | MIT, Apache 2.0, BSD | Attribution (Apache 2.0 adds a patent grant and NOTICE-file handling) | Low: attribution is easy to maintain |
| Weak copyleft | LGPL v2.1/v3, MPL 2.0 | Share modifications to the LGPL/MPL component itself; proprietary code may link to or combine with it without being released (LGPL additionally requires that users can relink, which matters for static linking) | Medium: requires per-file licence tracking for modified components |
| Strong copyleft | GPL v2, GPL v3 | A combined work that links to or incorporates GPL code must be distributed under the GPL, source included; the obligation triggers on distribution | High for distributed software; lower for purely internal tools that are never shipped |
| Network copyleft | AGPL v3 | GPL obligations extended to users interacting over a network, not just recipients of a distribution; SaaS providers must offer source | Very high for SaaS products |
| Source-available (not OSI open source) | SSPL, BSL 1.1 | Varies: SSPL requires releasing the whole service stack if the software is offered as a service; BSL forbids the licensor's named competing production use until its change date, after which it converts to an open source licence | High for cloud and managed service providers |
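The SBOM export described above and the licence categories in this table come together in a licence audit. The following is an added example, not code from the article, GitHub or Microsoft: it reads an SPDX document shaped like GitHub's dependency-graph SBOM export, parses each package's SPDX licence expression properly (AND binds tighter than OR, parentheses, WITH exceptions) instead of string-matching, maps it onto the categories above, and reports packages that fall into a denied category. The document is constructed, and its package names, versions and purls are made up.

```python
"""Audit the licences in an SPDX SBOM against the copyleft categories above.

Added example, not code from the original article, GitHub or Microsoft. The input is a
constructed document shaped like GitHub's dependency-graph SBOM export (a top-level "sbom"
object whose "packages" carry "licenseDeclared"/"licenseConcluded" and a purl externalRef);
package names and versions are made up. NOASSERTION is reported as unknown, never as permissive.
"""
import json
import re
import sys

CATEGORY_RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
                 "network-copyleft": 3, "source-available": 4, "unknown": 5}
DEFAULT_DENY = ("strong-copyleft", "network-copyleft", "source-available", "unknown")
LICENSE_CATEGORIES = {  # SPDX ids -> the article's categories; extend for your own policy
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "ISC": "permissive",
    "LGPL-2.1": "weak-copyleft", "LGPL-3.0": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "GPL-2.0": "strong-copyleft", "GPL-3.0": "strong-copyleft", "AGPL-3.0": "network-copyleft",
    "SSPL-1.0": "source-available", "BUSL-1.1": "source-available",
}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def classify_id(spdx_id):
    """Category of one licence id; '-only', '-or-later' and '+' suffixes are ignored."""
    return LICENSE_CATEGORIES.get(re.sub(r"-(only|or-later)$", "", spdx_id).rstrip("+"), "unknown")


def classify_expression(expr):
    """Reduce an SPDX expression to one category with a small recursive-descent parser.

    or_expr  := and_expr ("OR" and_expr)*   -> consumer chooses: least restrictive known wins
    and_expr := primary ("AND" primary)*    -> all apply: most restrictive wins
    primary  := "(" or_expr ")" | ID ["WITH" exception]   -> classified by the base licence
    """
    if not expr or expr.strip().upper() in ("NOASSERTION", "NONE"):
        return "unknown"
    tokens, pos = TOKEN.findall(expr), [0]   # pos is a 1-cell list so closures can advance it

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else None

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def primary():
        tok = take()
        if tok == "(":
            cat = or_expr()
            take()                  # consume ')'
            return cat
        if peek() == "WITH":
            take(); take()          # drop 'WITH <exception-id>'; exceptions still go to legal review
        return classify_id(tok or "")

    def and_expr():
        cat = primary()
        while peek() == "AND":
            take()
            cat = max(cat, primary(), key=CATEGORY_RANK.__getitem__)
        return cat

    def or_expr():
        cat = and_expr()
        while peek() == "OR":
            take()
            known = [c for c in (cat, and_expr()) if c != "unknown"]
            cat = min(known, key=CATEGORY_RANK.__getitem__) if known else "unknown"
        return cat

    return or_expr()


def audit_sbom(doc, deny=DEFAULT_DENY):
    """One finding per package: purl, licence expression, category and whether policy denies it."""
    findings = []
    for pkg in doc["sbom"]["packages"]:
        lic = next((pkg[k] for k in ("licenseConcluded", "licenseDeclared")   # prefer concluded
                    if pkg.get(k) and pkg[k].upper() not in ("NOASSERTION", "NONE")), "NOASSERTION")
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", []) if r.get("referenceType") == "purl"]
        cat = classify_expression(lic)
        findings.append({"purl": purls[0] if purls else f"{pkg.get('name')}@{pkg.get('versionInfo')}",
                         "license": lic, "category": cat, "denied": cat in deny})
    return findings


def _pkg(name, ver, lic, eco="npm"):   # one constructed package entry in the API's shape
    return {"name": name, "versionInfo": ver, "licenseDeclared": lic, "licenseConcluded": "NOASSERTION",
            "externalRefs": [{"referenceType": "purl", "referenceLocator": f"pkg:{eco}/{name}@{ver}"}]}


SAMPLE_SBOM = {"sbom": {"spdxVersion": "SPDX-2.3", "name": "example-repo", "packages": [
    _pkg("lodash", "4.17.21", "MIT"),                                               # permissive
    _pkg("readline-ish", "8.2", "GPL-3.0-or-later", "generic"),                     # strong copyleft
    _pkg("dual-lib", "1.0.0", "Apache-2.0 OR GPL-2.0-only"),                        # OR -> permissive
    _pkg("jdk-lib", "17.0", "GPL-2.0-only WITH Classpath-exception-2.0", "maven"),  # base licence
    _pkg("sspl-db", "7.0", "SSPL-1.0", "generic"),                                  # source-available
    _pkg("mystery", "0.1", "NOASSERTION"),                                          # unknown -> flagged
    _pkg("mixed", "2.3", "(MIT OR Apache-2.0) AND LGPL-2.1-or-later"),              # AND -> weak copyleft
    _pkg("agpl-svc", "3.1", "AGPL-3.0-only", "pypi"),                               # network copyleft
]}}

if __name__ == "__main__":   # usage: python sbom_audit.py [sbom.json]; exits 1 if any package is denied
    findings = audit_sbom(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM)
    for f in findings:
        print(("DENY " if f["denied"] else "ok   ") + f"{f['purl']:40} {f['category']:17} {f['license']}")
    sys.exit(1 if any(f["denied"] for f in findings) else 0)
```

Against a real repository, fetch the document with `gh api repos/OWNER/REPO/dependency-graph/sbom > sbom.json` and pass the file in. The deny list is a policy decision: a SaaS business will deny network copyleft outright, while an internal-tools team that never distributes may only deny source-available licences and unknowns. The same allow/deny idea is what GHAS dependency review enforces at pull-request time, the difference being that the script runs against the whole inventory rather than only the packages a PR changes.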
Microsoft's own products increasingly ship under permissive licences: the .NET runtime and SDK are MIT-licensed, the VS Code source repository (Code - OSS) is MIT-licensed while the branded Visual Studio Code build is distributed under a proprietary Microsoft licence, and the Azure SDK libraries are MIT or Apache 2.0. This creates no compliance obligation for EA customers using the products as shipped, since Microsoft's licence terms govern that commercial use regardless of component licences, but it matters for customers who fork or modify Microsoft OSS, who then take on the obligations of the component licences themselves.
The Microsoft IP Indemnification Question
Standard Microsoft EA includes IP indemnification for Microsoft-produced software. GitHub Copilot's IP indemnification (the Copilot Copyright Commitment, introduced in 2023) covers the Copilot Business and Enterprise tiers and applies only when the duplicate-detection filter for suggestions matching public code is enabled. It is an indemnity against third-party IP claims over Copilot output; it does not discharge the licence obligations attached to open source code a developer accepts from a suggestion, so the risk of GPL-licensed code entering a proprietary codebase via Copilot remains with the customer.
Practically, this means enterprises using GitHub Copilot should keep the "suggestions matching public code" setting on block (it filters suggestions that closely match public code, open source included, and is a precondition of the indemnity) and maintain code review processes that specifically check AI-suggested code for OSS licence contamination. See our GitHub Copilot Enterprise licensing guide for the full IP indemnification framework.
Competitive Alternatives to GHAS for OSS Compliance
GHAS is not the only enterprise option for open source security and compliance. The competitive landscape matters for EA negotiations — documenting viable alternatives gives you negotiation leverage:
| Tool | Primary Strength | Approximate Cost | GitHub Integration |
|---|---|---|---|
| Snyk | Developer-first SCA and SAST, excellent IDE integration | $25–98/developer/month | Native GitHub integration |
| Black Duck (formerly Synopsys Software Integrity Group) | Most comprehensive OSS licence compliance, enterprise M&A use cases | $50,000–200,000+/year | CI/CD integration |
| FOSSA | Licence compliance focus, legal-grade reporting | $20–60/developer/month | GitHub/GitLab/Bitbucket |
| Veracode SCA | Policy enforcement, compliance reporting for regulated industries | $30–80/developer/month | CI/CD integration |
| Dependabot (free) | Automated dependency PRs, vulnerability alerts | Free with any GitHub plan | Native GitHub |
The existence of free Dependabot alerts and mature OSS tools such as Trivy, Grype and OWASP Dependency-Check means GHAS is not required for basic dependency vulnerability management. Where GHAS is genuinely differentiated is CodeQL: semantic, data-flow-aware analysis that finds injection, taint-flow and logic vulnerabilities in proprietary code, which no SCA tool will catch. If your OSS compliance need is primarily dependency scanning and SBOM generation, confirm that Dependabot plus free tooling meets it before committing to GHAS at $49 per committer per month.
EA Negotiation: Developer Toolchain as a Package
The most effective negotiation strategy for OSS compliance tooling is to bundle it with the broader developer toolchain renewal. Microsoft and GitHub view the developer toolchain as: GitHub Enterprise Cloud + GHAS + GitHub Copilot + Azure DevOps. Each component has list pricing with room for EA negotiation, but the biggest discounts come from committing to the full stack.
The negotiation framework for a 500-developer organisation:
- Anchor the conversation on total spend: GitHub Enterprise Cloud ($21/user/month) + GHAS ($49/committer/month) + Copilot Business ($19/user/month) = $89/developer/month or $534,000/year at list. This is a significant number that gives you legitimate grounds to request 20–30% package discount.
- Selective GHAS enablement as a negotiation counter: Offer to enable GHAS on all repositories (rather than selectively) in exchange for a volume discount. Microsoft's goal is universal GHAS adoption, so this is real leverage, but price it first: enabling every repository pulls every developer active in the last 90 days into the committer count, and the discount has to beat the resulting increase in billable committers.
- Phased Copilot deployment commitment: Commit to Copilot on 50% of GHAS-licenced committers in year 1, 80% in year 2, in exchange for a 3-year GHAS rate lock.
- Competitive alternative documentation: Snyk at $25–35/developer/month is meaningfully cheaper than GHAS at $49/committer/month for comparable SCA functionality. Document this as a genuine alternative path — Microsoft will respond with pricing flexibility to retain the account.
For the complete EA negotiation framework for developer tooling, see our developer licensing EA optimisation guide and the Microsoft Developer & DevOps EA licensing complete guide.
Frequently Asked Questions
Does using open source software affect my Microsoft EA licensing?
Indirectly. Open source usage doesn't change your Microsoft licence count, but compliance obligations (SBOM, dependency scanning, vulnerability tracking) drive demand for tools like GitHub Advanced Security, which carries EA licensing costs. GHAS bills per active committer at $49/month list, which makes it one of the largest hidden costs in developer licensing; Dependabot alerts and SBOM export are free and do not require it.
What is GitHub Advanced Security and how is it licensed?
GitHub Advanced Security (GHAS) provides code scanning (CodeQL), secret scanning, and dependency review. It is licensed per "active committer" — a unique committer who has made at least 1 commit to a GHAS-enabled private repository in the last 90 days. List price is $49/active committer/month. EA discounts of 20–30% are common at 100+ committer scale.
What is Microsoft's position on GPL-licenced components?
Microsoft has no specific EA provision covering GPL contamination risk in customer code. GPL obligations are a legal matter between the customer and the licence terms, not a Microsoft licensing issue. GitHub's dependency graph surfaces each dependency's declared licence, and GHAS dependency review can block pull requests that introduce GPL components; legal counsel should still assess the distribution implications of anything already in the codebase.
Are SBOM requirements affecting Microsoft product purchases?
Partly. US Executive Order 14028 and the EU Cyber Resilience Act require SBOMs for software sold to US federal agencies and, under the CRA, to the EU market. GitHub's Dependency Graph SBOM export and the Microsoft SBOM Tool are free, so SBOM generation itself carries no EA cost; the cost implication arises when organisations bundle SBOM compliance into a GHAS purchase for code scanning, secret scanning and dependency review.
Can Microsoft's own products contain open source components?
Yes. Azure services, .NET, VS Code, and many Microsoft products incorporate open source libraries. Microsoft's EULA governs commercial use of Microsoft products regardless of component licences, so this does not create compliance obligations for EA customers — but it matters for security due diligence and customers modifying Microsoft OSS.
Related Developer & DevOps Licensing Guides
- Microsoft Developer & DevOps EA Licensing: Complete Guide
- GitHub Advanced Security Licensing Guide
- GitHub Copilot Enterprise Licensing Guide
- GitHub Enterprise Licensing Complete Guide
- Developer Licensing EA Optimisation
- GitHub Actions Minutes & Storage Licensing
- Azure DevOps Parallel Jobs Licensing Guide