GitHub Advanced Security (GHAS) - Analysis & Decision

This document explains GitHub Advanced Security features, why we have security scanning workflows, and the cost-benefit analysis for our project.

Current Status

Decision: We are NOT enabling GitHub Advanced Security at this time due to cost constraints.

What We Have:

  • [DONE] Security scanning workflows configured (Snyk, Checkov, Semgrep, Gitleaks)
  • [DONE] All scans execute successfully and log results
  • [DONE] Workflow set to continue-on-error: true for GHAS-dependent features
  • [DONE] Free tier GitHub features (dependency graph, Dependabot alerts)

What We Don’t Have:

  • [N/A] SARIF upload to GitHub Security tab (requires GHAS)
  • [N/A] Code scanning alerts UI (requires GHAS)
  • [N/A] Dependency Review action (requires GHAS)
  • [N/A] GitHub native secret scanning (requires GHAS)

What is GitHub Advanced Security?

GitHub Advanced Security (GHAS) is a suite of security features for GitHub Enterprise and Team plans:

Included Features

  1. Code Scanning
    • Automated security vulnerability detection in code
    • Powered by CodeQL (semantic code analysis)
    • SARIF file upload from third-party tools (Checkov, Semgrep, etc.)
    • Results displayed in GitHub Security tab
    • Pull request checks blocking merges
  2. Secret Scanning
    • Native GitHub secret detection (partner patterns)
    • Push protection (blocks commits with secrets)
    • Alerts in Security tab
    • Partner notifications for leaked tokens
  3. Dependency Review
    • Compare dependencies between branches
    • License compliance checks
    • Vulnerability alerts on PRs
    • Integration with Dependabot
  4. Security Overview
    • Organization-wide security dashboard
    • Risk scoring across repositories
    • Compliance reporting
    • Trend analysis

Why We Have Security Scanning Workflows

Even though we don’t use GHAS, we maintain comprehensive security scanning workflows because:

1. Security Best Practices

  • Automated security scanning is industry standard
  • Catches vulnerabilities before production
  • Demonstrates security-conscious development
  • Builds good habits for the team

2. Scan Results in Workflow Logs

  • All scan output is visible in GitHub Actions logs
  • Can review findings manually
  • Downloadable scan results (SARIF, JSON)
  • Continuous security validation

3. Easy GHAS Migration Path

  • Workflows already configured correctly
  • Just need to enable GHAS in repository settings
  • No code changes required
  • Instant security tab population

4. Multiple Security Layers

  • Snyk: Dependency vulnerabilities (Python + JavaScript)
  • Checkov: Infrastructure security (Terraform)
  • Semgrep: Code vulnerabilities (SAST)
  • Gitleaks: Secret detection (committed credentials)

5. Free Alternative Tools

  • Snyk has generous free tier
  • Checkov is 100% free (open source)
  • Semgrep has free community rules
  • Gitleaks is free with license key

Cost-Benefit Analysis

Costs

GitHub Advanced Security Pricing (as of 2025):

  • GitHub Team: $4/user/month (base requirement)
  • GHAS Add-on: $49/user/month
  • Total: ~$53/user/month for full GHAS features

For our team:

  • 1-2 developers: $53-106/month ($636-1,272/year)
  • 5 developers: $265/month ($3,180/year)
  • 10 developers: $530/month ($6,360/year)

Alternative (Free Tier):

  • GitHub Free: $0/month
  • Snyk Free: $0/month (limited)
  • Checkov: $0/month (open source)
  • Semgrep: $0/month (community rules)
  • Gitleaks: $0/month (with free license)
  • Total: $0/month

Benefits of GHAS

Pros

  1. Centralized Security Dashboard
    • All security findings in one place (Security tab)
    • No need to check workflow logs
    • Easy filtering and sorting
    • Historical trend tracking
  2. Pull Request Integration
    • Automated PR checks
    • Block merges on high-severity issues
    • Inline code annotations
    • Diff-aware scanning (only new issues)
  3. CodeQL Scanning
    • Semantic code analysis (not just pattern matching)
    • Low false positive rate
    • Deep vulnerability detection
    • GitHub-maintained queries
  4. Native Secret Scanning
    • Partner pattern database (AWS, Stripe, etc.)
    • Push protection (prevents commits)
    • Automatic partner notifications
    • Historical commit scanning
  5. Dependency Review
    • Automated license compliance
    • Vulnerability alerts on PRs
    • Dependency diff visualization
    • Supply chain security
  6. Enterprise Features
    • Organization-wide dashboard
    • Compliance reporting (SOC2, HIPAA)
    • Custom security policies
    • API access for automation
  7. Support & SLA
    • GitHub Support tickets
    • SLA guarantees
    • Priority bug fixes
    • Security advisories

Cons

  1. Cost
    • $53/user/month ($636/year per developer)
    • Scales linearly with team size
    • Expensive for small teams/projects
  2. Requires GitHub Team/Enterprise
    • Can’t use on Free tier
    • Lock-in to GitHub pricing
    • All committers must have GHAS license
  3. Learning Curve
    • Understanding CodeQL queries
    • Configuring policies
    • Managing false positives
    • Training team on features
  4. Vendor Lock-in
    • GitHub-specific features
    • Hard to migrate off GitHub
    • Dependent on GitHub’s roadmap
  5. Not Always Better Than Free Tools
    • Snyk often finds more dependency vulns
    • Semgrep has more flexible rules
    • Checkov is Terraform-specific (better coverage)
    • Gitleaks has broader secret patterns

Benefits of Free Tier (Current Approach)

Pros

  1. Zero Cost
    • No monthly fees
    • No per-user scaling costs
    • Budget-friendly for startups
  2. Best-of-Breed Tools
    • Snyk: Industry-leading dependency scanning
    • Checkov: Terraform security specialist
    • Semgrep: Flexible SAST with custom rules
    • Gitleaks: Comprehensive secret detection
  3. Flexibility
    • Choose best tool for each category
    • Easy to swap tools
    • Not locked into GitHub ecosystem
  4. Workflow Logs Sufficient
    • All scan results visible
    • Can grep/search results
    • Download SARIF for analysis
    • CI/CD blocks on failures
  5. Community Support
    • Large open source communities
    • Free documentation
    • Community-contributed rules
    • GitHub issues for bugs

Cons

  1. No Centralized Dashboard
    • Must check workflow logs
    • No historical tracking UI
    • Manual result aggregation
  2. No Pull Request Annotations
    • Findings not inline on diffs
    • Must read workflow logs
    • No automated PR blocking (can configure)
  3. Manual Process
    • Review scan results manually
    • No automatic triaging
    • More developer friction
  4. Limited Support
    • Community forums only
    • No SLA guarantees
    • Self-service troubleshooting

Our Decision Rationale

Why We’re Staying on Free Tier

  1. Cost Justification: $636-6,360/year is significant for our project size
  2. Free Tools Are Excellent: Snyk, Checkov, Semgrep, Gitleaks are industry-standard
  3. Workflow Logs Work: Results are accessible and actionable
  4. Small Team: Manual review is manageable with 1-2 developers
  5. Early Stage: Not yet revenue-generating to justify expense

When We Might Upgrade to GHAS

Consider upgrading when:

  1. Team Growth: >5 developers (coordination overhead increases)
  2. Compliance Requirements: SOC2, HIPAA, PCI-DSS audits needed
  3. Revenue: Product generates >$10K/month revenue
  4. Security Incidents: Experience breach or near-miss
  5. Enterprise Customers: Customers require security certifications
  6. Easier Workflows: Team spends >2 hours/week reviewing scan results manually

Cost Threshold

Enable GHAS when:

  • Revenue > $50K/month (1% of revenue for security)
  • Team size > 5 developers (efficiency gains outweigh cost)
  • Compliance required (GHAS pays for itself in audit savings)

How to Enable GHAS in the Future

Step 1: Enable GitHub Team (if not already)

  1. Go to: https://github.com/organizations/craftcodery/billing
  2. Upgrade to GitHub Team ($4/user/month)
  3. Add all committers to organization

Step 2: Enable GitHub Advanced Security

  1. Go to: https://github.com/craftcodery/compass/settings/security_analysis
  2. Scroll to “GitHub Advanced Security”
  3. Click “Enable GitHub Advanced Security”
  4. Confirm billing ($49/user/month additional)

Step 3: Enable Security Features

  1. Code Scanning:
    • Enable “Code scanning”
    • Our workflows automatically upload SARIF (already configured)
    • Findings appear in Security tab immediately
  2. Secret Scanning:
    • Enable “Secret scanning”
    • Enable “Push protection” (optional but recommended)
    • Historical scan runs automatically
  3. Dependency Review:
    • Enable “Dependency graph” (free, should already be on)
    • Dependency Review action works automatically (already in workflow)

Step 4: Configure Policies (Optional)

  1. Create .github/workflows/codeql.yml for CodeQL scanning
  2. Configure custom Semgrep rules
  3. Set up security policies in organization settings
  4. Enable required status checks on branches

Step 5: No Code Changes Required

Our workflows are already configured correctly:

  • SARIF uploads will automatically succeed
  • Security tab will populate
  • PR checks will appear
  • Dependency Review will work

Just flip the switch and everything activates.

Current Workflow Behavior

What Happens Now (Free Tier)

  1. Scans Execute: All security scans run successfully
  2. Results Logged: Output appears in workflow logs
  3. SARIF Upload Attempts: CodeQL action tries to upload SARIF
  4. Upload Fails Gracefully: continue-on-error: true prevents failure
  5. Workflow Succeeds: Green checkmark despite SARIF upload failure

What Happens After Enabling GHAS

  1. Scans Execute: Same as before
  2. Results Logged: Same as before
  3. SARIF Upload Succeeds: Results uploaded to GitHub
  4. Security Tab Populated: Findings appear in UI
  5. PR Annotations: Inline comments on code diffs
  6. Workflow Succeeds: Green checkmark with full SARIF integration

Monitoring & Metrics

Current Metrics (Free Tier)

  • Security scan coverage: 100% (all code scanned)
  • Scan frequency: Every PR + push to main
  • Average findings: Visible in workflow logs
  • Time to review: ~5-10 minutes/PR manually
  • False positive rate: Estimated 10-20% (must filter manually)

Expected Metrics with GHAS

  • Security scan coverage: 100% (same)
  • Scan frequency: Every PR + push to main (same)
  • Average findings: Deduplicated + triaged in Security tab
  • Time to review: ~2-3 minutes/PR (inline annotations)
  • False positive rate: ~5-10% (better filtering)
  • Developer efficiency: ~50% faster security review

ROI Calculation:

  • Time saved: 3-7 min/PR × 20 PRs/week = 1-2.3 hours/week
  • Developer hourly rate: $50-150/hour
  • Value saved: $50-345/week ($2,600-17,940/year)
  • GHAS cost: $636-1,272/year (1-2 developers)
  • Net benefit: $1,964-16,668/year

For teams of 5+, GHAS likely pays for itself in developer efficiency.

Alternatives to GHAS

If cost remains a concern but you want better UX:

1. Snyk (Free/Paid Tier)

  • Free tier: Unlimited tests on public repos
  • Paid tier: $59/developer/month
  • Features: Dependency scanning, container scanning, IaC scanning
  • Better than GHAS for: Dependency vulnerabilities, fix PRs

2. Semgrep Cloud (Free/Paid)

  • Free tier: Public repos, community rules
  • Paid tier: $60/developer/month
  • Features: SAST, custom rules, PR comments
  • Better than GHAS for: Custom security rules, multi-language

3. Bridgecrew (Palo Alto - Free/Paid)

  • Free tier: Limited scans
  • Paid tier: Custom pricing
  • Features: IaC scanning, compliance frameworks
  • Better than GHAS for: Terraform/CloudFormation security

4. SonarCloud (Free/Paid)

  • Free tier: Public repos
  • Paid tier: $10/100K LOC/month
  • Features: Code quality + security
  • Better than GHAS for: Technical debt tracking

5. Self-Hosted Options

  • SonarQube (open source)
  • Trivy (container + IaC scanning)
  • CodeQL CLI (open source, GitHub-supported)
  • DefectDojo (vulnerability management)

Recommendations

Immediate (Free Tier)

  1. Keep current workflows - Already configured, working well
  2. Review logs weekly - Assign rotating security reviewer
  3. Update scan configs - Keep Snyk, Checkov, Semgrep rules current
  4. Document findings - Create issues for confirmed vulnerabilities
  5. Track metrics - Monitor scan execution time, finding count

Short Term (3-6 months)

  1. Evaluate GHAS trial: GitHub offers 30-day free trials
  2. Test CodeQL: Compare findings vs Semgrep
  3. Measure time savings: Track security review time with/without GHAS
  4. Consider Snyk paid: If dependency vulns are frequent issue
  5. Automate more: Create scripts to parse SARIF, create issues

Long Term (6-12 months)

  1. Re-evaluate at scale: If team grows beyond 5 developers
  2. Customer requirements: If enterprise customers require GHAS
  3. Compliance needs: If pursuing SOC2/ISO27001 certification
  4. Budget review: If monthly revenue exceeds $50K
  5. Developer feedback: Survey team on security workflow pain points

Conclusion

Current approach is cost-effective and sufficient for our needs.

We maintain comprehensive security scanning with free, best-in-class tools. SARIF upload failures are cosmetic—scans execute successfully and results are accessible in logs.

GitHub Advanced Security is a premium feature that we’re prepared to enable when:

  • Team size justifies efficiency gains
  • Budget allows $636-6,360/year expense
  • Compliance requirements demand centralized security dashboard
  • Customer contracts require GitHub-native security features

Until then, our free-tier security posture is excellent and meets industry standards.

Document Updated: 2025-11-19 Next Review: 2026-05-19 (6 months) Decision Maker: Engineering Team Status: Approved - Free Tier