
GitHub Advanced Security (GHAS)

GitHub offers a multitude of features designed to enhance and preserve the integrity of your code. Features like the dependency graph and Dependabot alerts are included in all subscription plans. The dependency graph identifies all of your project’s dependencies, including the ecosystems and packages it depends on and the repositories and packages that depend on it. For each dependency, you can see the license information and vulnerability severity. Dependabot alerts notify you when your code relies on a package that has known security vulnerabilities and can even generate pull requests to update the vulnerable dependencies. Using a package with known vulnerabilities can make your system an easy target for bad actors seeking to compromise it. Other GitHub security features are available through GitHub Advanced Security.

GitHub Advanced Security (GHAS) is a suite of security features provided by GitHub to enhance the security of your code. Most GitHub Advanced Security features are free for public GitHub repositories; however, you will need a GitHub Advanced Security license to use them on private repositories.

GitHub Advanced Security has the following security features:

  • Code scanning - Use CodeQL or a third-party tool to find potential security vulnerabilities and coding errors in your code.
  • CodeQL CLI - Run CodeQL processes locally on software projects, or generate code scanning results for upload to GitHub.
  • Secret scanning - Detect secrets, for example keys and tokens, that have been checked into private repositories.
  • Custom auto-triage rules - Help you manage your Dependabot alerts at scale. With custom auto-triage rules you have control over which alerts you want to ignore, snooze, or trigger a Dependabot security update for.
  • Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.
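As an added example that is not part of the original post, the following GitHub Actions workflow wires two of the features above, CodeQL code scanning and dependency review, into a repository's pull request flow. The default branch name and the project language (JavaScript/TypeScript) are assumptions; secret scanning and Dependabot auto-triage rules are enabled in repository settings rather than in a workflow.

```yaml
# Added example (not from the original post): a GitHub Actions workflow that
# runs CodeQL code scanning on pushes and pull requests, and dependency review
# on pull requests. Assumptions: the default branch is "main" and the project is
# JavaScript/TypeScript (compiled languages need a build step before analyze).
name: GHAS checks

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  codeql:
    name: CodeQL code scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload results to the Security tab
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended   # broader security query suite than the default
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  dependency-review:
    name: Dependency review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when the pull request introduces a dependency with a
          # known vulnerability of this severity or higher.
          fail-on-severity: high
```

With branch protection requiring both checks, a pull request that adds a dependency with a known high-severity vulnerability, or that introduces a CodeQL finding, is blocked from merging until it is addressed.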

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. Some features of GitHub Advanced Security are also available for public repositories on GitHub.com.

The table below summarizes the availability of GitHub Advanced Security features.

GHAS availability table

To read more about GitHub Advanced Security, and how you can enable it for your enterprise, check out GitHub Docs: Managing GitHub Advanced Security for your enterprise.

For those using Azure DevOps, GitHub Advanced Security for Azure DevOps adds GitHub Advanced Security's suite of security features to Azure Repos. This includes secret scanning push protection, secret scanning repository scanning, dependency scanning, and code scanning. Learn how to configure GitHub Advanced Security for Azure DevOps.