Managing Unexpected GitHub Advanced Security Activations
GitHub's security features help keep your code and secrets secure in repositories and across organizations. Some features such as Code Security or Secret Protection are available for use on public repositories, and are available for purchase to be used on private and internal repositories.
This article serves as a guide to help reconcile any repositories that may have accidentally had GHAS features enabled, and explains how to set policies that govern which organizations and repositories can use GHAS functionality.
This guide will walk you through:
- Identifying repositories with GHAS features enabled
- Managing which repositories have GHAS features enabled
- Setting policies to manage which organizations and repositories may have GHAS functionality available for use
⚠️ This applies to GHAS metered billing only and excludes self-hosted plans.
Required Permissions
To complete all steps in this guide, you'll need the appropriate administrative access:
GitHub Plan | Recommended Role | Why This Role? |
---|---|---|
🏢 Enterprise | Enterprise Owner | Full access to enterprise policies, billing reports, and organization management |
👥 Team | Organization Owner | Complete organization control including billing, security configurations, and policies |
💡 Pro Tip: While lower-level roles (like Security Manager or Repository Admin) can perform some individual tasks, having the highest level of access ensures you can complete the entire process without permission roadblocks.
🏢 For GitHub Enterprise Customers (3 Steps)
Step 1: Identifying repositories with Advanced Security Enabled
💡 Choose ONE method below - Pick the approach that works best for your workflow.
Usage Report via Enterprise UI
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. Click Billing & licensing to display an overview.
4. For metered usage, click Usage.
   a. To display only Advanced Security usage within the graph, click the search bar, then click Product. Within the list of products displayed, click GHAS.
   b. To further filter the usage graph, use the dropdown menus:
      - To view usage by SKU, select the Group dropdown, then click SKU. This will allow you to view usage for both GitHub Secret Protection and GitHub Code Security.
      - To filter by time, select Time Frame, then click a time period.
      - Below the graph, you can see a more granular overview of the usage. Click the arrow next to a specific date to see a nested table with usage per SKU, units, price/unit, gross amount (the amount actually used), and billed amount (the amount you are charged).
   c. To download the data, click ⬇️ Get usage report.
5. For license consumption, click ⚖️ Licensing.
   - Under "GitHub Advanced Security," click the ⬇️ Download CSV report dropdown and then click either Code Security or Secret Protection.
Security Coverage Page
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. Click Security to display an overview.
4. Click Coverage to view the Security Coverage Page.
5. Click into the filter bar, add filter `advanced-security:enabled` and optionally `-is:public` since public repositories don't incur charges for Advanced Security.
6. You'll now see a filtered view of all repositories that have either Code Scanning or Secret Protection enabled.
7. Click Export CSV to export a filtered CSV with a list of all repos and their associated organizations that have Advanced Security applied.
REST API
- Permissions required: You must be an owner or security manager for the organization to retrieve the full list of repositories from the API. For more information, see Managing security managers in your organization.
- Use the List Organization Repositories API endpoint to retrieve a list of repositories that belong to your organization.
- The `security_and_analysis` block in the response will display whether Advanced Security is enabled on each repository.
- Repeat this process for each organization within your enterprise to get a comprehensive list of all repositories with Advanced Security enabled.
Step 2: Disabling GHAS functionality
💡 Choose ONE approach below based on your scale and requirements. Consider the trade-offs for each method.
Individual repository approach
🎯 Best for: Small number of repositories
⚠️ Important Considerations:
- Most straightforward approach with no side effects
- Can be tedious and difficult to scale if many repositories have GHAS enabled
- Recommended when only a handful of repositories need attention
For each repository identified in Step 1:
1. Navigate to the repository.
2. Select ⚙️ Settings → Advanced Security
3. Scroll to GitHub Advanced Security section
4. Click Disable
Organization-level approach
🎯 Best for: Multiple repositories within a single organization
💡 Choose ONE method below - Use Global Settings for disabling GHAS repo by repo or Security Configurations to apply security settings at scale.
Global Settings:
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. Navigate to Advanced Security → Global settings
4. Scroll down and find the section named GitHub Advanced Security repositories
5. For each repository you wish to disable GHAS for, click '...' → Disable GitHub Advanced Security
Security Configurations:
⚠️ Important Considerations:
- Better for scale than individual repository changes
- Important: Applying a security configuration will overwrite any existing security configurations on the repository
- Review existing configurations before applying changes
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. Navigate to Advanced Security → Configurations
4. Click New configuration
5. Give it a clear name such as "Disable GHAS Features"
6. Set GitHub Advanced Security Features → Disabled
7. Configure other non-GHAS security features under 'Dependency Scanning' and 'Policy' that you wish to apply to repositories with this configuration ('Not set' preserves existing repo settings for that particular feature)
8. Click Save configuration
9. Apply to the repositories identified in Step 1
Enterprise-wide approach (Broad Impact - Review Carefully)
Enterprise Security Configurations:
⚠️ Important Considerations:
- Easiest approach for broad changes across multiple organizations
- Important: Be aware of existing security configurations at the organization level that may be overridden! You will not have visibility into organization security configurations and which repositories they're applied to at the enterprise level.
- These changes have broad impact - ensure you understand the scope before applying.
- We strongly recommend communicating with affected organization and repository admins before applying enterprise-wide changes.
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. Navigate to ⚙️ Settings → Advanced Security
4. Click New configuration
5. Give it a clear name such as "Disable GHAS Features"
6. Set GitHub Advanced Security Features → Disabled
7. Configure other non-GHAS security features under 'Dependency Scanning' and 'Policy' that you wish to apply to repositories with this configuration ('Not set' preserves existing repo settings for that particular feature)
8. Click Save configuration
9. Click Apply to → All Repositories
Step 3: Setting policies to control future activations
Enterprise Policy Controls
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. Navigate to Policies → Advanced Security
4. Configure the following settings:
   - Availability: ('Not available' prevents GHAS from being enabled anywhere within your Enterprise)
   - If you wish to enable GHAS, but want to restrict repository admins from being able to enable these features, scroll down and set these policies accordingly:
     - Repository Admins can Enable or Disable GitHub Advanced Security: 'Not allowed'
     - Repository Admins can Enable or Disable Secret Protection: 'Not allowed'
👥 For GitHub Team Customers (3 Steps)
Step 1: Identifying repositories with Advanced Security Enabled
💡 Choose ONE method below - Pick the approach that works best for your workflow.
Usage Report via Organization UI
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. In the Access section of the sidebar click Billing and licensing to display an overview.
4. For metered usage, in the sidebar click Usage.
   a. To display only Advanced Security usage within the graph, click the search bar, then click Product. Within the list of products displayed, click GHAS.
   b. To further filter the usage graph, use the dropdown menus:
      - To view usage by SKU, select the Group dropdown, then click SKU. This will allow you to view usage for both GitHub Secret Protection and GitHub Code Security.
      - To filter by time, select Time Frame, then click a time period.
      - Below the graph, you can see a more granular overview of the usage. Click the arrow next to a specific date to see a nested table with usage per SKU, units, price/unit, gross amount (the amount actually used), and billed amount (the amount you are charged).
   c. To download the data, click ⬇️ Get usage report.
Security Coverage Page
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your organizations, or click Your organizations then click the organization you want to view.
3. Click Security to display an overview.
4. Click Coverage to view the Security Coverage Page.
5. Click into the filter bar, add filter `advanced-security:enabled` and optionally `-is:public` since public repositories don't incur charges for Advanced Security.
6. You'll now see a filtered view of all repositories that have either Code Scanning or Secret Protection enabled.
7. Click Export CSV to export a filtered CSV with a list of all repos that have Advanced Security applied within the organization.
REST API
- Permissions required: You must be an owner or security manager for the organization to retrieve the full list of repositories from the API. For more information, see Managing security managers in your organization.
- Use the List Organization Repositories API endpoint to retrieve a list of repositories that belong to your organization.
- The `security_and_analysis` block in the response will display whether Advanced Security is enabled on each repository.
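
The REST API check described here and in the Enterprise REST API section, as an added example (not GitHub's own code): it pages through the List Organization Repositories endpoint and reads each `security_and_analysis` block, skipping public repositories. The organization name, the sample response and the choice of keys in `GHAS_KEYS` are assumptions to adjust.

```python
import json
import urllib.request

# Keys in security_and_analysis counted as GHAS here (assumption; adjust as needed).
GHAS_KEYS = ("advanced_security", "code_security", "secret_scanning")

def fetch_org_repos(org, token, api="https://api.github.com"):
    """Page through GET /orgs/{org}/repos until an empty page comes back."""
    repos, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{api}/orgs/{org}/repos?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1

def ghas_report(repos):
    """Return ({full_name: [enabled GHAS keys]}, [repos with no visible block])."""
    billable, unknown = {}, []
    for repo in repos:
        if repo.get("visibility") == "public":
            continue  # public repositories don't incur GHAS charges
        block = repo.get("security_and_analysis")
        if block is None:  # block withheld: caller lacks owner/security-manager access
            unknown.append(repo["full_name"])
            continue
        enabled = [k for k in GHAS_KEYS
                   if (block.get(k) or {}).get("status") == "enabled"]
        if enabled:
            billable[repo["full_name"]] = enabled
    return billable, unknown

# Constructed sample response, trimmed to the fields used above.
SAMPLE = [
    {"full_name": "example-org/payments", "visibility": "private",
     "security_and_analysis": {"advanced_security": {"status": "enabled"},
                               "secret_scanning": {"status": "enabled"}}},
    {"full_name": "example-org/docs", "visibility": "public",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
    {"full_name": "example-org/intranet", "visibility": "internal",
     "security_and_analysis": {"advanced_security": {"status": "disabled"}}},
    {"full_name": "example-org/legacy", "visibility": "private"},
]
```

Run `ghas_report(fetch_org_repos("your-org", token))` once per organization; a non-empty second list means the token could not see the block for those repositories, so the result is incomplete rather than clean.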
Step 2: Disabling GHAS functionality
💡 Choose ONE approach below based on your scale and requirements. Consider the trade-offs for each method.
Individual repository approach
🎯 Best for: Small number of repositories
⚠️ Important Considerations:
- Most straightforward approach with no side effects
- Can be tedious and difficult to scale if many repositories have GHAS enabled
- Recommended when only a handful of repositories need attention
For each repository identified in Step 1:
1. Navigate to the repository
2. Select ⚙️ Settings → Advanced Security
3. Scroll to GitHub Advanced Security
4. Click Disable
Organization-wide approach
💡 Choose ONE method below - Use Global Settings for disabling GHAS repo by repo or Security Configurations to apply security settings at scale
Global Settings:
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. Navigate to Advanced Security → Global settings
4. Scroll down and find the section named GitHub Advanced Security repositories
5. For each repository you wish to disable GHAS for, click '...' → Disable GitHub Advanced Security
Security Configurations:
⚠️ Important Considerations:
- Better for scale than individual repository changes
- Important: Applying a security configuration will overwrite any existing security configurations on the repository
- Review existing configurations before applying changes
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. Navigate to Advanced Security → Configurations
4. Click New configuration
5. Give it a clear name such as "Disable GHAS Features"
6. Set GitHub Advanced Security Features → Disabled
7. Configure other non-GHAS security features under 'Dependency Scanning' and 'Policy' that you wish to apply to repositories with this configuration ('Not set' preserves existing repo settings for that particular feature)
8. Click Save configuration
9. Apply to the repositories identified in Step 1
Step 3: Setting a configuration to control future activations
Organization Security Configuration
1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
2. Next to the organization, click ⚙️ Settings.
3. Navigate to Advanced Security → Configurations
4. Create a preventive configuration:
   - Click New configuration
   - Provide a clear name to describe the configuration.
   - Provide a clear description.
   - Set GitHub Advanced Security Features → Disabled
   - Configure other non-GHAS security features under 'Dependency Scanning' and 'Policy' that you wish to apply to repositories with this configuration ('Not set' preserves existing repo settings for that particular feature)
   - Select Use as default for newly created repositories if you wish to have this configuration applied to all new repositories. (Recommended if you want to prevent accidental activations by repository admins)
   - Set Configuration enforcement → Enforce (Enforce means repository admins cannot change the applied settings)
5. Apply this configuration to existing repositories to prevent accidental enablement
❓ Frequently Asked Questions
Q: Why am I still seeing charges showing up after I've disabled GHAS on my repositories?
A: Your use of Advanced Security is billed per committer and enabled by repository. If you remove a committer from an organization, or if you disable all GitHub Secret Protection, GitHub Code Security, or GitHub Advanced Security features for a repository, the committers will remain billable until the end of the current monthly billing cycle. Prorated billing applies only when a committer starts partway through the month.