Enable GHES GHAS Trial

Helpful Resources

• GHES GHAS Enablement Quickstart Guide PDF
• GHES GHAS Feature Matrix (Targeted GHES Release for each GHAS feature)

Prerequisites

Calculate your Active Committer count

First, we'll need to know how many seats will be needed to generate the trial license. Since it's licensed by active committers in the past 90 days on repos it's enabled on, it's usually not the same number of people in the organizations that'll participate. A GitHub Enterprise Server administrator will need to put the complete list of organizations and/or repositories for the applications selected into the page below, which will generate the seat count (documentation).

https://<ghes-fqdn>/stafftools/ghas_committers

Ensure you are meeting minimum GHES infrastructure requirements

The recommended infrastructure requirements for each deployment environment can be found here.

Enable GHES GitHub Advanced Security (GHAS) Trial

NOTE: Before the expiration date of your GHAS Trial, you will need to redownload and reapply your standard GHES license file. This is necessary to ensure continuity of business.

1. Work with your dedicated GitHub Account Manager to discuss GHAS Trial scope and timeline.

2. Once processed on the GitHub side, your GHAS Trial License will become available in your Enterprise Account under Enterprise Licensing in your associated GitHub Enterprise Cloud Enterprise:

   https://github.com/enterprises/<enterprise-name>/enterprise_licensing

   

3. Download GHES w/ GHAS enabled trial license.

4. Apply/Upload trial license to GHES instance.

5. Enable GitHub Advanced Security features via the management console. (WARNING: this will restart the appliance to apply GHAS features)

• Enable secret scanning, as outlined here. Note this requires checking that a CPU flag is available and enabling the feature in the management console.
• Enable the dependency graph, as outlined here.
• If you wish to use Dependabot updates to automatically send pull requests to update out-of-date dependencies, enable the feature as outlined here.
• If you wish to use Dependabot updates and dependency review, you must enable GitHub Actions (if not already done) as outlined here and create a self-hosted runner for it as outlined here.
• If you wish to utilize Default CodeQL Setup (GHES 3.9+), assign the code-scanning label to your self-hosted runner. For more information about using labels with self-hosted runners, see "Using labels with self-hosted runners".

If the CPU flag isn't present, this will require a reboot after making it available to the VM in the hypervisor. If it is already present, then a reboot is not needed but services will be reloaded after enabling secret scanning. Either way, some user disruption will happen to enable it.

Individual Feature Enablement

Dependabot (SCA)

Dependabot has portions included with your GHE and portions unlocked by Advanced Security.

• Included: Dependency Graph, Dependabot Alerts, Dependabot Security Updates, Security Overview (GHES 3.7+)
• Added with Advanced Security: Dependency Review

Full overview of these different features found here.

To enable the included features:

1. Enable GitHub Connect

2. Enable Dependency Graph

3. Enable Dependabot Alerts for the Enterprise

4. Enable Dependabot Updates (includes Security + Version updates)

   • REQUIRES enabling GitHub Actions

5. Managing self-hosted runners for Dependabot Security Updates

   To enable GHAS features:

6. Configure Dependency Review

CodeQL (SAST)

About Code Scanning with CodeQL

CodeQL works as-is, without internet connectivity. It can run either within GitHub Actions using self-hosted runners (link) or integrate into a 3rd party CI system (link), so how the final architecture looks is up to your team.

It does not require GitHub Connect or internet connectivity, although it's handy to keep the code queries up to date (for running within GitHub Actions). The codeql-action-sync-tool is how to update the queries without internet access. While not strictly required if runners are connected to the internet, it's recommended to run this at least once on each upgrade because the CodeQL binaries are not shipped in the GitHub Enterprise Server appliance due to their size. With internet access and without the binaries on your GHES appliance, each runner will download and install CodeQL if needed from GitHub.com, which can be wasteful of your upstream bandwidth and compute time (especially for ephemeral runners).

If you're using your own CI system, updating the code query pack looks like updating any other software on your build agents. You can find more information about this in our documentation.

Secret Scanning

About Secret Scanning

Secret Scanning works as-is, without internet connectivity. It needs an Advanced Security license, as well as a particular CPU flag to be made available to the VM, as outlined in the docs.