GHAS-on-GHES-feature-matrix.md

File metadata and controls

220 lines (195 loc) · 34.5 KB

GitHub Advanced Security (GHAS) Feature Matrix

This document helps answer the question "is this GHAS feature available in my version of GitHub Enterprise Server?".

The following tables include notable feature releases for GitHub Advanced Security. Each row represents a feature. The columns in the row indicate the level of support for each supported Enterprise Server release. Are your repositories hosted on github.com? All of these features are already available for you 👍.

How do I read this document?

Each section of this document represents a different capability of the GitHub security features. Each row in the tables represents a different feature of GHAS. The columns indicate whether that feature is available in each version of GitHub Enterprise Server.

Cells with ☑️ indicate beta support. ✅ indicates full support.

Release notes

| Version | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Release date | 2022-02-15 | 2022-05-10 | 2022-07-26 | 2022-10-25 | 2023-02-07 | 2023-06-08 | 2023-08-08 | 2023-11-14 | 2024-02-13 | 2024-06-18 | 2024-08-06 |
| Deprecation date | 2023-03-23 | 2023-06-29 | 2023-08-16 | 2023-11-08 | 2024-03-07 | 2024-06-29 | 2024-08-29 | 2024-12-05 | 2025-03-05 | 2025-07-18 | 2025-08-27 |
| Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes |

Secret scanning

Secret scanning identifies plain-text credentials inside your code repository. Learn more about secret scanning.

| Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Partner pattern count | 155 | 169 | 173 | 173 | 183 | 200 | 218 | 233 | 249 | 274 | 274 |

Features tracked for secret scanning:

- User defined (custom) patterns
- Enterprise level API for secret scanning
- Secret scanning push protection
- Dry runs for secret scanning push protection (repo level)
- Secret scanning support for archived repos
- Custom pattern events in the audit log
- Push protection events in the audit log
- Push protection in the web editor
- Enable secret scanning at the enterprise level
- Dry runs for secret scanning custom patterns (org level)
- Email notification for push protection bypass
- Custom links in push protection notification
- View secret scanning enablement status at the org-level via API
- Enable secret scanning at the enterprise level using the REST API
- Add comment when dismissing a secret scanning alert in UI or API
- Custom pattern creation at the enterprise level
- Custom pattern alert metrics
- Validity checks for GitHub Tokens
- Secret scanning scans issues
- Push protection metrics in security overview
- Non-provider patterns ☑️ ☑️ ☑️
- User-space secret scanning
- Push Protection Bypass ☑️
- Detect secrets leaked in discussions and in pull request titles, bodies, and comments ☑️
- Push protection on file upload ☑️
- Audit log events for non-provider patterns

Code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

| Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CodeQL "toolcache" installed version | 2.7.6 | 2.11.6 | 2.12.7 | 2.12.7 | 2.12.7 | 2.12.7 | 2.13.5 | 2.14.6 | 2.15.5 | 2.16.5 | 2.17.6 |

Features tracked for code scanning:

- Language support: Python, JavaScript, Java, Go, C/C++, C#, TypeScript
- Ruby support ☑️ ☑️ ☑️ ☑️
- Apple M1 support for CodeQL ☑️ ☑️ ☑️ ☑️
- Org-wide code scanning alerts via the REST API
- Add comments when dismissing alerts
- Code scanning alert comments in the pull request conversation tab
- Users can publish CodeQL packs to the container registry
- CodeQL query filters to exclude individual queries
- Enterprise-wide code scanning alerts via the REST API
- Filter API results by severity
- Kotlin language support ☑️ ☑️ ☑️ ☑️ ☑️ ☑️ ☑️
- Default CodeQL setup
- Default CodeQL setup via API
- "Enable all" functionality at the org level (API and UI)
- Tool status page
- View org-level enablement status via the API
- CodeQL default setup supports compiled languages
- Choose which language to enable or disable in CodeQL default setup
- Filter code scanning alerts by path and language
- CodeQL supports C# 11
- CodeQL supports the Swift programming language ☑️ ☑️ ☑️ ☑️ ☑️
- Default setup automatically adds new repo languages
- Choose query suite with default setup
- Weekly scan with default setup
- CodeQL supports custom model packs
- CodeQL supports Java code using Project Lombok
- Default setup automatically includes all CodeQL supported languages
- CodeQL threat models for detecting relevant alerts ☑️ ☑️
- Code scanning merge protection rulesets ☑️
- CodeQL threat models for default setup ☑️
- CodeQL model packs for organization/repo ☑️
- CodeQL can scan Java projects without a build ☑️

Supply-chain security

Dependabot Alerts

Dependabot alerts tell you that your code depends on a package that is insecure.

Features tracked for Dependabot alerts:

- Dependabot Alerts
- Go modules support
- Poetry support
- Cargo support
- Reopen dismissed alerts
- Dependabot alerts show vulnerable function calls ☑️ ☑️ ☑️ ☑️ ☑️ ☑️ ☑️ ☑️ ☑️
- Dependabot alert timeline
- Bulk editing of alerts
- Add comment when dismissing a Dependabot alert
- Dev dependencies label
- View Dependabot enablement status via org-level API
- Receive alerts for vulnerable GitHub Actions
- Dependabot alert webhooks
- Dependabot alerts REST API endpoint for repository, org and enterprise ☑️
- Export SBOM from dependency graph
- Dependabot can parse and update Gradle version catalogs in settings.gradle
- Dependabot has full support for pnpm
- Dependabot auto-triage rules

Dependabot Updates

Features tracked for Dependabot updates:

- Dependabot Updates ☑️
- Actions authors can automatically update dependencies within workflow files
- Dart and Flutter (using Pub) support for updates
- Automatically pause pull request activity after 90 days of inactivity
- Grouped version updates
- Open pull requests for Swift and Gradle dependencies
- REST API displays enablement status for Dependabot updates
- Dependabot supports devcontainer.json files
- Viewing Dependabot job logs
- Dependabot access to Cargo private registries
- Dependabot pauses scheduled jobs after 15 failures
- Dependabot grouped security updates
- Private registry support for target-branch configuration

Dependency Graph, Dependency Review and snapshot submission API

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request.

Features tracked for dependency graph and dependency review:

- Dependency Review
- Enforcement action
- Dependency Submission API
- Dependency Review supports transitive dependencies
- Dependency Review supports dependencies from the Dependency Submission API
- SBOM generated for a package now includes the package URL for more packages

Security Overview

Security overview provides high-level summaries of the security status of an organization or enterprise and makes it easy to identify repositories that require intervention.

Features tracked for security overview:

- Security Overview
- Organization view ☑️
- Enterprise view ☑️ ☑️
- Organization-level code scanning alert view
- Organization-level Dependabot alert view
- Enterprise-level view of Dependabot alerts
- Enterprise-level view of code scanning alerts
- Enterprise-level view of secret scanning alerts
- Coverage and Risk security overview pages ☑️ ☑️
- Filter alerts by repo topic
- Filter alerts by team
- Enable GHAS features in security overview
- Enterprise-level security coverage and risk dashboards
- Enablement trends dashboard is available
- Enterprise-level secret scanning metrics and enablement trend dashboards
- Security overview dashboard group by tool
- Security overview dashboard filter by security tool ☑️

Administration

Features tracked for administration:

- Security Managers role
- Manage Security Managers role via the API
- Licensing for committers only after the migration date
- Create and assign custom organization roles

Dependencies

This section calls out the dependencies required to enable GitHub Advanced Security on GitHub Enterprise Server.

| Feature | Description | GHAS license required? | GitHub Actions required? | GitHub Connect required? | Documentation | Notes |
|---|---|---|---|---|---|---|
| Security Overview | Know what needs attention throughout the entire SDLC | No * | No | No | Feature Docs | * Features not needing a GHAS license will still show up |
| Dependency Graph | Parse manifest and lock files in your repository | No | No | No | Feature Docs | Enabling this feature will reload some services on the appliance. |
| Dependabot Alerts | Know which of ☝️ have open CVEs | No | No | Yes | Feature Docs | GitHub Connect dependency and data transmission details |
| Dependabot Security Updates | One-click "enable all" to send PRs updating ☝️ | No | Yes | Yes | Feature Docs | Requires a runner with Docker and internet connectivity to open PRs (specs)<br>As of GHES 3.8, will not require internet connectivity if a private registry is configured |
| Dependabot Updates | Allows Dependabot to process optional updates using the ~/.github/dependabot.yml file | No | Yes | Yes | Feature Docs | Same requirements as ☝️ - this just allows the same "non-security" updates using the same flexible configuration file as github.com |
| Dependency Review | Inspect dependencies at pull request, blocking merges that add more security vulnerabilities | Yes | Yes | Yes | Feature Docs | Does not require the build to be moved into GitHub Actions, but needs a runner to inspect manifests |
| CodeQL | Highly accurate static analysis tool, flexible and extensible query language | Yes | No * | No * | Feature Docs | * CodeQL can be installed in your existing build system (directions) and/or be used on GitHub Actions with self-hosted runners (directions)<br>* GitHub Connect is not required, but it makes keeping the CodeQL queries up-to-date easier.<br>* codeql-action-sync-tool is the offline updater without Connect.<br>* Code scanning default setup requires runners with the code-scanning label applied. |
| Upload SARIF files from other tools | View security results from other tools using SARIF file uploads | Yes | No | No | Feature Docs | Many other tools support the SARIF interchange format. This feature provides a single pane of glass into the entire codebase. |
| Secret scanning | Look at the present and all history for secrets, including partner patterns and custom regex | Yes | No | No | Feature Docs | |
| Push protection for secrets | Block commits containing partner patterns and custom regex from GitHub, preventing compromise | Yes | No | No | Feature Docs | Bare metal hypervisors may require an additional CPU flag, as outlined here |