This document helps answer the question "is this GHAS feature available in my version of GitHub Enterprise Server?".
The following tables include notable feature releases for GitHub Advanced Security. Each row represents a feature. The columns in the row indicate the level of support for each supported Enterprise Server release. Are your repositories hosted on github.com? All of these features are already available for you 👍.
GitHub Advanced Security (GHAS) Feature Matrix

Contents
- How do I read this document?
- Dependencies
Each section of this document covers a different capability of the GitHub security features. Each row in the tables represents a different GHAS feature, and the columns indicate whether that feature is available in each version of GitHub Enterprise Server.
Cells with ☑️ indicate beta support; ✅ indicates full support.
Version | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Release date | 2022-02-15 | 2022-05-10 | 2022-07-26 | 2022-10-25 | 2023-02-07 | 2023-06-08 | 2023-08-08 | 2023-11-14 | 2024-02-13 | 2024-06-18 | 2024-08-06 |
Deprecation date | 2023-03-23 | 2023-06-29 | 2023-08-16 | 2023-11-08 | 2024-03-07 | 2024-06-29 | 2024-08-29 | 2024-12-05 | 2025-03-05 | 2025-07-18 | 2025-08-27 |
Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes | Release notes |
Secret scanning identifies plain-text credentials inside your code repository.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.
Dependabot alerts tell you that your code depends on a package that is insecure.
Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Dependabot Alerts | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Go modules support | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Poetry support | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Cargo support | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Reopen dismissed alerts | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependabot alerts show vulnerable function calls | | | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ |
Dependabot alert timeline | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Bulk editing of alerts | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Add comment when dismissing Dependabot alert | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dev dependencies label | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
View Dependabot enablement status via org-level API | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Receive alerts for vulnerable GitHub Actions | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependabot alert webhooks | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependabot alerts REST API endpoint for repository, org and enterprise | | | | | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Export SBOM from dependency graph | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependabot can parse and update Gradle version catalogs in settings.gradle | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependabot has full support for pnpm | | | | | | | | ✅ | ✅ | ✅ | ✅ |
Dependabot auto-triage rules | | | | | | | | | ✅ | ✅ | ✅ |
Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Dependabot Updates | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Actions authors can automatically update dependencies within workflow files | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dart and Flutter (using Pub) support for updates | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Automatically pause pull request activity after 90 days of inactivity | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Grouped version updates | | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ |
Open pull requests for Swift and Gradle dependencies | | | | | | | | ✅ | ✅ | ✅ | ✅ |
REST API displays enablement status for Dependabot updates | | | | | | | | ✅ | ✅ | ✅ | ✅ |
Dependabot supports devcontainer.json files | | | | | | | | | ✅ | ✅ | ✅ |
Viewing Dependabot job logs | | | | | | | | | ✅ | ✅ | ✅ |
Dependabot access to Cargo private registries | | | | | | | | | | | ✅ |
Dependabot pauses scheduled jobs after 15 failures | | | | | | | | | | | ✅ |
Dependabot grouped security updates | | | | | | | | | | | ✅ |
Private registry support for target-branch configuration | | | | | | | | | | | ✅ |
Dependency review helps you understand dependency changes and the security impact of these changes at every pull request.
Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Dependency Review | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enforcement Action | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependency Submission API | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Dependency Review supports transitive dependencies | | | | | | | | ✅ | ✅ | ✅ | ✅ |
Dependency Review supports dependencies from Dependency Submission API | | | | | | | | ✅ | ✅ | ✅ | ✅ |
SBOM generated for a package now includes the package URL for more packages | | | | | | | | | | | ✅ |
Security overview provides high-level summaries of the security status of an organization or enterprise and makes it easy to identify repositories that require intervention.
Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Security Overview | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Organization view | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enterprise view | | ☑️ | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Organization-level code scanning alert view | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Organization-level Dependabot alert view | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enterprise-level view of Dependabot alerts | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enterprise-level view of code scanning alerts | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enterprise-level view of secret scanning alerts | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Coverage and Risk Security Overview pages | | | | | ☑️ | ☑️ | ✅ | ✅ | ✅ | ✅ | ✅ |
Filter alerts by repo topic | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Filter alerts by team | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enable GHAS features in security overview | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Enterprise-level security coverage and risk dashboards | | | | | | | ✅ | ✅ | ✅ | ✅ | ✅ |
Enablement trends dashboard | | | | | | | | | | ✅ | ✅ |
Enterprise-level secret scanning metrics and enablement trend dashboards | | | | | | | | | | | ✅ |
Security overview dashboard group by tool | | | | | | | | | | | ✅ |
Security overview dashboard filter by security tool | | | | | | | | | | | ☑️ |
Feature | 3.4 | 3.5 | 3.6 | 3.7 | 3.8 | 3.9 | 3.10 | 3.11 | 3.12 | 3.13 | 3.14 |
---|---|---|---|---|---|---|---|---|---|---|---|
Security Managers Role | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Manage Security Managers role via the API | | | | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Licensing for committers only after the migration date | | | | | | | | | ✅ | ✅ | ✅ |
Create and assign custom organization roles | | | | | | | | | | | ✅ |
This section calls out the dependencies required to enable GitHub Advanced Security on GitHub Enterprise Server.
Feature | GHAS license required? | GitHub Actions required? | GitHub Connect required? | Documentation | Notes |
---|---|---|---|---|---|
Security Overview: know what needs attention throughout the entire SDLC | No * | No | No | Feature Docs | * Features not needing a GHAS license will still show up |
Dependency Graph: parse manifest and lock files in your repository | No | No | No | Feature Docs | Enabling this feature will reload some services on the appliance. |
Dependabot Alerts: know which of ☝️ have open CVEs | No | No | Yes | Feature Docs | GitHub Connect dependency and data transmission details |
Dependabot Security Updates: one-click "enable all" to send PRs updating ☝️ | No | Yes | Yes | Feature Docs | Requires a runner with Docker and internet connectivity to open PRs (specs). As of GHES 3.8, internet connectivity is not required if a private registry is configured. |
Dependabot Updates: allows Dependabot to process optional updates using the repository's `.github/dependabot.yml` file | No | Yes | Yes | Feature Docs | Same requirements as ☝️; this just allows the same "non-security" updates using the same flexible configuration file as github.com |
Dependency Review: inspect dependencies at pull request, blocking merges that add more security vulnerabilities | Yes | Yes | Yes | Feature Docs | Does not require the build to be moved into GitHub Actions, but needs a runner to inspect manifests |
CodeQL: highly accurate static analysis tool with a flexible and extensible query language | Yes | No * | No * | Feature Docs | * CodeQL can be installed in your existing build system (directions) and/or be used on GitHub Actions with self-hosted runners (directions). * GitHub Connect is not required, but it makes keeping the CodeQL queries up to date easier; codeql-action-sync-tool is the offline updater without Connect. * Code scanning default setup requires runners with the code-scanning label applied. |
Upload SARIF files from other tools: view security results from other tools using SARIF file uploads | Yes | No | No | Feature Docs | Many other tools support the SARIF interchange format. This feature provides a single pane of glass into the entire codebase. |
Secret scanning: look at the present and all history for secrets, including partner patterns and custom regex | Yes | No | No | Feature Docs | |
Push protection for secrets: block commits containing partner patterns and custom regex from GitHub, preventing compromise | Yes | No | No | Feature Docs | Bare metal hypervisors may require an additional CPU flag, as outlined in the GitHub documentation |
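As an added example (not part of the original matrix and not code from GitHub or any project), the following `.github/dependabot.yml` shows how several line items from the Dependabot Updates table are configured together: grouped version updates, grouped security updates, a private registry so the runner needs no outbound internet access (the GHES 3.8 note above), and a private registry combined with `target-branch` (the 3.14 line item). The registry name, its URL, the secret name and the branch name are constructed placeholders.

```yaml
# Added example, not from the original page. Registry name, URL, secret and
# branch names are placeholders; replace them with your own values.
version: 2

registries:
  # Hypothetical private npm registry. The token is read from a Dependabot
  # secret, which is stored separately from Actions secrets.
  internal-npm:
    type: npm-registry
    url: https://npm.internal.example.com
    token: ${{ secrets.INTERNAL_NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Resolve packages through the private registry instead of the public one,
    # so the self-hosted runner does not need internet connectivity.
    registries:
      - internal-npm
    # Open version-update PRs against a non-default branch. Security updates
    # are only raised against the default branch, so this entry carries
    # version-update groups only.
    target-branch: "develop"
    groups:
      # One PR per group instead of one PR per dependency.
      production-dependencies:
        applies-to: version-updates
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
      development-dependencies:
        applies-to: version-updates
        dependency-type: "development"

  # Keep action versions in workflow files current, and bundle security
  # fixes for actions into a single PR (grouped security updates).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-security-fixes:
        applies-to: security-updates
        patterns:
          - "*"
```

Splitting the version-update groups and the security-update group across entries keeps the `target-branch` restriction explicit: the npm entry only ever produces version-update PRs on `develop`, while security PRs for the default branch come from entries without a `target-branch`.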