Ensuring Development Quality: How to Verify GitHub Advanced Security (GHAS) Status
As GitHub Enterprise environments grow, keeping security features such as GitHub Advanced Security (GHAS) in place is central to maintaining high development quality. However, administrators often struggle to verify whether these features are actually enabled and active across their organizations and repositories. A recent discussion on the GitHub Community forum highlighted this confusion and offered clear guidance for admins navigating their enterprise settings.
The Challenge: Verifying GHAS Activation
The original post by Rod-at-DOH, a GitHub Administrator managing a GitHub.com Enterprise license with two organizations, perfectly encapsulated a common dilemma. Despite reviewing the Billing and Licensing page and seeing products like Actions, Codespaces, and Packages, GHAS was conspicuously absent from the list. The presence of an unfamiliar product, "Spark," further added to the uncertainty, leading to the fundamental question: "How can I tell if we have GHAS enabled?"
This query underscores a crucial aspect of managing modern development platforms: visibility into security tooling directly impacts an organization's ability to track and improve its software KPIs related to security posture and code health.
The Solution: A Multi-Level Verification Approach
Community experts Pratikrath126 and MasteraSnackin quickly provided comprehensive answers, detailing a multi-layered approach to verifying GHAS status. This method gives a thorough view of security configuration from the top-level enterprise down to individual repositories.
1. Enterprise Level Verification
The first step is to confirm GHAS is part of your overall enterprise license. This is the foundational check:
- Billing & Licensing Page: Navigate to your enterprise's Billing & Licensing page. Look for a dedicated section or entry explicitly named "GitHub Advanced Security" (or sometimes "Code Security" / "Secret Protection"). This section should display allocated seats and usage.
- Contact GitHub Account Team: If GHAS is not listed on your billing page, it's essential to contact your GitHub account team. They can confirm whether GHAS is included in your enterprise license agreement and assist with activation if necessary.
2. Organization Level Verification
Even if GHAS is licensed at the enterprise level, policies can restrict its availability to specific organizations:
- Enterprise Settings → Policies → Code Security: As an Enterprise admin, check here to confirm that Advanced Security is allowed for the specific organizations you intend to protect. An enterprise-level policy can override the license and prevent GHAS features from being enabled at the organization level.
- Organization Settings → Security & Analysis: Within each relevant GitHub Organization, go to its settings. If GHAS is enabled and permitted, you will see toggles for features like Code scanning, Secret scanning, and Dependabot alerts. These toggles indicate that the organization has the capability to utilize GHAS features.
3. Repository Level Verification
Finally, confirm that GHAS features are active for individual repositories:
- Repository Settings → Security & Analysis / Advanced Security: For each repository you wish to secure, navigate to its settings. Look for the "Security & analysis" or "Advanced Security" section. Here, you should see the status of Advanced Security features (e.g., code scanning, secret scanning). If you encounter an error message indicating that Advanced Security must be enabled, it signifies that GHAS is not yet active for that specific repository, even if licensed at higher levels.
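When there are too many repositories to check by hand, the same per-repository status is exposed in the `security_and_analysis` block of the repository objects returned by the GitHub REST API. The following is an added example, not part of the forum discussion: the repository names and values are constructed, and `ghas_status` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample: trimmed repository objects in the shape the GitHub REST API
# returns (for example GET /repos/{owner}/{repo}). Names and values are made up.
SAMPLE_REPOS = json.loads("""
[
  {"full_name": "example-org/api-gateway",
   "security_and_analysis": {
     "advanced_security": {"status": "enabled"},
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "enabled"}}},
  {"full_name": "example-org/payments",
   "security_and_analysis": {
     "advanced_security": {"status": "enabled"},
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "example-org/docs"}
]
""")

FEATURES = ("advanced_security", "secret_scanning", "secret_scanning_push_protection")


def ghas_status(repo):
    """Map each feature to 'enabled', 'disabled' or 'not reported' for one repo object."""
    block = repo.get("security_and_analysis")
    if block is None:
        # The API omits this block when the caller lacks admin-level access,
        # so absence means "unknown", not "disabled".
        return {f: "not reported" for f in FEATURES}
    return {f: (block.get(f) or {}).get("status", "not reported") for f in FEATURES}


def audit(repos):
    """Sort repositories into fully enabled, gaps (with the features that are off), unknown."""
    report = {"enabled": [], "gaps": [], "unknown": []}
    for repo in repos:
        status = ghas_status(repo)
        not_enabled = [f for f, s in status.items() if s != "enabled"]
        if all(s == "not reported" for s in status.values()):
            report["unknown"].append(repo["full_name"])
        elif not_enabled:
            report["gaps"].append((repo["full_name"], not_enabled))
        else:
            report["enabled"].append(repo["full_name"])
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REPOS), indent=2))
```

Repositories that land in the "unknown" bucket should be rechecked with a token that has admin rights on the repository, or belongs to an organization owner or security manager, before they are treated as unprotected.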
Clarifying "Spark"
A helpful clarification from MasteraSnackin addressed the "Spark" entry on the Metered usage page. "Spark" is identified as a separate AI-apps product and is entirely unrelated to GitHub Advanced Security. This distinction is crucial for administrators to avoid confusion when reviewing their billing details.
Conclusion
Successfully verifying and enabling GitHub Advanced Security across your enterprise, organizations, and repositories is a critical step in bolstering your overall development quality and security posture. By following these structured verification steps, GitHub administrators can gain a clear overview of their security landscape, ensuring that valuable security features are actively contributing to better code and more resilient software. This proactive approach helps in consistently meeting and improving key software KPIs related to security and code health.