GHAS-on-GHES-feature-matrix.md

GitHub Advanced Security (GHAS) Feature Matrix

This document helps answer the question "is this GHAS feature available in my version of GitHub Enterprise Server?".

The following tables include notable feature releases for GitHub Advanced Security. Each row represents a feature. The columns in the row indicate the level of support for each supported Enterprise Server release. Are your repositories hosted on github.com? All of these features are already available for you 👍.

Contents

• Secret scanning
• Code scanning
• Supply-chain security
  • Dependabot alerts
  • Dependabot security updates
  • Dependency review and submission api
• Security Overview
• Administration
• Dependencies

How do I read this document?

Each section of this document represents a different capability of the GitHub security features. Each row in the tables represent a different feature of GHAS. The columns indicate if that feature is available in each version of GitHub Enterprise Server.

Cells with ☑️ indicate beta support. ✅ indicates full support.

Release notes

• Releases of GitHub Enterprise Server

Version	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Release date	2022-02-15	2022-05-10	2022-07-26	2022-10-25	2023-02-07	2023-06-08	2023-08-08
Deprecation date	2023-03-23	2023-06-29	2023-08-16	2023-11-08	2024-03-07	2024-06-29	2024-08-29
	Release notes	Release notes	Release notes	Release notes	Release notes	Release notes	Release notes

Secret scanning

Secret scanning identifies plain text credentials inside your code repository. Learn more about secret scanning

• Secret scanning documentation
• Secret scanning API documentation

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Partner pattern count	155	169	173	173	183	200	218
User defined (custom) patterns	✅	✅	✅	✅	✅	✅	✅
Enterprise level API for secret scanning	✅	✅	✅	✅	✅	✅	✅
Secret scanning push protection		✅	✅	✅	✅	✅	✅
Dry runs for secret scanning push protection (repo level)		✅	✅	✅	✅	✅	✅
Secret scanning support for archived repos		✅	✅	✅	✅	✅	✅
Custom pattern events in the audit log		✅	✅	✅	✅	✅	✅
Push protection events in the audit log			✅	✅	✅	✅	✅
Push protection in the web editor			✅	✅	✅	✅	✅
Enable secret scanning at the enterprise level				✅	✅	✅	✅
Dry runs for secret scanning custom patterns (org level)				✅	✅	✅	✅
Email notification for push protection bypass				✅	✅	✅	✅
Custom links in push protection notification				✅	✅	✅	✅
View secret scanning enablement status at the org-level via API				✅	✅	✅	✅
Enable secret scanning at the enterprise level using the REST API					✅	✅	✅
Add comment when dismissing a secret scanning alert in UI or API					✅	✅	✅
Custom pattern creation at the enterprise level						✅	✅
Custom pattern alert metrics							✅

Code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

• Code scanning documentation
• Code scanning API documentation

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
CodeQL "toolcache" Installed Version	2.7.6	2.11.6	2.11.7	2.11.7	2.11.7	2.11.7	2.13.5
Language support: Python, Javascript, Java, Go, C/C++, C#, Typescript	✅	✅	✅	✅	✅	✅	✅
Ruby Support	☑️	☑️	☑️	☑️	✅	✅	✅
Apple M1 support for CodeQL	☑️	☑️	☑️	☑️	✅	✅	✅
Org-wide code scanning alerts via the REST API		✅	✅	✅	✅	✅	✅
Add comments when dismissing alerts			✅	✅	✅	✅	✅
Code scanning alert comments in the pull request conversation tab				✅	✅	✅	✅
Users can publish CodeQL packs to the container registry				✅	✅	✅	✅
CodeQL query filters to exclude individual queries				✅	✅	✅	✅
Enterprise-wide code scanning alerts via the REST API				✅	✅	✅	✅
Filter API results by severity					✅	✅	✅
Kotlin language support					☑️	☑️	☑️
Default CodeQL setup						✅	✅
Default CodeQL setup via API						✅	✅
"Enable all" functionality at the org level (API and UI)						✅	✅
Tool status page						✅	✅
View org-level enablement status via the API						✅	✅
CodeQL default setup supports compiled languages							✅
Choose which language to enable or disable in CodeQL default setup							✅
Filter code scanning alerts by path and language							✅
CodeQL supports C# 11							✅
CodeQL supports Swift programming language							☑️

Supply-chain security

Dependabot Alerts

Dependabot alerts tell you that your code depends on a package that is insecure.

• Dependabot alerts documentation
• Dependabot alerts API

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Dependabot Alerts	✅	✅	✅	✅	✅	✅	✅
Go modules support	✅	✅	✅	✅	✅	✅	✅
Poetry support	✅	✅	✅	✅	✅	✅	✅
Cargo support			✅	✅	✅	✅	✅
Reopen dismissed alerts			✅	✅	✅	✅	✅
Dependabot alerts show vulnerable function calls			☑️	☑️	☑️	☑️	☑️
Dependabot Alert timeline				✅	✅	✅	✅
Bulk Editing of Alerts				✅	✅	✅	✅
Add comment when dismissing dependabot alert				✅	✅	✅	✅
Dev Dependencies label				✅	✅	✅	✅
View Dependabot enablement status via org-level API				✅	✅	✅	✅
Receive alerts for vulnerable GitHub Actions				✅	✅	✅	✅
Dependabot alert webhooks				✅	✅	✅	✅
Dependabot alerts REST API endpoint for repository org and enterprise					☑️	✅	✅
Export SBOM from dependency graph						✅	✅
Dependabot can parse and update Gradle version catalogs in settings.gradle						✅	✅

Dependabot Updates

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Dependabot Updates	☑️	✅	✅	✅	✅	✅	✅
Actions authors can automatically update dependencies within workflow files					✅	✅	✅
Dart and Flutter (using Pub) support for updates					✅	✅	✅
Automatically pause pull request activity after 90 days of inactivity						✅	✅
Dependabot updates supports pnpm							✅

Dependency Review and submission API

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request.

• Dependency review docs
• Dependency review API docs

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Dependency Review	✅	✅	✅	✅	✅	✅	✅
Enforcement Action			✅	✅	✅	✅	✅
Dependency Submission API				✅	✅	✅	✅

Security Overview

Security overview provides high-level summaries of the security status of an organization or enterprise and makes it easy to identify repositories that require intervention.

• Security Overview documentation

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Security Overview	✅	✅	✅	✅	✅	✅	✅
Organization view	☑️	✅	✅	✅	✅	✅	✅
Enterprise view		☑️	☑️	✅	✅	✅	✅
Organization-level Code Scanning Alert View		✅	✅	✅	✅	✅	✅
Organization-level Dependabot Alert View		✅	✅	✅	✅	✅	✅
Enterprse-level view of Dependabot alerts			✅	✅	✅	✅	✅
Enterprse-level view of code scanning alerts				✅	✅	✅	✅
Enterprse-level view of secret scanning alerts				✅	✅	✅	✅
Coverage and Risk Security Overview pages					☑️	☑️	✅
Filter alerts by repo topic						✅	✅
Filter alerts by team						✅	✅
Enable GHAS features in security overview						✅	✅
Enterprise-level security coverage and risk dashboards							✅

Administration

Feature	3.4	3.5	3.6	3.7	3.8	3.9	3.10
Security Managers Role	✅	✅	✅	✅	✅	✅	✅
Manage Security Managers role via the API				✅	✅	✅	✅

Dependencies

This section calls out the dependencies required to enable GitHub Advanced Security on GitHub Enterprise Server.

Feature	GHAS license required?	GitHub Actions required?	GitHub Connect required?	Documentation	Notes
Security Overview Description Know what needs attention throughout the entire SDLC	No *	No	No	Feature Docs	* Features not needing a GHAS license will still show up
Dependency Graph Description Parse manifest and lock files in your repository	No	No	No	Feature Docs	Enabling this feature will reload some services on the appliance.
Dependabot Alerts Description Know which of ☝️ have open CVEs	No	No	Yes	Feature Docs	GitHub Connect dependency and data transmission details
Dependabot Security Updates Description One-click "enable all" to send PRs updating ☝️	No	Yes	Yes	Feature Docs	Requires a runner with Docker and internet connectivity to open PRs (specs) As of GHES 3.8, will not require internet connectivity if private registry is configured
Dependabot Updates Description Allows Dependabot to process optional updates using ~/.github/dependabot.yml file	No	Yes	Yes	Feature Docs	Same requirements as ☝️ - this just allows the same "non-security" updates using the same flexible configuration file as GitHub.com
Dependency Review Description Inspect dependencies at pull request, blocking merges that add more security vulnerabilities	Yes	Yes	Yes	Feature Docs	Does not require the build to be moved into GitHub Actions, but needs a runner to inspect manifests
CodeQL Description Highly accurate static analysis tool, flexible and extensible query language	Yes	No *	No *	Feature Docs	* CodeQL can be installed in your existing build system (directions) and/or be used on GitHub Actions with self-hosted runners (directions) * GitHub Connect is not required, but it makes keeping the CodeQL queries up-to-date easier. * codeql-action-sync-tool is the offline updater without Connect. * Code Scanning default setup requires runners with the code-scanning label applied.
Upload SARIF files from other tools Description View security results from other tools using SARIF file uploads	Yes	No	No	Feature Docs	Many other tools support the SARIF interchange format. This feature provides a single pane of glass into the entire codebase.
Secret scanning Description Look at the present and all history for secrets, including partner patterns and custom regex	Yes	No	No	Feature Docs
Push protection for secrets Description Block commits containing partner patterns and custom regex from GitHub, preventing compromise	Yes	No	No	Feature Docs	Bare metal hypervisors may require an additional CPU flag, as outlined here