GitHub Advanced Security API
GitHub Advanced Security (GHAS) exposes a comprehensive REST and GraphQL API surface for three integrated security products: Code Scanning (CodeQL SAST plus third-party SARIF-based scanners), Secret Scanning (detection of 200+ secret types across commits and PRs), and the Dependency Review API / Dependabot Alerts (SCA for known CVEs in package manifests). The Code Scanning API allows querying alerts (with CodeQL rule details, CWE, severity, location, state), uploading SARIF results from any scanner, and managing alert dismissal state. The Secret Scanning API surfaces detected secrets (with secret type, validity status for live/active secrets, commit/PR source), manages alert triage, and exposes push protection bypass events. The Dependency Review API shows vulnerable dependencies introduced by a specific PR diff, and the Dependabot Alerts API exposes all known CVE alerts across a repository with CVSS scores, fix versions, and auto-fix status. All three APIs use the standard GitHub REST auth model (GitHub Apps, OAuth Apps, or PATs) and return well-documented JSON with consistent pagination using link headers. GHAS is included free for public repositories and requires a paid GHAS license for private repositories.
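The REST endpoints described above paginate through `Link` headers. The following Python is an added example, not code from this page or from GitHub: it parses the `Link` header, follows `rel="next"` until the last page, and summarises open code scanning alerts by `rule.security_severity_level`. The three pages of alerts are constructed sample data, `fake_fetch` stands in for an authenticated HTTP GET, and the `example-org/example-repo` URLs are placeholders.

```python
import re
from typing import Callable, Dict, Iterator, List, Tuple

# Matches one '<url>; rel="name"' entry of a Link header (RFC 8288 syntax, as GitHub emits it).
_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')

def parse_link_header(value: str) -> Dict[str, str]:
    """Map rel names ("next", "last", ...) to URLs from a Link header; empty dict if absent."""
    return {rel: url for url, rel in _LINK_RE.findall(value or "")}

# A page fetcher returns (response headers, decoded JSON list) for a URL.
Fetcher = Callable[[str], Tuple[Dict[str, str], List[dict]]]

def iter_alerts(fetch: Fetcher, first_url: str) -> Iterator[dict]:
    """Follow rel="next" links until the last page, yielding every alert object."""
    url = first_url
    while url:
        headers, items = fetch(url)
        yield from items
        url = parse_link_header(headers.get("Link", "")).get("next")

def open_alerts_by_severity(alerts) -> Dict[str, int]:
    """Count open alerts per CodeQL security severity (rule.security_severity_level)."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        level = (alert.get("rule") or {}).get("security_severity_level") or "unknown"
        counts[level] = counts.get(level, 0) + 1
    return counts

# --- constructed sample data standing in for three API pages (not real alerts) ---
BASE = "https://api.github.com/repos/example-org/example-repo/code-scanning/alerts"

def _alert(number: int, state: str, level: str, rule_id: str) -> dict:
    return {"number": number, "state": state,
            "rule": {"id": rule_id, "security_severity_level": level}}

FAKE_PAGES = {
    f"{BASE}?per_page=2": (
        {"Link": f'<{BASE}?per_page=2&page=2>; rel="next", <{BASE}?per_page=2&page=3>; rel="last"'},
        [_alert(1, "open", "high", "py/sql-injection"),
         _alert(2, "dismissed", "high", "py/sql-injection")]),
    f"{BASE}?per_page=2&page=2": (
        {"Link": f'<{BASE}?per_page=2&page=1>; rel="prev", <{BASE}?per_page=2&page=3>; rel="next", '
                 f'<{BASE}?per_page=2&page=3>; rel="last"'},
        [_alert(3, "open", "critical", "py/code-injection"),
         _alert(4, "fixed", "medium", "py/clear-text-logging")]),
    f"{BASE}?per_page=2&page=3": (
        {"Link": f'<{BASE}?per_page=2&page=2>; rel="prev", <{BASE}?per_page=2&page=1>; rel="first"'},
        [_alert(5, "open", "medium", "py/clear-text-logging")]),
}

def fake_fetch(url: str):
    """Stand-in for an authenticated GET; a real fetcher would send the token with requests/urllib."""
    return FAKE_PAGES[url]

def dashboard_summary() -> Dict[str, int]:
    """Open-alert counts by severity across all pages, as a posture dashboard would show them."""
    return open_alerts_by_severity(iter_alerts(fake_fetch, f"{BASE}?per_page=2"))

if __name__ == "__main__":
    print(dashboard_summary())
```

The last page carries no `rel="next"`, which is the only termination condition the loop relies on; counting pages or assuming a fixed `per_page` would break when GitHub adjusts either.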
Score Breakdown
🔒 Security
HTTPS enforced everywhere. Fine-grained PATs and GitHub Apps provide repository-specific, permission-scoped access — significantly better than classic PATs. GitHub Apps are the gold standard: short-lived installation tokens (1 hour), auditable, revocable per installation. Security data (code vulnerabilities, exposed secrets, CVEs) is highly sensitive — use minimum required permission scopes. Webhook payloads are HMAC-SHA256 signed. SOC2 Type II, ISO27001, FedRAMP Moderate certified. Secret scanning validity checking actively contacts secret issuers (Stripe, AWS, GitHub itself) to verify liveness — a powerful feature that requires careful handling as it confirms attacker-controlled secrets are live.
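Webhook signature verification and the validity-driven triage mentioned above, as an added example that is not code from this page or from GitHub. It assumes GitHub's `X-Hub-Signature-256` and `X-GitHub-Event` headers and that the webhook `alert` object carries the same `validity` field as the REST alert; the webhook secret, the payload and the triage labels (`rotate-now` and so on) are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

SIGNATURE_HEADER = "X-Hub-Signature-256"   # header GitHub sets on signed webhook deliveries
EVENT_HEADER = "X-GitHub-Event"

def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the 'sha256=<hex>' value GitHub computes over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Constant-time comparison; rejects missing, malformed or mismatching signatures."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(compute_signature(secret, body), header_value)

def triage(event: str, payload: dict) -> str:
    """Map a verified delivery to an action for an automation agent (labels are constructed)."""
    action = payload.get("action")
    alert = payload.get("alert") or {}
    if event == "secret_scanning_alert" and action == "created":
        validity = alert.get("validity", "unknown")
        if validity == "active":
            return "rotate-now"          # issuer confirmed the leaked secret still works
        if validity == "inactive":
            return "close-after-review"  # issuer says revoked; still confirm who owned it
        return "verify-manually"         # unknown != invalid: GitHub could not check it
    if event == "code_scanning_alert" and action in ("created", "reopened"):
        level = (alert.get("rule") or {}).get("security_severity_level")
        return "page-oncall" if level == "critical" else "queue-for-triage"
    return "ignore"

def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """HTTP status and triage decision; unsigned or forged deliveries never reach triage."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER, "")):
        return 401, "rejected"
    return 200, triage(headers.get(EVENT_HEADER, ""), json.loads(body))

# --- constructed sample: webhook secret and a secret_scanning_alert delivery (not real data) ---
WEBHOOK_SECRET = b"constructed-webhook-secret"

SAMPLE_BODY = json.dumps({
    "action": "created",
    "alert": {"number": 7, "secret_type": "example_provider_token", "validity": "active"},
    "repository": {"full_name": "example-org/example-repo"},
}).encode()

def signed_headers(event: str, body: bytes, secret: bytes = WEBHOOK_SECRET) -> Dict[str, str]:
    """Headers a sender holding `secret` would attach; pass a different secret to simulate a forgery."""
    return {EVENT_HEADER: event, SIGNATURE_HEADER: compute_signature(secret, body)}

if __name__ == "__main__":
    genuine = handle_delivery(WEBHOOK_SECRET, signed_headers("secret_scanning_alert", SAMPLE_BODY), SAMPLE_BODY)
    forged = handle_delivery(WEBHOOK_SECRET, signed_headers("secret_scanning_alert", SAMPLE_BODY, b"wrong"), SAMPLE_BODY)
    print(genuine, forged)
```

Verify over the raw bytes exactly as received, before any JSON parsing or re-serialisation, and compare with `hmac.compare_digest` rather than `==`; a receiver that skips either step lets a forged "active secret" delivery trigger rotation workflows.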
Best When
Your organization hosts code on GitHub (particularly GitHub Enterprise) and wants a tightly integrated security pipeline with no additional SaaS vendors — GHAS provides free SAST (CodeQL), secret scanning, and Dependabot alerts natively within GitHub Actions and the GitHub UI.
Avoid When
Your code is hosted on GitLab, Bitbucket, or Azure DevOps, or you need runtime security beyond static analysis and dependency scanning.
Use Cases
- Fetching all open Code Scanning alerts across an organization's private repos to build a security posture dashboard
- Polling for new secret scanning detections and triggering automatic credential rotation when a live secret is found
- Checking the Dependency Review API on every PR to block merges that introduce new critical CVEs
- Uploading SARIF results from Semgrep, Trivy, or Checkov via the Code Scanning upload API to centralize all findings in GitHub
- Querying Dependabot alerts by CVSS score to prioritize patching order across hundreds of repositories
- Building a secret scanning bypass dashboard to track when developers override push protection and validate the justification
- Automating code scanning alert dismissal for known false-positive patterns using the alert state update API
Not For
- Non-GitHub repositories (GitLab, Bitbucket, Azure DevOps) — GHAS is GitHub-only
- Runtime application security monitoring or DAST
- Organizations wanting a vendor-neutral security data platform — all data is GitHub-resident
- Binary analysis, container runtime security, or SIEM event correlation
Interface
Authentication
Three auth patterns: Personal Access Tokens (PATs) — classic PATs require 'security_events' scope; fine-grained PATs (preferred) allow per-repo/per-org access with explicit 'Code scanning alerts: read/write', 'Secret scanning alerts: read/write', and 'Dependabot alerts: read' permissions. OAuth Apps use 'security_events' scope. GitHub Apps (preferred for automation) use installation tokens with repository-specific permissions — more secure than PATs because tokens are short-lived (1 hour), installation-scoped, and auditable. For agents, use a GitHub App with the minimum required permissions: 'Code scanning alerts: read', 'Secret scanning alerts: read', 'Dependabot alerts: read'. SARIF upload requires 'security_events: write'. Organization-level APIs for bulk queries require 'Organization code scanning alerts: read' or owner-level access.
Pricing
For public repositories, the full GHAS API is free — this is a significant advantage for open-source security automation. Private repository GHAS requires GitHub Enterprise licensing. Dependabot alerts are free for all repositories (public and private) even without GHAS license — only Code Scanning and Secret Scanning require GHAS for private repos.
Agent Metadata
Known Gotchas
- ⚠ Code Scanning API requires GHAS to be enabled for the repository — making API calls against a repository without GHAS returns 404 (not 403), which can be misinterpreted as the repository not existing; agents must handle 404 on /repos/{owner}/{repo}/code-scanning/alerts by checking GHAS enablement separately
- ⚠ SARIF upload is asynchronous — POST /repos/{owner}/{repo}/code-scanning/sarifs returns a sarif_id immediately, but alerts are not available until processing completes; poll GET /repos/{owner}/{repo}/code-scanning/sarifs/{sarif_id} for 'complete' status before querying alerts, typically 10-120 seconds depending on SARIF size
- ⚠ GitHub Apps installation tokens expire after 1 hour — agents using GitHub Apps for auth must track token expiry and request a new installation token before the current one expires; API responses carry no expiry header for the token, so agents must record the issue time and treat the token as expired at issue_time + 3600 seconds
- ⚠ Secondary rate limits (abuse detection) are separate from the primary rate limit and not reflected in X-RateLimit headers — they trigger when an agent makes too many requests in a short burst or makes many mutation requests; secondary rate limit errors return 403 with 'You have exceeded a secondary rate limit' and require backing off for the duration specified in the Retry-After header
- ⚠ Secret scanning alerts include a 'validity' field (active, inactive, unknown) for supported secret types where GitHub has verified the secret against the issuing provider — agents should prioritize 'active' secrets for immediate rotation; however, 'unknown' validity does NOT mean the secret is invalid, only that GitHub cannot verify it
- ⚠ The Dependency Review API (GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}) requires the dependency graph to be enabled for the repository — this is a repository-level setting, not an org-level setting; agents performing org-wide PR security checks must handle per-repo dependency graph enablement status
- ⚠ Organization-level code scanning alerts API (GET /orgs/{org}/code-scanning/alerts) requires the authenticating identity to have 'security manager' role or owner access to the organization — standard member PATs/Apps cannot query org-wide alerts even with 'security_events' scope; agents must request elevated organization permissions
- ⚠ Alert dismissal via API accepts 'won't fix', 'false positive', and 'used in tests' as dismissal reasons — these are fixed enum strings matched case-sensitively, not free text; agents generating dismissal reasons from LLM output must validate the exact string against the enum before submission to avoid 422 validation errors
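One client wrapper that handles the gotchas above in a single place (404 versus GHAS enablement, asynchronous SARIF processing, installation token expiry, secondary rate limits, and dismissal-reason validation), as an added Python example that is not code from this page or from GitHub. It assumes that `GET /repos/{owner}/{repo}` succeeds when the repository exists, that the SARIF status response carries a `processing_status` field, and a five-minute refresh margin for tokens; `FakeGitHub`, `FakeClock`, the token strings and the SARIF id are constructed stand-ins so the demo runs offline.

```python
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Transport: (method, path, headers, json body) -> (status, response headers, decoded body).
Response = Tuple[int, Dict[str, str], Any]
Transport = Callable[[str, str, Dict[str, str], Any], Response]

TOKEN_TTL = 3600        # installation token lifetime in seconds (issue_time + 3600)
REFRESH_MARGIN = 300    # assumed safety margin: re-mint five minutes before expiry
DISMISSAL_REASONS = ("won't fix", "false positive", "used in tests")  # exact, case-sensitive

class GhasNotEnabled(Exception):
    """404 on a code-scanning route although GET /repos/{owner}/{repo} succeeds."""

class GhasClient:
    def __init__(self, transport: Transport, mint_token: Callable[[], str],
                 clock: Callable[[], float] = time.time, sleep: Callable[[float], None] = time.sleep):
        self._transport, self._mint_token = transport, mint_token
        self._clock, self._sleep = clock, sleep     # injectable so the demo runs offline
        self._token: Optional[str] = None
        self._issued_at = 0.0

    def token(self) -> str:
        """Track the issue time ourselves; responses carry no expiry header for the token."""
        if self._token is None or self._clock() >= self._issued_at + TOKEN_TTL - REFRESH_MARGIN:
            self._token, self._issued_at = self._mint_token(), self._clock()
        return self._token

    def request(self, method: str, path: str, body: Any = None, max_retries: int = 3) -> Response:
        for _ in range(max_retries + 1):
            headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/vnd.github+json"}
            status, resp_headers, data = self._transport(method, path, headers, body)
            message = data.get("message", "") if isinstance(data, dict) else ""
            if status == 403 and "secondary rate limit" in message:
                # Secondary limits do not appear in X-RateLimit-*; honour Retry-After (60 s if missing).
                self._sleep(float(resp_headers.get("Retry-After", "60")))
                continue
            if status == 404 and "/code-scanning/" in path:
                repo_path = "/".join(path.split("/")[:4])    # "/repos/{owner}/{repo}"
                if self._transport("GET", repo_path, headers, None)[0] == 200:
                    raise GhasNotEnabled(path)                # repo exists, so GHAS is off
            return status, resp_headers, data
        raise RuntimeError(f"{method} {path}: still rate limited after {max_retries} retries")

    def upload_sarif_and_wait(self, owner: str, repo: str, sarif_payload: dict,
                              timeout: float = 180, interval: float = 10) -> str:
        """POST answers 202 plus an id at once; alerts exist only once processing_status is 'complete'."""
        base = f"/repos/{owner}/{repo}/code-scanning/sarifs"
        status, _, data = self.request("POST", base, sarif_payload)
        if status != 202:
            raise RuntimeError(f"SARIF upload failed: {status} {data}")
        sarif_id, deadline = data["id"], self._clock() + timeout
        while True:
            _, _, info = self.request("GET", f"{base}/{sarif_id}")
            state = info.get("processing_status")
            if state == "complete":
                return sarif_id
            if state == "failed" or self._clock() >= deadline:
                raise RuntimeError(f"SARIF {sarif_id} not processed: {info}")
            self._sleep(interval)

def validate_dismissal_reason(reason: str) -> str:
    """Gate LLM- or user-supplied reasons on the exact enum before PATCHing an alert (avoids 422)."""
    if reason not in DISMISSAL_REASONS:
        raise ValueError(f"dismissed_reason {reason!r} is not one of {DISMISSAL_REASONS}")
    return reason

# --- constructed offline stand-ins for GitHub and the clock (not real responses) ---
class FakeClock:
    def __init__(self): self.now = 1_000_000.0
    def time(self): return self.now
    def sleep(self, secs): self.now += secs          # sleeping just advances the fake clock

class FakeGitHub:
    """One secondary-rate-limit hit on the upload, then a SARIF that completes on the third poll."""
    def __init__(self):
        self.polls, self.limited_once = 0, False
    def __call__(self, method, path, headers, body):
        if method == "POST" and path.endswith("/code-scanning/sarifs"):
            if not self.limited_once:
                self.limited_once = True
                return 403, {"Retry-After": "30"}, {"message": "You have exceeded a secondary rate limit."}
            return 202, {}, {"id": "constructed-sarif-id"}
        if "/code-scanning/sarifs/" in path:
            self.polls += 1
            return 200, {}, {"processing_status": "complete" if self.polls >= 3 else "pending"}
        if path.count("/") == 3:                         # GET /repos/{owner}/{repo}
            return 200, {}, {"full_name": path[len("/repos/"):]}
        return 404, {}, {"message": "Not Found"}          # other code-scanning routes: GHAS off

def demo() -> Dict[str, Any]:
    clock, gh, minted = FakeClock(), FakeGitHub(), []
    def mint() -> str:
        minted.append(f"ghs_constructed_{len(minted) + 1}")
        return minted[-1]
    client = GhasClient(gh, mint, clock=clock.time, sleep=clock.sleep)
    # Long poll interval so the fake clock crosses the refresh point and a second token is minted.
    sarif_id = client.upload_sarif_and_wait("example-org", "example-repo",
                                            {"sarif": "<gzip+base64 SARIF here>"}, timeout=4000, interval=1700)
    try:
        client.request("GET", "/repos/example-org/example-repo/code-scanning/alerts")
        ghas_enabled = True
    except GhasNotEnabled:
        ghas_enabled = False
    return {"sarif_id": sarif_id, "tokens_minted": len(minted), "polls": gh.polls,
            "ghas_enabled": ghas_enabled, "reason": validate_dismissal_reason("false positive")}

if __name__ == "__main__":
    print(demo())
```

Every retry re-evaluates `token()`, so a long Retry-After or a slow SARIF poll never sends a request with a token that is about to expire; the 404 branch only reports GHAS as disabled when the bare repository GET succeeds, which keeps a genuinely missing or inaccessible repository from being misreported.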
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for GitHub Advanced Security API.
Scores are editorial opinions as of 2026-03-06.