GitHub Advanced Security Reviews

I'm working with software development nowadays. As a process, we are using the dependent bot alerts and the code scanning for Java, and some of the code scanning is happening. Security secrets in case they use it in the code is getting an alert. We are using GitHub for version control, container services, and CI/CD pipelines. All our codes are here and we are using GitHub Actions. We are also seeing that GitHub Advanced Security.

We have an option to set alerts, but we haven't configured that because we are using admin logins for all our privileged activities. There are no mailboxes, so we actually don't want to bombard ourselves with a lot of emails on the alerts.

GitHub Advanced Security's secret scanning is good. The Dependabot alerts are good. We are using GitHub for version control, container services, and CI/CD pipelines. All our codes are here and we are using GitHub Actions. We are also seeing that GitHub Advanced Security.

We used additional third-party solutions, but we replaced them with GitHub Advanced Security, even though I do not have a very good opinion about GitHub Advanced Security. Even though it is an inline product, I'm not seeing user-friendly things in GitHub Advanced Security.

Dependent bots and the secret detection are good compared to others. However, code scanning is not finding very good results based on pipeline where it will scan and do code scanning. While build, before building and deploying the code, we want to block or do an advanced model, but it is not supporting. During deployment, code scanning is not good.

It is a little complicated. It is not a straightforward method we can complete. We need expertise to get the full benefit, and troubleshooting sometimes requires going through that.

The security overview dashboard is not really clear. It's not showing centralized information; each repo is showing, but if you compare it with competitors, it is not that great.

Mainly in the centralized dashboard, enterprise level needs to improve. A centralized way where we can get that overall view is needed, and we want that code scanning and blocking deployments based on security. There are AI improvements, but however, it is not so easy to configure. It is multiple windows we need to go through and make changes or configure that. A few things we need to enable going into settings, and a few things we can find out in security. One product where security means the security dashboard should cover everything, but it is going here and there in many places.

I have been working with GitHub Advanced Security for more than three years, but at that time I was doing infrastructure level administration. Right now I'm heavily using GitHub Advanced Security.

I would rate the stability of GitHub Advanced Security around six.

Positive

As for scalability, we're not able to get the full-fledged use of the security product, so I cannot suggest. However, I can give around six.

GitHub directly does not support in the traditional sense. It's like a forum. They support but over email only.

Positive

We used additional third-party solutions, but we replaced them with GitHub Advanced Security.

I prefer Checkmarx as a main competitor for GitHub Advanced Security. It is good, and I am using Checkmarx. Even now this Wiz product is good; we are also using that. Wiz product is good, but Checkmarx is really good.

Dependent bots and the secret detection are good compared to others. However, code scanning is not finding very good results based on pipeline where it will scan and do code scanning. While build, before building and deploying the code, we want to block or do an advanced model, but it is not supporting.

The security overview dashboard is not really clear. It's not showing centralized information; each repo is showing, but if you compare it with competitors, it is not that great. My overall rating for GitHub Advanced Security is six.

I use GitHub Advanced Security. I work with GitHub. I am an implementer of GitHub. For migrations, my clients and I typically use GitHub Advanced Security.

The best features of GitHub Advanced Security are its flexibility and the multiple options it has compared to other tools.

I utilize the Dependabot alerts. The Dependabot alerts are good.

The security overview dashboard is good.

An area of GitHub Advanced Security that has room for improvement is customization.

I have been working with GitHub Advanced Security for three to four years.

I would rate customer service a seven on a scale from 1 to 10.

The reason it's not a 10 out of 10 is that there is no direct contact and sometimes my requests take a longer time for acknowledgment.

The initial setup of GitHub Advanced Security was easy for me.

I have seen return on investment from this tool.

There are time savings as a way to see the return on investment.

I think the pricing of this tool is good.

I remember that some time back I visited the website peerspot.com and did research about application security tools, GitHub Advanced Security and SonarQube Server.

I do not have any advice for people that are only looking to use GitHub Advanced Security at this time.

My company name is Newt. My title is Delivery Head. My email address is archana.s@newtglobalcorp.com.

On a scale of 1-10, I rate GitHub Advanced Security a 9.

I use GitHub Advanced Security for source code analysis and code scanning. It is integrated within my development environment and is beneficial for organizations where all development is within GitHub.

GitHub Advanced Security is a very developer-friendly solution that is integrated within my development environment. This integration allows me to work seamlessly without leaving my workflow, which is beneficial for organizations using GitHub. However, it is less useful for organizations with diversified development environments. The product is scalable.

GitHub Advanced Security should look into API security issues, which they currently do not. Additionally, open-source security vulnerabilities are not getting updated in a timely manner. 

There are features in GitHub Advanced Security that cannot be used within Microsoft, which is strange since they are the same company. It should also focus on developing a software bill of materials (SBOM) to see all open software used in one place.

I have used GitHub Advanced Security for four years.

I have not experienced any performance or stability issues with GitHub Advanced Security. It is good and stable.

GitHub Advanced Security is scalable, however, there are limitations. Check Point reports findings more efficiently than GitHub, so GitHub needs to enhance its engines.

The initial setup of GitHub Advanced Security was straightforward. My team did not handle this, as it was managed by the development team. I never received any complaints or heard of challenges with enabling it.

I would rate this product eight out of ten. 

GitHub Advanced Security should also put more emphasis on developing a software bill of materials, so that one can see what's being used without searching through different repositories.

I use it for Azure DevOps, for example. This tool focuses on the security of the code. It performs code analysis to identify security issues, such as hard-coded secrets and passwords, potential SQL injection points, and duplicated components.

SonarQube, on the other hand, focuses more on overall code quality and best practices, using a different approach that often results in more findings for the developer to handle. 

GitHub Advanced Security uses artificial intelligence in the backend, specifically CodeQL, to analyze code and provide fewer but more reliable findings, so there are less false positives. This allows developers to concentrate on the most relevant issues.

Both tools have their uses, with GitHub Advanced Security being purely security-focused and SonarQube concentrating on code quality. Many software companies use both tools for comprehensive code analysis. Somehow, they complement each other. 

We also use the secret scanning feature of GitHub. 

It finds hardcoded secrets directly in the code and points them out immediately. Then, I can go back to the developers and let them know. 

I can even block the commit in the repository so they cannot commit until they fix the issue.

AI in the backend:

CodeQL uses AI algorithms, so it reduces false positives. For example, in a SQL injection, it finds the user input flow of the code instead of looking for hardcoded SQL statements. It looks at where parameters can be created and filled with data. If it ends on a path where it comes from a user, then you really get an SQL injection. If it's just a parameter populated through something else, there is no danger. 

This is one difference between SonarQube and GitHub Advanced Security. It gives you fewer false positives, so you don't waste time figuring out if it's a real security issue or a false alarm.

Maybe make it compatible with more programming languages. Have a customized ruleset where the end-user can create their own rules for scanning. 

Also, support for container stuff, like when the code is running or built in a container, to offer more flexibility. The tool is pretty new, so maybe they will improve.

I never had  any technical issues with GitHub Advanced Security, like downtime.

It is a good fit for small and medium businesses. 

I have contacted GitHub for support with other tools.

The initial setup is easy. It's straightforward and integrated into Azure DevOps.

It took maybe a few hours, max two hours. It was quick.

Security may have no price. But it surely improves the overall security of the software. You find issues in the early stage of software development and don't need to perform extensive penetration tests as often. 

You still have to do the penetration test, but maybe once a year, not every big release. If your code is secure by design, then it's good.

The pricing is a little expensive. It has a pricing model of, like $50 per developer that commits into the repository. So, if you have a large development team with many people committing to the repository, it could easily be 20 to 30 people. Multiply that by $50 per month, and it's already $1000 a month, just for this tool. In my opinion, it's a little expensive.

I find it a little overpriced. It can easily cost $10,000 to $12,000 dollars a year, which is a bit much for a software company. There is room for improvement in the price.

The price could be lower.

I evaluated SonarQube and GitHub Advanced Security.

We work with both SonarQube and GitHub Advanced Security for DevOps. We compare them both to see which is better suited for our needs. 

SonarQube is mostly focused on code quality and compatibility, with a small subset for security. GitHub Advanced Security is purely focused on security. 

There are two different approaches that these tools take.

I would recommend it. I'd give it an eight out of ten. If the price were better, I would recommend it even more and give it a higher rating.

I use GitHub Advanced Security for conducting source code security scanning for the software that I develop.

The most valuable feature is the flexibility to customize the rules. It is also integrated directly within my developer workflow, so I use GitHub and see the output of vulnerabilities within GitHub. The secret scanning feature is also good and unique to GitHub.

The reporting feature might need improvement. While it integrates seamlessly with my workflow, it doesn't provide management with oversight, such as statistics and the number of vulnerabilities. Management is not familiar with logging into GitHub, so a reporting feature that allows export to PDF would be beneficial.

I have approximately two years of experience with GitHub Advanced Security.

GitHub Advanced Security is highly stable. I did not face any issues with the stability.

GitHub Advanced Security is ten out of ten scalable. It only requires a single click to enable it for any repository I have.

GitHub provides high-quality technical support. I have not faced any issues, possibly because I did not need to contact them often. Based on my experience, I would rate them ten out of ten.

Positive

I previously used Veracode before switching to GitHub Advanced Security. I switched because GitHub allows greater customizability and integration of custom code quality criteria. Additionally, GitHub had a lower false positive rate compared to Veracode, which had a higher false positive rate.

The initial setup is straightforward if I use GitHub, a SaaS platform. Once I purchase the license, enabling the feature is easy.

I did not observe a direct ROI, but I pay per developer, which I find quite high.

The pricing for GitHub Advanced Security is quite high, especially compared to other solutions.

I would definitely recommend GitHub Advanced Security to other development teams. It is my favorite solution. I rate this solution nine out of ten because of some missing features like the reporting feature.

Positive

I use the solution in my company to develop web applications and mobile apps. In my company, we use GitHub Advanced Security to check the vulnerabilities in the codes.

The deployment part of the product is an area of concern that needs to be made easier from an improvement perspective.

In my company, the actual implementation phase takes time, though the tool is able to give us reports. It is not easy for our company's teams to understand what changes are to be made to the product. If there are some guidelines on how to make the changes in GitHub Advanced Security and how to address the vulnerabilities, then it would be a better tool.

In general, the implementation part of the product is an area of concern where improvements are required.

I have been using GitHub Advanced Security for two years. I am a customer of the product.

It is a stable solution.

It is a scalable solution as it can handle new applications along with the analysis part.

Around 500 people in my company use the product.

The solution's technical support is good.

The support is available in the form of emails from a location which is outside India, making it difficult for my company in India to manage the product.

I rate the technical support an eight out of ten.

Positive

I haven't used any solutions that were similar to GitHub Advanced Security.

The product's initial setup phase was easy.

The solution can be deployed in a week. My company is still working on the development side since we did not have the resources to work in the area of security. In general, my company took around six months to complete an analysis of the code.

My company has around five engineers to implement the solution in our company. I would say that we are short of five engineers at the moment. Around ten engineers are required to take care of the implementation part.

My company is currently doing some evaluations to figure out some similar tools to GitHub Advanced Security.

I primarily use GitHub Advanced Security in our company's development workflow because once the code is developed, we run the product before pushing it to the staging phase to check for vulnerabilities.

Some of GitHub Advanced Security's features that are really effective for identifying vulnerabilities stem from the fact that it is easy for us to integrate it with the existing codes, especially since all our codes are already on GitHub. GitHub Advanced Security can be used to check for vulnerabilities. The tool's easy integration capability is one of its advantageous features.

GitHub Advanced Security's role in offering protection to the sensitive data within our company's projects since many of the developers tend to use secret keys and directly into the code, but GitHub Advanced Security analyzes such areas and helps us find out all the secret keys which are stored in the code, after which we remove it. The aforementioned area is a very good feature of the product.

My company needs only two people to take care of the maintenance part, so it is not very difficult to maintain the product.

The integration of the tool with our CI/CD pipelines is possible since my company has integrated into the Azure platform through GitHub's repository.

The product's alerts or insights led to security improvement or prevention of a breach when my company received alerts related to security keys.

I rate the overall product a nine out of ten.

The main focus of our use case is to enhance the overall security mindset and to improve the developer experience. Prioritizing security, our primary objective is to ensure the accuracy of security findings, minimize noise, and optimize the identification of potential vulnerabilities.

The most valuable is the developer experience and the extensibility of the overall ecosystem. When I refer to extensibility, I mean the ability to incorporate custom queries using CodeQL, the engine powering GitHub Advanced Security. This customization allows for creating specific queries tailored to our domain, beyond the general rule set.

The current reporting features are limited and require improvement. Data is consolidated under the security tab, including secret scanning, and code vulnerabilities. This consolidation may lead to confusion, especially with many issues. A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial. Additionally, introducing robust reporting capabilities for tracking issue resolution progress would significantly enhance the platform's usability. Considering the current feature set, I am contemplating the potential inclusion of features, particularly those related to better integration with existing security tools. As a sizable organization, we already utilize specific security tools. While these tools can export data in a compatible format for integration with GitHub, there are challenges, especially with a diverse range of tools operating in the security space.

I have been working with it for a year now.

In terms of stability, I haven't encountered any downtime issues. From a developer's perspective, there have been instances where, during the execution of workflows, they faced challenges in understanding why a particular analysis didn't report certain vulnerabilities as expected. Regarding performance, the product and its features demonstrate satisfactory capabilities.

The platform is inherently scalable, allowing for smooth onboarding as we deploy licenses. As of now, we have expanded the user base to approximately 350.

We extensively collaborate with their professional services team for assistance. Our interactions have included submitting feature requests, raising queries, and addressing what we perceive as glitches, even if they may not align with the platform's perspective. Additionally, we've had discussions with their product managers to convey our expectations for these tools. The GitHub team has been responsive and accommodating throughout these interactions. I would rate it eight out of ten.

Positive

I have experience with Fortify, which operates in the same space, one notable difference is the issue of excessive noise. It tends to generate a high number of false positives, leading to potential confusion for developers. This noise can compromise the overall developer experience and erode trust in the tool's accuracy. Advanced Security, on the other hand, excels in addressing these issues. It has proven to be more adept at avoiding false positives and providing a more reliable vulnerability notification system, contributing to a smoother and more trustworthy developer experience.

The initial setup is relatively straightforward. Once an enterprise admin enables it, the responsibility shifts to individual repo admins to enable it on their respective repositories. Over the past year, there have been enhancements, such as the automatic generation of analysis files for certain languages, eliminating the need for users to write their files.

The deployment process, in my perspective, is influenced by factors like the build process. The most time-consuming aspect revolves around organizational procedures such as raising purchase orders. Once these administrative steps are completed, the actual enablement by GitHub is a relatively swift process, typically taking just a matter of hours. This streamlined activation is especially notable since our operations are in the cloud, making the transition smoother and more efficient.

The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth. This model requires constant adjustments and additional licensing requests, making it difficult to estimate usage from the start. A pay-per-use model, where charges align with actual usage, would be more ideal and flexible.

For organizations heavily invested in Microsoft's suite of products and operating as a sort of automation hub, GitHub Advanced Security stands out as the de facto choice. Its seamless integration with the developer environment and the broader suite of tools makes it the go-to solution. Overall, I would rate it nine out of ten.

My company is a partner. We help in product implementation for SaaS analytics. The solution is used for SaaS scans and secret scanning.

Dependency scanning is a valuable feature. The dependency review feature can be run as part of the CI pipeline. Secret scanning and push protection can block threats. It discovers the vulnerabilities. It helps identify the threats that are commonly seen in the industry.

CodeQL provides ease of use. It enables a high degree of customization. We can write our own queries and configure them in bulk for different projects. The tool provides APIs if we want to integrate it with any external system.

The customizations are a little bit difficult. We must know how to write queries. Training is a bit limited. GitHub needs to make it simpler for customization.

I have been using the solution for almost four years.

The tool is very stable.

We have more than 1000 users.

I have contacted support for on-premise configuration. The quality of support depends on the priority of the issue. I rate the support an eight or nine out of ten.

Positive

We were using multiple products before. We switched to GitHub because we are partners. We also help others to set up the solution.

The initial setup is very easy.

The solution is expensive.

The tool provides good reports. I recommend the product to others. It has a trial version. We can test all the features. Overall, I rate the product a nine out of ten.

We use GitHub Advanced Security to secure data for multiple applications. It ensures user passwords or sensitive information are not accidentally exposed in code or reports. It scans the project's dependencies and checks if they are up-to-date and free from known security vulnerabilities.

GitHub Advanced Security is part of the Azure DevOps ecosystem. So, all the dashboards and information stay in our environment. We are not required to integrate it with any external security solution.

There could be a centralized dashboard to view reports of all the projects on one platform.

I rate GitHub Advanced Security a seven out of ten.