How to Set Up Advanced Security for Public Repositories?

[davewichers]

Topic

Setting Up GitHub Advanced Security for Public Repositories

Question

Per: About licenses for GitHub Advanced Security, it says: "If you want to use GitHub Advanced Security features on any repository apart from a public repository on GitHub.com, ...".

However, this page, nor any other page I can find, explains how to enable GitHub Advanced Security on a public repository. Can someone either explain how, or point me to the proper page that does explain how? In my case, this is a personal project, not one in an organization.

[aashah]

Advanced Security is a paid set of products, so unfortunately that may not be available.

However, many of those security products are still offered for free public repositories. For example, Secret Scanning is available -- https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories

Most of the security product settings should appear on the same page, based on their availability. Lemme know if you were looking for a specific security product.

[davewichers]

Both employees of GitHub, via emails, and the above GitHub page says you can use GitHub Advanced Security on public / open source repos. But they don't explain HOW to enable it. That's what I'm looking for.

[aashah]

If you have paid for advanced security, it will be available from your repo settings > Code security and analysis > GitHub Advanced Security.

It is not available if your org or business has not purchased licenses.

The page you linked above is specifically about how Advanced Security is billed, not it's availability. What the documentation was trying to say is that contributions made to public repositories do not consume licenses, only contributions to private repositories. Advanced Security is still only available by purchasing licenses. You can see the subtext in the screenshot above say the same-ish thing.

[shaikhmubin02]

Enable Two-Factor Authentication (2FA): Enable 2FA for all collaborators to add an extra layer of security.

[davewichers]

I guess I should have been more clear in my question. I'm specifically interested in piloting the new Autofix feature. However, per: https://github.com/orgs/community/discussions/111094 (Code scanning autofix: Preview Feedback and Resources) - it says: "Fix suggestions are available on private repositories with a working code scanning configuration." And 2 weeks ago there was also the comment: "We do not plan on shipping it to open source at the moment." so I guess as of today, you can't enable Advanced Security Autofix on public repos. You have to either pay for it or use a 30-day trial on an organization which has 1 or more private repos.

GH also confirmed this: "Autofix is currently only available for private repositories owned by GHAS customers. We’re tracking the request to extend it to open source developers here."

[aashah]

Got it. Yeah that would have been helpful to specify...Like I mentioned in the other comment, some security products and their features have become available to open source repositories. Advanced Security however, is always a paid feature.