Planning a trial of GitHub Advanced Security

Ensure that your trial gives you the answers you need to make a decision on whether or not GitHub Advanced Security meets your business needs.

About trialing GitHub Advanced Security

You can trial GitHub Advanced Security independently, or working with an expert from GitHub or a partner organization. The primary audience for these articles is people who will plan and run their trial independently, typically small and medium-sized organizations.

Note

Although GitHub Advanced Security is free of charge during trials, you will be charged for any actions minutes that you use. That is, actions minutes used by the code scanning default setup or by any other workflows you run.

Existing GitHub Enterprise Cloud users

For more information, see Setting up a trial of GitHub Advanced Security in the GitHub Enterprise Cloud documentation.

Users on other GitHub plans

You can trial GitHub Advanced Security as part of a trial of GitHub Enterprise Cloud. For more information, see Setting up a trial of GitHub Enterprise in the GitHub Enterprise Cloud documentation.

When the trial ends

You can end your trial at any time by purchasing GitHub Advanced Security, and GitHub Enterprise if you don't already use it, or by canceling the trial. For more information, see What happens when the trial ends? in the GitHub Enterprise Cloud documentation.

Define your company goals

Before you start a trial of GitHub Advanced Security, you should define the purpose of the trial and identify the key questions you need to answer. Maintaining a strong focus on these goals will enable you to plan a trial that maximizes discovery and ensures that you have the information needed to decide whether or not to upgrade.

If your company already uses GitHub, consider what needs are currently unmet that GitHub Advanced Security might address. You should also consider your current application security posture and longer term aims. For inspiration, see Design Principles for Application security in the GitHub well-architected documentation.

Example need                               | Features to explore during the trial
Enforce use of security features           | Enterprise-level security configurations and policies, see About security configurations and About enterprise policies
Protect custom access tokens               | Custom patterns for secret scanning, delegated bypass for push protection, and validity checks, see Exploring your enterprise trial of secret scanning
Define and enforce a development process   | Dependency review, auto-triage rules, rulesets, and policies, see About dependency review, About Dependabot auto-triage rules, About rulesets, and About enterprise policies
Reduce technical debt at scale             | Code scanning and security campaigns, see Exploring your enterprise trial of code scanning
Monitor and track trends in security risks | Security overview, see Viewing security insights

If your company doesn't use GitHub yet, you are likely to have additional questions, including how the platform handles data residency, secure account management, and repository migration. For more information, see Getting started with GitHub Enterprise Cloud.

Identify the members of your trial team

GitHub Advanced Security enables you to integrate security measures throughout the software development life cycle, so it's important to ensure that you include representatives from all areas of your development cycle. Otherwise you risk making a decision without having all the data you need. A trial includes 50 licenses, which provides scope for representation from a wider range of people.

You may also find it helpful to identify a champion for each company need that you want to investigate.

Determine whether preliminary research is needed

If members of your trial team have not yet used the core features of GitHub Advanced Security, it may be helpful to add an experimentation phase in public repositories before you start a trial. Many of the primary features of code scanning and secret scanning can be used on public repositories. Having a good understanding of the core features will allow you to focus your trial period on private repositories and on exploring the additional features and controls available with GitHub Advanced Security.

For more information, see About code scanning, About supply chain security, and About secret scanning.

Agree the organizations and repositories to test

Generally it is best to use an existing organization for a trial. This ensures that you can trial the features in repositories you know well and that accurately represent your coding environment. Once you start the trial, you may want to create additional organizations with test code to expand your explorations.

Be aware that deliberately insecure applications, such as WebGoat, may contain coding patterns that appear to be insecure, but which code scanning determines cannot be exploited. Code scanning typically generates fewer results for artificially insecure codebases than other static application security scanners.

Define the assessment criteria for the trial

For each company need or goal that you identify, determine what criteria you will measure to determine whether it is successfully met or not. For example, if one need is to enforce the use of security features, you might define a range of test cases for security configurations and policies to give you confidence that they enforce processes as you expect.

Next steps

  1. Setting up a trial of GitHub Enterprise
  2. Enabling security features in your trial enterprise
  3. Exploring your enterprise trial of secret scanning
  4. Exploring your enterprise trial of code scanning