How exposed is your organization? Run a free assessment to find out.
GitHub risk assessments scan your repositories for exposed credentials and code vulnerabilities, giving your team the insight to understand current risk and prioritize what to address next.

Secret risk assessment
Scan your repositories for leaked credentials and see where secrets appear, which types are most common, and where protection can reduce risk.
Code security risk assessment
Scan up to 20 active repositories to identify vulnerabilities, understand risk by severity, and see where Copilot Autofix may help speed remediation.
What you’ll see in your results
A clear picture of your organization’s exposure, so you can understand where risk stands today, align on priorities, and make better business decisions.
How it works
Run the assessment
An organization admin or security manager starts the scan. The secret risk assessment reviews every repository in your organization, while the code security risk assessment scans up to 20 repositories you choose. GitHub emails you when your results are ready.

Review the results
Open the Code Security and Secret Protection tabs to review the results from each assessment. Secret Protection results appear as repositories are processed, while Code Security results are available after the full scan is complete.

Take the next step
Eligible enterprise admins can start a GitHub Advanced Security trial directly from the risk assessment. If you're not eligible for a self-serve trial, you can enable Secret Protection or Code Security directly from the assessment or talk to an expert at GitHub.

Your repositories. Your findings. Your call.
Test your actual code
Most security evaluations rely on benchmarks, demos, or coverage tables. The assessment analyzes your own repositories, so you can evaluate findings based on what your developers actually ship.
Decide with evidence, not assumptions
See findings in your own environment before deciding whether GitHub security products are the right fit.
Validate what’s working and find what isn’t
Quiet results give you evidence that your current practices are working. Specific findings—like credentials, vulnerabilities, or affected repositories—give you a fact-based case for action.
Decide on the facts
Run the assessment. Review the results. Decide what’s next.
Frequently asked questions
Which GitHub plans and roles can run a security risk assessment?
Organization owners and security managers on GitHub Team or GitHub Enterprise Cloud can run one. The code security risk assessment ships in GitHub Enterprise Server 3.23.
How much does the GitHub security risk assessment cost?
Nothing. The assessment is free, including the GitHub Actions minutes used to run code scans. You won't be charged for GitHub Code Security or Secret Protection licenses during the assessment.
How long does a GitHub security risk assessment take to complete?
Most scans finish within 30 minutes. Larger or more complex organizations may take longer. GitHub emails you when the report is ready. The Secret Protection tab updates as repositories are scanned; the Code Security tab populates when the full scan completes.
How often can you run a GitHub security risk assessment?
Every 90 days. You can change which repositories are scanned each time.
What does the GitHub security risk assessment scan for?
For secrets, GitHub reviews your organization's repositories for exposed credentials across provider patterns and generic patterns. For code, GitHub scans up to 20 repositories using CodeQL, defaulting to those with the most commit activity in the last 90 days. You can change the selection before running the scan.
Will running a GitHub assessment affect my existing code scanning data?
No. The risk assessment uses a separate upload path and does not modify or interfere with existing code scanning alerts on your repositories.
What does it mean if the GitHub security risk assessment finds no issues?
That's a good sign. You'll have evidence that your current security practices are catching what matters. Re-run every 90 days to confirm the picture holds.
What can I do after reviewing my GitHub security risk assessment results?
Eligible enterprise admins can start a GitHub Advanced Security trial directly from the risk assessment. Otherwise, depending on your eligibility, you can enable Secret Protection or Code Security directly from the assessment, or contact GitHub to speak with an expert.
Does GitHub share security risk assessment results with its sales teams?
Your results and contact details are shared with your account team only if you opt in, so they can follow up. If you don't opt in, your account team sees only that your organization ran an assessment. They don't receive your results or contact details.