Unexpected GitHub Security billing charges

[JamesBGra]

Select Topic Area

Question

Body

I am seeing charges for Code Security (3 licenses – $2.90) and
Secret Protection (3 licenses – $1.84).

I would like detailed clarification on:

1. Which organization or repositories are generating these charges
2. Which specific features are enabled (Code scanning, Secret scanning,
   Push protection, Dependabot, etc.)
3. Which users are counted as the 3 billable licenses
4. When these features were enabled and by whom
5. How I can disable or limit these features to avoid future charges

Please provide a repository-level and user-level breakdown of the usage.

[harshitak4]

Unexpected GitHub security charges can definitely be confusing, especially since some features are enabled at the organization level rather than per repository. I’ll break this down in a practical way.

Why you’re seeing these charges

The charges you listed (Code Security and Secret Protection) are typically related to GitHub Advanced Security (GHAS) features being enabled on one or more repositories within an organization. These features are billed per active committer, not per repository.

The “3 licenses” usually means three unique users have pushed commits to repositories where these security features are enabled during the billing period.

How to identify what’s generating the charges

Find the organization or repositories involved

Go to Organization Settings → Billing & plans

Open Usage or Security & analysis
This will show which organizations have Advanced Security enabled.

Check which security features are enabled
For each affected repository:

Go to Settings → Security & analysis

Look for:

Code scanning

Secret scanning

Secret scanning push protection

Dependency review / Dependabot alerts
Any of these can contribute to billing when Advanced Security is active.

Identify which users are being billed
GitHub counts active committers (users who pushed code) during the billing cycle. This can include:

Organization members

External collaborators

Bots (in some cases)
The billing page should list the number of active committers, though it doesn’t always show names.

When and by whom features were enabled
GitHub does not currently provide a detailed audit trail for who enabled GHAS in the UI. If you have audit log access:

Check Organization Settings → Audit log

Filter for security_configuration or advanced_security events

How to stop or reduce future charges

Disable Advanced Security on repositories where it’s not needed:

Repo Settings → Security & analysis

Limit the number of users who can push to those repos

Move sensitive or experimental repos to private projects without GHAS

Regularly review billing usage at the start of each billing cycle

Important note

GitHub Discussions can help explain how billing works, but for a precise repository-level and user-level breakdown, your best option is to contact GitHub Support directly. They can see billing data that isn’t exposed in the UI and can confirm exactly what triggered the charges.

[YussufEssam89]

Explanation of Code Security and Secret Protection Charges

You’re seeing these charges because GitHub Advanced Security (GHAS) features are enabled on one or more private repositories in your organization. Below are steps to see exactly where the charges come from and how to manage them.

---

1. Identify which organization or repositories are generating charges

To see which repositories have Advanced Security enabled:

• Go to Organization settings
• Navigate to Security → Code security and analysis
• Open Advanced Security → Repository enablement

or:

• Settings → Billing & plans → Cost management → Advanced Security

This page lists every repository currently incurring charges.

---

2. Identify which features are enabled

Billing is triggered when any of the following are enabled on a private repository:

• Code scanning
• Secret scanning
• Secret scanning push protection
• Dependency review with blocking
• Private vulnerability reporting

To check per repository:

• open the repository
• go to Settings → Code security and analysis

Each feature will show Enabled or Disabled.

Note: Dependabot alerts are free. Some Advanced Security scanning features are billable.

---

3. Identify which users make up the 3 billable licenses

The “3 licenses” correspond to active committers to repositories with Advanced Security enabled.

To see the exact users:

• Organization settings → Billing & plans
• Open Advanced Security
• View or export Active security committers

GitHub counts users who:

• pushed code in the last 90 days
• to a repository with Advanced Security enabled
• are counted once per organization (not per repo)

---

4. See when features were enabled and by whom

Use the Audit log:

• Organization settings → Audit log

Filter for events such as:

advanced_security.enable
code_scanning.enable
secret_scanning.enable
secret_scanning_push_protection.enable

This will show:

• which repository
• who enabled it
• when it was enabled

---

5. How to disable or limit these features to avoid future charges

Disable per repository

• Repository → Settings → Code security and analysis
• Turn off:
  • GitHub Advanced Security
  • Code scanning
  • Secret scanning
  • Push protection

Prevent auto-enabling on new repositories

• Organization → Code security and analysis
• Disable:
  • Enable by default for new repositories

Restrict via policy

You can restrict which repos or teams can enable Advanced Security.

Billing automatically stops once no active committers remain on enabled repos.

---

6. Repository-level and user-level breakdown reports

You can export CSV reports here:

• Organization settings → Billing & plans
• Advanced Security → Download usage report

The report includes:

• repositories incurring charges
• number of active security committers per repo
• feature enablement details

[doucsag]

this seems to be an AI response because its completely halucinated

[doucsag]

Same here, we've been billed for 3 months and yet we do not have advanced security enabled and neither is there anything in the auditlog.

[SlnkoEnergy]

facing same problem any solution

[wkkkis]

unexpected github security billing charges - what they usually mean

those line items are coming from GitHub Advanced Security–style features being enabled somewhere you have billing access to.

“Code Security” and “Secret Protection” are umbrella SKUs that typically map to things like:

• code scanning (codeql / third-party analyzers)
• secret scanning for private repos
• push protection
• dependabot security updates / alerts (in some plans)
• security dashboards

if you’re seeing “3 licenses,” that usually means three active committers in an org where those paid security features are turned on.

---

where the charges come from

github always bills at the org / enterprise level, not per-repo line items on the invoice.

to track it down:

1) find the org being charged

go to:

github.com/settings/billing → Billing & plans → Usage or Invoices

there you’ll see which organization generated the Code Security / Secret Protection charges.

if you’re an owner in multiple orgs, check each one.

---

2) see which repos have security features enabled

inside that org:

• go to Org settings → Security & analysis
• look for paid features:
  • code scanning
  • secret scanning
  • push protection
  • dependency review / advanced dependabot

some orgs enable these org-wide by default.

you can also open a specific repo:

Repo → Settings → Security & analysis

and see exactly what’s toggled.

---

3) who are the 3 billed users?

licenses usually count unique active committers in repos where Advanced Security is enabled during that billing period.

check:

Org settings → Billing → Usage → GitHub Advanced Security

there’s typically a breakdown showing:

• how many committers were counted
• which repos triggered usage
• date ranges

not always super granular per repo, but enough to identify suspects.

---

4) when / by whom it was enabled

this part is trickier.

enablement usually comes from:

• an org owner toggling it org-wide
• a repo admin enabling security analysis
• enabling a security policy template
• migrating plans

audit trail lives in:

Org settings → Audit log

filter for:

• security_analysis.enable
• advanced_security.enable
• secret_scanning.enable
• code_scanning.enable

that usually tells you who flipped the switch and when.

---

how to stop future charges

you’ve got a few levers:

disable org-wide

org → settings → security & analysis → turn off advanced features.

disable per repo

repo → settings → security & analysis → turn off the paid ones.

limit committers

since billing is per active committer:

• restrict write access
• move bots to separate orgs
• avoid enabling advanced security on repos with lots of contributors

---

important nuance

some security features are free for public repos but paid for private ones.

so the usual gotcha is:
someone enables secret scanning / code scanning org-wide, and suddenly three devs push to private repos → boom, licenses appear.

---

tl;dr

• those charges are from Advanced Security features enabled in an org you own
• billed per active committer, not per repo toggle
• check org billing usage page first
• audit log shows who enabled it
• disable at org or repo level to stop it
• public repos don’t trigger these charges

if the billing UI doesn’t show the detail you’re asking for, that’s when it’s time to open a github support ticket - they can give repo-level breakdowns even if the UI doesn’t expose everything.

[avendisianipar]

Any idea how to solved this issue @github ? :(