planning-a-trial-of-ghas.md

File metadata and controls

96 lines (59 loc) · 9.11 KB
title shortTitle allowTitleToDifferFromFilename intro type topics versions
Planning a trial of {% data variables.product.prodname_GHAS %}
Plan GHAS trial
true
Make the most of your trial so you can decide whether {% data variables.product.prodname_AS %} products meet your business needs.
overview
Code Security
Secret Protection
fpt ghec
*
*

## About trialing {% data variables.product.prodname_GHAS %}

You can trial {% data variables.product.prodname_GHAS %} independently, or with the help of an expert from {% data variables.product.github %} or a partner organization. The primary audience for these articles is people who will plan and run their trial independently, typically small and medium-sized organizations.

> [!NOTE]
> Although {% data variables.product.prodname_GHAS %} is free of charge during trials, you will be charged for any actions minutes that you use. That is, actions minutes used by the {% data variables.product.prodname_code_scanning %} default setup or by any other workflows you run.

### Existing {% data variables.product.prodname_ghe_cloud %} users

{% data reusables.advanced-security.ghas-trial-availability %} For more information, see AUTOTITLE.

{% data reusables.advanced-security.ghas-trial-invoiced %}

### Users on other GitHub plans

You can trial {% data variables.product.prodname_GHAS %} as part of a trial of {% data variables.product.prodname_ghe_cloud %}. For more information, see AUTOTITLE{% ifversion fpt %} in the {% data variables.product.prodname_ghe_cloud %} documentation{% endif %}.

### When the trial ends

{% ifversion fpt %}

If you don't already use {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %}, you will need to upgrade your plan to continue using {% data variables.product.prodname_GH_cs_or_sp %} in private repositories when the trial ends.

{% data variables.product.prodname_GH_cs_and_sp %} are billed by usage of unique committers to repositories with {% data variables.product.prodname_cs_or_sp %} enabled. For more information, see AUTOTITLE.

{% elsif ghec %}

You can end your trial at any time by purchasing {% data variables.product.prodname_GH_cs_or_sp %}. If you don't already use {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %}, you will need to upgrade your plan. Alternatively, you can cancel the trial at any time.

{% endif %}

## Define your company goals

Before you start a trial, you should define the purpose of the trial and identify the key questions you need to answer. Maintaining a strong focus on these goals will enable you to plan a trial that maximizes discovery and ensures that you have the information needed to decide whether or not to upgrade.

If your company already uses {% data variables.product.github %}, consider what needs are currently unmet that {% data variables.product.prodname_cs_or_sp %} might address. You should also consider your current application security posture and longer term aims. For inspiration, see Design Principles for Application security in the {% data variables.product.github %} well-architected documentation.

{% rowheaders %}

| Example need | Features to explore during the trial |
| ------------ | ------------------------------------ |
| Enforce use of security features | Enterprise-level security configurations and policies, see AUTOTITLE and AUTOTITLE |
| Protect custom access tokens | Custom patterns for {% data variables.product.prodname_secret_scanning %}, delegated bypass for push protection, and validity checks, see AUTOTITLE |
| Define and enforce a development process | Dependency review, auto-triage rules, rulesets, and policies, see AUTOTITLE, AUTOTITLE, AUTOTITLE, and AUTOTITLE |
| Reduce technical debt at scale | {% data variables.product.prodname_code_scanning_caps %} and security campaigns, see AUTOTITLE |
| Monitor and track trends in security risks | Security overview, see AUTOTITLE |

{% endrowheaders %}

If your company doesn't use {% data variables.product.github %} yet, you are likely to have additional questions including how the platform handles data residency, secure account management, and repository migration. For more information, see AUTOTITLE.

## Identify the members of your trial team

{% data variables.product.prodname_GHAS %} enables you to integrate security measures throughout the software development life cycle, so it's important to include representatives from all areas of your development cycle. Otherwise you risk making a decision without having all the data you need. A trial includes 50 licenses, which provide scope for representation from a wide range of people.

You may also find it helpful to identify a champion for each company need that you want to investigate.

## Determine whether preliminary research is needed

If members of your trial team have not yet used the core features of {% data variables.product.prodname_GHAS %}, it may be helpful to add an experimentation phase in public repositories before you start a trial. Many of the primary features of {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_secret_scanning %} can be used on public repositories. Having a good understanding of the core features will allow you to focus your trial period on private repositories, and on exploring the additional features and controls available with {% data variables.product.prodname_cs_and_sp %}.

For more information, see AUTOTITLE, AUTOTITLE, and AUTOTITLE.

{% ifversion secret-risk-assessment %}

Organizations on {% data variables.product.prodname_team %} and {% data variables.product.prodname_enterprise %} can run a free report to scan the code in their organization for leaked secrets. This can help you understand the current exposure of the repositories in your organization to leaked secrets, as well as see how many existing secret leaks could have been prevented by {% data variables.product.prodname_secret_protection %}. See AUTOTITLE.

{% endif %}

## Agree the organizations and repositories to test

Generally it is best to use an existing organization for a trial. This ensures that you can trial the features in repositories you know well and that accurately represent your coding environment. Once you start the trial, you may want to create additional organizations with test code to expand your explorations.

Be aware that deliberately insecure applications, such as WebGoat, may contain coding patterns that appear to be insecure, but which {% data variables.product.prodname_code_scanning %} determines cannot be exploited. {% data variables.product.prodname_code_scanning_caps %} typically generates fewer results for artificially insecure codebases than other static application security scanners.

## Define the assessment criteria for the trial

For each company need or goal that you identify, decide what criteria you will measure to determine whether it is successfully met or not. For example, if one need is to enforce the use of security features, you might define a range of test cases for security configurations and policies to give you confidence that they enforce processes as you expect.

## Next steps

1. AUTOTITLE
1. AUTOTITLE
1. AUTOTITLE
1. AUTOTITLE