[CONTENT]
$
USD
Spotlight
COMMISSIONED BY GitHub, July 2025
Spotlight
COMMISSIONED BY GitHub, July 2025
GitHub commissioned Forrester Consulting to interview six decision-makers and conduct a Total Economic Impact™ (TEI) study to better understand the benefits, costs, and risks associated with GitHub Enterprise Cloud.1 This abstract will focus on the advanced security features of GitHub Advanced Security and its value to their organizations.
Forrester identified several use cases during the interviews that demonstrate how GitHub Advanced Security improved the interviewees' software development processes:
The food and beverage producer identified and blocked vulnerabilities early in development and eliminated the risk of exposing sensitive information in their codebase.
The financial services firm achieved more than 80% application coverage with Static Application Security Testing (SAST) and maintained a secure codebase through secret scanning and open source dependency management.
The retailer embedded security checks into their continuous integration and delivery (CI/CD) pipelines and maintained a secure development environment through secret scanning and CodeQL.
The manufacturing company identified and mitigated security risks with CodeQL and secret scanning and facilitated better collaboration and compliance with security standards.
By selecting GitHub Advanced Security, these organizations aimed to unify their security practices, embed security checks directly into their development workflows, and leverage advanced features like dependency scanning, CodeQL, and secret scanning to proactively identify and mitigate risks, ultimately enhancing their overall security posture and operational efficiency.
For more information on GitHub Enterprise Cloud, see “The Total Economic Impact™ Of GitHub Enterprise Cloud” a commissioned study conducted by Forrester Consulting on behalf of GitHub, July 2025.
Before adopting GitHub Advanced Security, the interviewees’ organizations faced challenges managing security and risk within their software development and DevOps environments. These challenges included fragmented security tools leading to inconsistent security practices and decentralized environments that made it difficult to enforce consistent practices and ensure compliance. Without integrated security measures, these organizations faced increased risks of security breaches, operational disruptions, and costly and damaging incidents, making it harder to ensure the integrity and security of their software products.
The interviewees’ organizations approached implementation with a clear security-first mindset. From the outset, they adopted GitHub Advanced Security to enforce secure coding practices across teams. This early integration ensured that security was not an afterthought but a foundational element of the development process. Embracing shift-left principles, the organizations embedded security checks directly into developer workflows, enabling real-time vulnerability detection and remediation. To further tailor GitHub to their enterprise environments, many organizations developed custom automations and integrations, aligning the platform with their specific security and compliance requirements. This proactive and embedded approach helped establish a robust and scalable security posture early in their GitHub journeys.
GitHub’s security features collectively helped developers and security teams work together to maintain a secure and compliant codebase. The following capabilities contributed to the impact of GitHub Advanced Security:
CodeQL. The CodeQL capability helped identify vulnerabilities in software code by performing semantic code analysis.
Code scanning. Interviewees highlighted code scanning as it integrated with GitHub Actions to embed security checks directly into CI/CD pipelines, offering contextual explanations and suggested fixes.
Secret scanning. Interviewees said that the secret scanning feature prevented the accidental inclusion of sensitive information in repositories.
Push protection. To guard against the inclusion of sensitive information by scanning for more than 200 token types and patterns, interviewees’ organizations used the push protection capability in GitHub Advanced Security. This proactive measure helped them avoid the time-consuming, error-prone, and risky task of remediating exposed secrets after they had been pushed to a repository.
Dependency scanning. This capability identified vulnerabilities and blocked pull requests with known issues.
Security overview. The security overview capability provided a comprehensive view of the security status across multiple repositories, helping the interviewees’ organizations prioritize remediation tasks.
The adoption of GitHub Advanced Security enhanced interviewees organizations’ security posture, reduced software development risks, and created efficiencies during the software development process. Interviewees reported the following impact:
Reduced risk. By integrating security directly into the development workflow, GitHub Advanced Security reduced the risk of security breaches and vulnerabilities. This proactive approach to security minimized the potential for costly and damaging incidents. The director of software engineering at the food and beverage company told Forrester: "GitHub Advanced Security and GitHub Actions together provide what is called a security-first approach to how we do software development and software engineering. Whenever we are coding or checking code, we scan for secrets, vulnerabilities, and binary dependencies that we may have. We ensure developers are doing everything in the integrated development environment (IDE)."
Improved security posture. GitHub Advanced Security's comprehensive security features, including dependency scanning, CodeQL, and secret scanning, helped the interviewees’ organizations identify and mitigate vulnerabilities early in the development process, ensuring that their codebases were secure. For one financial services firm, the ability to prevent secrets from being committed was key. Their VP of engineering shared: “GitHub Advanced Security does static code analysis and secret scanning. It’s the only place where we can actually prevent secrets from being committed, not just scan after the fact.” Another organization, the global food and beverage company, consolidated everything on GitHub Advanced Security. The director of software engineering for this organization explained: “We went all in. We do dependency scanning, CodeQL scanning for vulnerabilities, and binary scanning. If a build would result in a security vulnerability, we block the PR. That ensures that every time we’re deploying something, we know it’s free of security vulnerabilities.”
Enhanced collaboration. GitHub Advanced Security facilitated better collaboration between internal teams and external partners, streamlining the onboarding process and ensuring that all parties adhered to the same security standards. The technology director at a retail company said, " We have seen examples where engineers from different parts of the organization collaborate on projects, which was not possible before due to siloed systems.”
Increased developer productivity. The integration of security tools into the development environment allowed developers to focus on writing code without being interrupted by security checks. This led to increased productivity and a more efficient development process. At the food and beverage company, GitHub Advanced Security reduced tool sprawl and integrated security into a single platform, thereby allowing developers to stay in their IDEs and maintain focus. The director of software engineering at this organization said: “The less you have to worry about switching context or picking the right tool ... you can stay in your IDE, stay focused, and stay in the zone. The tools are there to help you, not get in your way”. This interviewee added that GitHub Advanced Security enabled faster identification of vulnerabilities across the codebase, which reduced downtime and business disruption: “When Log4j happened, I went to GitHub Advanced Security and saw that we didn’t have any dependencies on Log4j. In minutes, we knew our codebase was clear. That saved us days of disruption.”
Security-related task efficiency improvement for DevSecOps teams and developers with GitHub Advanced Security.
Leveraging the following capabilities in GitHub Copilot Enterprise enhanced the ability of software development teams to integrate security practices into their coding process, promoting best practices and enabling proactive risk management:
Real-time code suggestions. Developers used context-aware code suggestions in Copilot, which allowed them to write secure code by reducing the likelihood of errors that could introduce vulnerabilities.
Integration with security tools. Developers paired Copilot with static code analyzers and vulnerability scanners, allowing for continuous security assessments as they developed code, thus identifying potential security issues early in the development lifecycle.
Prompt engineering for security. Developers crafted specific prompts to guide Copilot in generating secure code, thereby enhancing the relevance and safety of the output.
Monitoring and auditing. Organizations established regular procedures to review code changes made with Copilot, ensuring compliance with security standards and data privacy regulations.
To mitigate potential security risks effectively when implementing AI coding practices, interviewees’ organizations adopted the following strategies into their development processes:
Thorough code reviews. Code reviews helped identify vulnerabilities in AI-generated code and ensured security compliance.
Limiting sensitive data exposure. Segregation and strict access controls limited sensitive data exposure.
Integrating security tools. Tools like static code analyzers enhanced overall security.
Implementing secure development practices. Encryption and code scanning further ensured data protection.
Monitoring and auditing. Regular monitoring and auditing of code changes ensured compliance with privacy regulations.
For more information, download the full study: “The Total Economic Impact™ Of GitHub Enterprise Cloud,” a commissioned study conducted by Forrester Consulting on behalf of GitHub, July 2025.
Study Findings
Forrester interviewed six total representatives at organizations with experience using GitHub Enterprise Cloud, including GitHub Advanced Security and GitHub Copilot Enterprise, and combined the results into a three-year financial analysis for a composite organization. Risk-adjusted present value (PV) quantified benefits for the composite organization include:
A shorter development cycle worth $48.28 million from improved tools and automation and enhanced security features and user interfaces. Improved tools and automation lead to measurable time savings and increased productivity for developers. Enhanced security features and user interfaces streamline development processes, resulting in higher output and efficiency.
Security and compliance efficiencies worth $9.25 million from features like code scanning, secret scanning, and embedded security tools. Features like code scanning, secret scanning, and embedded security tools streamline processes, reduce vulnerabilities, and enhance overall security posture. These tools make it easier for engineers to manage and fix vulnerabilities, ensuring more secure deployments.
Shorter time to productivity for new developers worth $1.73 million. GitHub Copilot helps new developers understand code and improve documentation more quickly, reducing the learning curve and accelerating onboarding. Comprehensive design summaries further enhance the learning process, leading to faster productivity.
Cost and time savings from retiring the legacy tech stack worth $8.22 million. Consolidating systems and moving to a SaaS model reduce complexity and resource requirements, lowering both human and operational costs. Enhanced security coverage and future-proofing for development processes further contribute to these savings.
Accelerated time to market revenue impact valued at $18.41 million. Consolidating systems and standardizing development processes reduce complexity and improve efficiency, leading to faster product delivery. Enhanced collaboration and automation further streamline development cycles, contributing to quicker market readiness.
1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Readers should be aware of the following:
This study is commissioned by GitHub and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in GitHub Enterprise Cloud.
GitHub reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
GitHub provided the customer names for the interviews but did not participate in the interviews.
ABOUT FORRESTER CONSULTING
Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.
© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.
https://mainstayadvisor.com/go/mainstay/gdpr/policy.html
PDF