How to avoid costs on Secret Protection?

[shivarammysore]

Select Topic Area

Question

Body

I getting charged $0.61 every day for Secret Protection cost. I don't know why and I don't want it. I went over to each of my 70+ repos and disabled secrets. I am not sure what else should I do - but, I want this charge to be gone.

gh api -X PATCH "repos/$ORG/$REPO" \
    -f security_and_analysis.secret_scanning.status=disabled \
    -f security_and_analysis.secret_scanning_push_protection.status=disabled

Thanks

[bepoooe]

Verify all repositories were updated successfully:

The script you ran might not have successfully updated all repositories
Some repositories might have organization-level overrides

Check organization-level settings:

Secret scanning might be enabled at the organization level
You can disable it organization-wide with:

gh api -X PATCH "orgs/$ORG"
-f security_and_analysis.secret_scanning.status=disabled
-f security_and_analysis.secret_scanning_push_protection.status=disabled

Check for Advanced Security billing:

Navigate to your organization's "Billing and plans" section
Look for "GitHub Advanced Security" usage
Check if any repositories still show as using Secret Scanning

Billing lag:

There might be a delay between disabling the feature and seeing the change reflected in billing
Wait 24-48 hours to see if charges stop

Contact GitHub Support:

If charges continue after confirming all settings are disabled, reach out to GitHub Support
They can investigate if there's a billing issue or remaining active scanning

[shivarammysore]

Thanks @bepoooe for the suggestion. I did apply the same. But, looking at the settings, I can only see these:

  "advanced_security_enabled_for_new_repositories": false,
  "dependabot_alerts_enabled_for_new_repositories": false,
  "dependabot_security_updates_enabled_for_new_repositories": false,
  "dependency_graph_enabled_for_new_repositories": false,
  "secret_scanning_enabled_for_new_repositories": false,
  "secret_scanning_push_protection_enabled_for_new_repositories": false,
  "secret_scanning_push_protection_custom_link_enabled": false,
  "secret_scanning_push_protection_custom_link": null,
  "secret_scanning_validity_checks_enabled": false

The settings in the script provided does not seem to exist. But, I did run it for what it is worth. FYI - I am the owner of this ORG and there is only one member in this ORG.

gh api -X PATCH "orgs/$ORG" -f security_and_analysis.secret_scanning.status=disabled -f security_and_analysis.secret_scanning_push_protection.status=disabled

I will have to wait for a couple of more days to see if this makes any difference.

[mscbuild]

Check for Advanced Security billing:

Navigate to your organization's "Billing and plans" section
Look for "GitHub Advanced Security" usage
Check if any repositories still show as using Secret Scanning

Billing lag:

There might be a delay between disabling the feature and seeing the change reflected in billing
Wait 24-48 hours to see if charges stop

Contact GitHub Support:

[shivarammysore]

In spite of all the configurations, I still see ....

[mscbuild]

This is not an error or a problem, just an informational message.

It means that your organization:

There are no repositories with Secret Protection enabled (searching for and protecting secrets in code, such as API tokens).

There are no repositories with Code Security enabled (such as Code Scanning, Dependabot, and other GitHub Advanced Security features).

Reason:
Although you have purchased and have unlimited GitHub Advanced Security licenses available, you have not yet enabled these features in any of your repositories.

Here's a step-by-step guide on how to enable Secret Protection and Code Security for a repository in GitHub:

✅ 1. Go to the repository
Go to the desired repository in your organization on GitHub.

✅ 2. Open the repository settings
In the top menu, select the ⚙️ Settings tab.

✅ 3. Go to the security section
In the left menu, select:

pgsql
Copy
Edit
Security > Code security and analysis
If the menu is collapsed, expand it.

✅ 4. Enable the desired features
In this section, you will see options that can be enabled:

🔒 Secret scanning
Finds accidentally committed tokens, passwords, and API keys.

Click Enable next to this feature.

🛡️ Code scanning
Automatically analyzes code for vulnerabilities.

Click Set up or Enable.

You can configure the GitHub Actions workflow (codeql-analysis.yml is created automatically).

🔁 Dependabot alerts & updates
Checks dependencies for vulnerabilities.

Enable Dependabot alerts and, if necessary, Dependabot security updates.

✅ 5. Commit and complete setup
Some features (like CodeQL) will require you to create a Pull Request with configuration - just follow GitHub's instructions.

📌 Result
After activation:

GitHub will start using GitHub Advanced Security licenses.

The message This organization has no repositories using ... licenses will disappear.

Reports and alerts will start appearing in the Security section of the repository.

Here are example files to enable two important GitHub Advanced Security features:

🛡️ 1. CodeQL (Code scanning)
Add this workflow file to the repository:

📁 .github/workflows/codeql-analysis.yml

yaml
Copy
Edit
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:

• cron: '0 0 * * 0' # once a week

jobs:
analyze:
name: Analyze code with CodeQL
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
matrix:
language: [ 'javascript', 'python' ] # specify the languages ​​you need

steps:

• name: Checkout repository
  uses: actions/checkout@v3

• name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
  languages: ${{ matrix.language }}

• name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v3
  🔧 Replace javascript, python with the languages ​​you use (e.g. java, go, csharp, etc.).

🔁 2. Dependabot (dependency updater)
Add this config file:

📁 .github/dependabot.yml

yaml
Copy
Edit
version: 2
updates:

• package-ecosystem: "npm" # e.g. npm, pip, maven, etc.
  directory: "/" # path to package.json
  schedule:
  interval: "weekly"
  🔧 Configure for your project:

package-ecosystem: select the desired dependency system (npm, pip, gradle, etc.).

directory: path to the dependency file (/, src/, etc.).

After adding these files and committing to main:

Code scanning and Dependabot will be active.

GitHub will start using Code Security licenses.

Reports will appear in the Security → Code scanning alerts and Dependabot section.

[mscbuild]

🛡️ 1. CodeQL for Node.js and Python
📁 .github/workflows/codeql-analysis.yml

yaml
Copy
Edit
name: "CodeQL"

on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:

• cron: '0 0 * * 0' # weekly on Sundays

jobs:
analyze:
name: Analyze code with CodeQL
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
matrix:
language: [ 'javascript', 'python' ]

steps:

• name: Checkout repository
  uses: actions/checkout@v3

• name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
  languages: ${{ matrix.language }}

• name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v3
  🔁 2. Dependabot for Node.js and Python
  📁 .github/dependabot.yml

yaml
Copy
Edit
version: 2
updates:

• package-ecosystem: "npm"
  directory: "/" # if package.json is in the root
  schedule:
  interval: "weekly"

• package-ecosystem: "pip"
  directory: "/" # if requirements.txt is in the root
  schedule:
  interval: "weekly"
  ✅ What's next:
  Copy these two files to the corresponding .github/workflows/ and .github/ folders.

Commit and push to main:

bash
Copy
Edit
git add .github/
git commit -m "Enable CodeQL and Dependabot"
git push origin main
Go to repository → Security → and make sure that active tools have appeared.

[mscbuild]

Here is an archive with the necessary files to activate CodeQL and Dependabot:
github-security-setup.zip

[mscbuild]

Unzip it to the root of your repository and commit the contents - everything will be ready to run.

[shivarammysore]

Thanks @mscbuild for all the info. But, I just want that secret protection charge to go away. I don't want to enable Secret Protection. I have tried everything that I know of and still getting charged.

[mscbuild]

It sounds like you're being charged for a Secret Protection feature—possibly from a cloud provider like GitHub, AWS, Azure, or another dev-related service—and you want to stop the charges but can't figure out how to fully disable or remove it.

Here's a general step-by-step guide to try and stop the charge:

🔍 1. Identify the Source of the Charge
Check your billing statement to confirm:

The exact service name (e.g., “GitHub Advanced Security – Secret Scanning”).

The provider (e.g., GitHub, AWS, Google Cloud, etc.).

The account or organization the charge is tied to.

🔧 2. GitHub Specific – If That’s the Source
If the charge is from GitHub's Secret Scanning / Advanced Security, here's what to do:

a. Disable GitHub Advanced Security
Go to your organization settings > Security > Code security and analysis.

Under Secret scanning or Advanced Security, disable all checkboxes for each repo.

Do this for each repository (there’s no global off-switch yet).

b. Downgrade Plan (if needed)
Go to Settings > Billing & plans.

Cancel or downgrade any paid plans or features (especially anything related to security scanning or GitHub Advanced Security).

🧾 3. Contact Billing Support
If charges persist, contact the provider’s billing support directly:

GitHub: Submit a billing support ticket

AWS: Use the AWS Billing Console and request support

Others: Use their respective contact forms

Explain that:

You do not want to use Secret Protection / Advanced Security.

You have disabled all related features.

You are still being billed and want the charges removed or refunded.

[shivarammysore]

Thanks @mscbuild .I have already disabled all the security protection related stuff - please refer to the first 2 messages in this discussion. I don't have any automated jobs setup with AWS/GCP, etc. I have raised a support ticket too. Now, I just have to wait for their response.

[mscbuild]

Unfortunately, you'll have to wait.

[jonhubby]

Sometimes, a few slip through if the script doesn’t fully complete. Also, check if secret scanning is still enabled at the organization level, as that can override repo settings. If everything’s off and you're still getting charged after a day or two, it's probably worth reaching out to GitHub Support to make sure nothing's being missed on their end.

[shivarammysore]

For anyone to use - this is the script that I have to disable_secret_protection.sh

#!/bin/bash

# This a script to Disable Secret Scanning in All Affected GitHub Repositories and save $$

ORG="REPLACE_ORG"
echo "🔍 Fetching repositories for organization: $ORG..."

# Fetch all repos (paginated)
REPOS=$(gh api -H "Accept: application/vnd.github+json" \
  "/orgs/$ORG/repos?per_page=100&type=private" --paginate \
  | jq -r '.[] | select(.archived == false and .private == true) | .name')

if [[ -z "$REPOS" ]]; then
  echo "⚠️ No private, non-archived repositories found in organization: $ORG"
  exit 0
fi

echo "🔧 Disabling secret scanning in Organization $ORG ..."
gh api -X PATCH "orgs/$ORG" \
  -f security_and_analysis.secret_scanning.status=disabled \
  -f security_and_analysis.secret_scanning_push_protection.status=disabled \
  >/dev/null 2>&1 \
  && echo "✅ $ORG updated." \
  || echo "⚠️ Failed or not applicable: $ORG"

echo "🔧 Disabling secret scanning in eligible repositories..."

for REPO in $REPOS; do
  echo "🔄 Updating $REPO..."
  gh api -X PATCH "repos/$ORG/$REPO" \
    -f security_and_analysis.secret_scanning.status=disabled \
    -f security_and_analysis.secret_scanning_push_protection.status=disabled \
    >/dev/null 2>&1 \
    && echo "✅ $REPO updated." \
    || echo "⚠️ Failed or not applicable: $REPO"
done

echo "🔍 Final check: Repositories with secret scanning still ENABLED"

for REPO in $REPOS; do
  STATUS=$(gh api "repos/$ORG/$REPO" --jq '.security_and_analysis.secret_scanning.status' 2>/dev/null)
  if [[ "$STATUS" != "disabled" ]]; then
    echo "❗ $REPO -> secret_scanning.status = $STATUS"
  fi
done

STATUS_ORG=$(gh api "orgs/$ORG" --jq '.security_and_analysis.secret_scanning.status' 2>/dev/null)
if [[ "$STATUS_ORG" != "disabled" ]]; then
  echo "❗ $ORG -> secret_scanning.status = $STATUS_ORG"
fi

echo "✅ Script completed."

[mscbuild]

✅ Checklist & Fixes
gh CLI Authenticated?

Ensure you’re authenticated:

bash
 
gh auth status

You need appropriate scopes (e.g. admin:org, repo, security_events) to run these APIs.

Missing or Invalid ORG

You still have ORG="REPLACE_ORG" — you must replace REPLACE_ORG with your actual GitHub organization name.

GitHub API Availability / Errors

Run with verbose/debug:

bash
 
set -x

You can also remove >/dev/null 2>&1 temporarily to see actual error output.

Permissions / API Limitations

Some endpoints (like PATCH orgs/$ORG) require enterprise-level permissions and are not available for all organizations.

Not all organizations allow modifications to security_and_analysis via the API.

.security_and_analysis May Not Exist

For some repos, this field is null unless enabled via UI at least once. You can check:

bash
 
gh api "repos/$ORG/$REPO" | jq .security_and_analysis
Incorrect API Usage

According to the GitHub API docs, the correct way to PATCH security_and_analysis is to send JSON, not form fields (-f).

You should use this syntax:

bash
 
gh api -X PATCH "repos/$ORG/$REPO" \
  -H "Accept: application/vnd.github+json" \
  -H "Content-Type: application/json" \
  -F "$(jq -n '{
    security_and_analysis: {
      secret_scanning: { status: "disabled" },
      secret_scanning_push_protection: { status: "disabled" }
    }
  }')" 

⚠️ However, gh api doesn't handle -F for JSON bodies well. You should instead do:

bash
 
gh api -X PATCH "repos/$ORG/$REPO" \
  -H "Accept: application/vnd.github+json" \
  -H "Content-Type: application/json" \
  --input <(jq -n '{
    security_and_analysis: {
      secret_scanning: { status: "disabled" },
      secret_scanning_push_protection: { status: "disabled" }
    }
  }')

🔧 Suggested Fix: Replace This Line
Instead of:

bash
 
gh api -X PATCH "repos/$ORG/$REPO" \
  -f security_and_analysis.secret_scanning.status=disabled \
  -f security_and_analysis.secret_scanning_push_protection.status=disabled

Use:

bash
 
gh api -X PATCH "repos/$ORG/$REPO" \
  -H "Accept: application/vnd.github+json" \
  -H "Content-Type: application/json" \
  --input <(jq -n '{
    security_and_analysis: {
      secret_scanning: { status: "disabled" },
      secret_scanning_push_protection: { status: "disabled" }
    }
  }')

You’ll need to do the same for the organization-level PATCH if it supports this field.

[mscbuild]

✅ Исправленный скрипт:disable_secret_protection.sh

#!/bin/bash

# This is a script to disable Secret Scanning in all affected GitHub repositories

ORG="REPLACE_ORG"  # TODO: Replace with your GitHub organization name

echo "🔍 Fetching repositories for organization: $ORG..."

# Fetch all repos (paginated)
REPOS=$(gh api -H "Accept: application/vnd.github+json" \
  "/orgs/$ORG/repos?per_page=100&type=private" --paginate \
  | jq -r '.[] | select(.archived == false and .private == true) | .name')

if [[ -z "$REPOS" ]]; then
  echo "⚠️ No private, non-archived repositories found in organization: $ORG"
  exit 0
fi

echo "🔧 Disabling secret scanning at the organization level..."

gh api -X PATCH "orgs/$ORG" \
  -H "Accept: application/vnd.github+json" \
  -H "Content-Type: application/json" \
  --input <(jq -n '{
    security_and_analysis: {
      secret_scanning: { status: "disabled" },
      secret_scanning_push_protection: { status: "disabled" }
    }
  }') \
  && echo "✅ Organization $ORG updated." \
  || echo "⚠️ Failed to update organization-level settings."

echo "🔧 Disabling secret scanning in eligible repositories..."

for REPO in $REPOS; do
  echo "🔄 Updating $REPO..."

  gh api -X PATCH "repos/$ORG/$REPO" \
    -H "Accept: application/vnd.github+json" \
    -H "Content-Type: application/json" \
    --input <(jq -n '{
      security_and_analysis: {
        secret_scanning: { status: "disabled" },
        secret_scanning_push_protection: { status: "disabled" }
      }
    }') \
    && echo "✅ $REPO updated." \
    || echo "⚠️ Failed or not applicable: $REPO"
done

echo "🔍 Final check: Repositories with secret scanning still ENABLED..."

for REPO in $REPOS; do
  STATUS=$(gh api "repos/$ORG/$REPO" --jq '.security_and_analysis.secret_scanning.status' 2>/dev/null)
  if [[ "$STATUS" != "disabled" ]]; then
    echo "❗ $REPO -> secret_scanning.status = $STATUS"
  fi
done

STATUS_ORG=$(gh api "orgs/$ORG" --jq '.security_and_analysis.secret_scanning.status' 2>/dev/null)
if [[ "$STATUS_ORG" != "disabled" ]]; then
  echo "❗ $ORG -> secret_scanning.status = $STATUS_ORG"
fi

echo "✅ Script completed."

🛠️ Requirements
Make sure:

gh CLI is authenticated and authorized with appropriate scopes.

jq is installed (used for JSON processing).

You’ve replaced REPLACE_ORG with your actual organization name.

[ghostinhershell]

Hi @shivarammysore! I see that multiple people in the community have chimed in here but haven't been able to answer your question. The best place to go for answers to account-specific questions like this one is opening a ticket on our Support page. Please open a ticket with them :)

[shivarammysore]

thanks @ghostinhershell I have opened a support ticket for the past 2 days. I also wanted to make sure that I have done everything from my side.

[ghostinhershell]

@shivarammysore Judging from the screenshots that you provided to the other commenters, I would say you have. Support would be able to say for sure if we're missing anything here.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[HoeunPichet]

1. Use Public Repositories
   Secret scanning is free for public repos, so if your code can be open-source, this is the easiest way to avoid charges.

2. Disable Paid Secret Scanning Features on Private Repos
   If you're on a paid plan, you can disable secret scanning alerts for private repositories:

   • Go to Repo Settings → Security & Analysis
   • Turn off:
     • "Secret scanning"
     • "Push protection"

3. Use Git pre-commit hooks (Free Local Scanning)
   Instead of relying on GitHub’s paid push protection:

   • Use tools like git-secrets or gitleaks locally to catch secrets before pushing.

4. Audit Your GitHub Plan

   • Organizations using GitHub Enterprise should check billing reports to see if Secret Scanning is enabled and incurring costs.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[doanhp]

Here's how I did it.

The default for GitHub Configuration for Secret Protection and Code Security is enabled. Check if you have any repos using the security protection. If so, you'll need to disable it in each repo; see pic.

To completely turn it off, you'll need to create a new configuration with both disabled, apply it to all your repos, and enforce it for new repos.

I hope this helps.
Hao

[facundotorraca]

I applied this today. I should see a drop tomorrow?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬