Customer Stories
Bringing Security In-House with GitHub Advanced Security
Introduction
A leading U.S. retail company with thousands of stores nationwide set out to strengthen its software security and empower its developers to take full ownership of their codebase. Following a successful migration to GitHub Enterprise Cloud with Xebia, the next step was clear: bring GitHub Advanced Security (GHAS) in-house and make it a measurable driver of business value.
By partnering with Xebia, the company gained hands-on expertise, implemented a standardized security model, and gave its development teams the knowledge, tools, and confidence to manage GHAS independently. Within one month, the organization transformed its approach to software security, unlocking new efficiencies and establishing a foundation for continuous improvement.
At a Glance
Challenge
Limited visibility into security metrics and dependency on external partners for managing GitHub Advanced Security.
Solution
Xebia’s GHAS Adoption Framework combining training, automation, a customized playbook, and Office Hours sessions to internalize expertise and governance.
Results
Five development teams fully trained and certified on GHAS
Standardized security operating model established
Comprehensive GHAS Playbook created for repeatable rollouts
Productivity boosted through automation and developer enablement
The Challenge
After migrating to GitHub Enterprise Cloud, the company wanted to gain deeper visibility and control over its security operations. While GitHub Advanced Security was already in use through an external partner, the internal teams lacked both direct ownership and a full understanding of how to use the tool effectively.
The organization needed to answer critical questions such as how many vulnerabilities were being found and remediated, which teams were most active in resolving them, and how GHAS could contribute to long-term value creation.
“The company was already using GitHub Advanced Security through an external party. With our support, they aimed to bring it in-house, empowering developers to use the tool directly. At the same time, they wanted deeper visibility into its usage and impact,” explains Matthew Olson, Consultant at Xebia.
The Solution
Recognizing that success required both practical knowledge and process standardization, the company partnered with Xebia to implement the GitHub Advanced Security Adoption Framework. The goal was to transfer ownership of GHAS from external vendors to internal teams while ensuring consistent governance, reporting, and automation.
Xebia delivered a comprehensive enablement program covering all aspects of adoption, including training, process documentation, and operational support. The engagement included:
Customized GHAS Training and Bootcamps
Within one month, Xebia designed and delivered fully customized GitHub Advanced Security training for five development teams. The courses combined standard learning materials with client-specific demos and labs that reflected real-world workflows and vulnerabilities.
“We took the excellent base materials, enhanced them with our knowledge and experience, and then created our own training, completely customized to fit the client’s needs,” says Olson.
GitHub Advanced Security Playbook
To ensure the changes were sustainable, Xebia developed a comprehensive GHAS Playbook. The document detailed best practices for automation, escalation paths, RACI structures, decision trees, and templates for future rollouts.
“We got teams up to speed with hands-on training and locked it all down in a playbook, so they have a repeatable, go-to guide whenever they need it,” adds Olson.
Office Hours and Continuous Enablement
Xebia hosted several Office Hours sessions for the security and development teams. These sessions provided an open forum where developers could ask questions, explore advanced features, and resolve challenges in real time. Topics included using the GitHub API, integrating GHAS findings into internal dashboards, and pulling key metrics for reporting on detection and remediation.
The Outcome
By the beginning of 2025, the collaboration had delivered measurable impact. The company successfully transitioned from relying on external partners to managing its own GitHub Advanced Security environment in-house.
Key achievements included:
- A standardized operating model for managing GHAS across the organization.
- Fully trained internal teams with the expertise to handle configuration, scanning, and remediation independently.
- A robust playbook to guide future rollouts and ensure repeatability.
- Improved visibility into vulnerabilities, metrics, and remediation activity.
- Automation scripts that streamlined security workflows and improved productivity.
“We enabled the teams to bring their security in-house while delivering the tools and knowledge needed to maintain momentum long after the engagement,” says Olson.
The engagement also produced a proprietary migration accelerator developed by Xebia during earlier phases of the partnership. This tool has since been reused across multiple enterprise migrations worldwide.
Key Learnings
Strong Partnerships Drive Extended Impact
The long-standing partnership between the retailer and Xebia began with a GitHub migration and expanded organically into advanced security enablement. The trust built through collaboration created a foundation for ongoing innovation and success.
Context-Driven Enablement Delivers More Value
This engagement marked one of Xebia’s first projects to prioritize open Office Hours over prescriptive training. The interactive, question-driven approach proved more valuable, allowing developers to explore real challenges in their environment and apply solutions immediately.
GitHub Advanced Security Is More Extensible Than Expected
One of the biggest takeaways for the client was realizing how adaptable GHAS can be. From integrating findings into dashboards to customizing workflows through APIs, developers gained a new appreciation for the platform’s flexibility.
“That insight really impressed them. It deserves far more visibility,” says Olson.
Looking Ahead
With GHAS now fully managed internally, the company has established a repeatable and scalable model for secure development. Future plans include extending GHAS capabilities to additional teams, deepening automation, and integrating advanced metrics to track ongoing ROI.
By empowering its developers to take ownership of security, the organization has turned GitHub Advanced Security into both a technical safeguard and a strategic business enabler.
Contact