GHSP ROI calculator in the secret risk assessment page (#57188)

Co-authored-by: Sophie <[email protected]>
Co-authored-by: Laura Coursen <[email protected]>

Author: 3 people

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/calculating-the-cost-savings-of-push-protection.md

@@ -0,0 +1,88 @@
+---
+title: Calculating the cost savings of push protection
+shortTitle: Push protection cost savings
+intro: Learn how to use the {% data variables.secret-scanning.roi-calculator %} to estimate the remediation time and labor costs you'll avoid by preventing leaked secrets.
+product: '{% data reusables.gated-features.secret-risk-assessment-calculators %}'
+versions:
+  feature: secret-risk-assessment
+permissions: '{% data reusables.permissions.push-protection-roi-calculator %}'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: how-tos
+---
+
+## What is the cost savings calculator?
+
+You can use the {% data variables.secret-scanning.roi-calculator %} to estimate the cost avoided by preventing leaked secrets with push protection. This information can help you:
+
+* Determine how widely to enable {% data variables.product.prodname_GH_secret_protection %} in your organization.
+* Compare the estimated impact of push protection in different teams or environments.
+* Communicate time and cost implications of rollout decisions to stakeholders.
+
+Push protection is a paid feature which is available with {% data variables.product.prodname_GH_secret_protection %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection).
+
+## Prerequisites
+
+* You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization).
+* You have realistic values for:
+  * Average remediation time per leaked secret (hours)
+  * Average annual developer salary (USD)
+
+## Estimating cost savings from push protection
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. On the top right corner of the banner, click **Get started**.
+1. In the dropdown, select **Estimate push protection savings**.
+1. Review the non-editable value for "Preventable leaks" (P). If 0, a baseline value (such as 70) is shown for modeling purposes.
+1. Enter or adjust the average developer annual compensation (C), in USD.
+   * Use blended fully loaded annual compensation (salary + benefits).
+   * Keep estimates conservative to avoid overstatement.
+1. Enter or adjust the time to remediate each leaked secret (T), in hours. We recommend you use an average remediation time that reflects steps for revoking, rotating, and validating secrets, as well as notifying your teams or customers:
+   * T = 1-1.5 hours for simple rotation, minimal coordination
+   * T = 2-3 hours to account for a distributed team or extra checks
+   * T = 3-4 hours if you work in a regulated / audited environment
+1. Review the outputs from the **Return on investment** panel:
+   * **Secrets prevented**: The number of preventable secrets detected.
+   * **Time saved**: Total hours saved by preventing these secrets, based on your input.
+   * **Potential savings with push protection**: The total estimated labor cost avoided.
+
+{% note %}
+
+Did you successfully use the {% data variables.secret-scanning.roi-calculator %} to estimate the cost savings of using push protection on your organization?
+
+<a href="https://docs.github.io/success-test/yes.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>Yes</span></a>  <a href="https://docs.github.io/success-test/no.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>No</span></a>
+
+{% endnote %}
+
+## Understanding your results
+
+Next, review the results to understand their implications and determine the appropriate scope for rolling out push protection in your organization. Keep the following information in mind as you interpret your results.
+
+The calculator **does**:
+* Estimate savings for **secrets blocked by push protection** only.
+* Base results on your risk assessment and assumptions you provide.
+* Provide estimates based on **labor cost avoidance** only.
+* Provide a modeled baseline for preventable leaks if no secrets were detected in the current scan window.
+
+The calculator does **not**:
+* Include any costs related to data breaches or external impacts. For informational purposes, the cost of a data breach averaged $4.88M in 2024 according to IBM.
+* Include time savings from other {% data variables.product.prodname_GH_secret_protection %} features.
+* Support currencies other than USD.
+
+## Troubleshooting
+
+If you run into problems using the calculator, use the following table to troubleshoot.
+
+| Issue | Action |
+|-------|--------|
+| **Preventable secrets = 0** | When no preventable secrets are detected, the calculator displays a default baseline value (such as 70) for modeling purposes.<br> To replace the baseline with real data, enable push protection on more repositories and allow secret scanning to collect more information. |
+| **Estimated savings shows $5M+** | The calculator is capped at $5M. If your modeled savings exceed this threshold, the value will be displayed as "$5M+" in the UI. To get the precise amount, export your input values (preventable secrets, time to remediate, and developer salary) and replicate the formula in a spreadsheet:</br>`(Secrets prevented) × (Time to remediate) × (Hourly rate)` where hourly rate is calculated as `Salary ÷ 2080`. |
+| **Value seems low** | Review your inputs for time to remediate and average developer compensation. Ensure you have included all steps involved in remediation (such as revoke, rotate, validate, and notify) and that the salary reflects a fully loaded annual cost. |
+| **Value seems high** | Double-check your input values for time to remediate and average compensation to make sure they are realistic and not overstated. Remove any outliers that could be skewing the estimate. |
+
+## Further reading
+
+* [Detecting and Preventing Secret Leaks in Code](https://github.com/resources/whitepapers/secret-scanning-a-key-to-your-cybersecurity-strategy) in  {% data variables.product.github %}'s `resources` repository

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection.md

@@ -27,6 +27,14 @@ To generate a {% data variables.product.prodname_secret_risk_assessment %} repor
 
 {% data variables.product.prodname_secret_protection %} is billed per active committer to the repositories where it is enabled. It is available to users with a {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} plan, see [AUTOTITLE](/billing/managing-billing-for-your-products/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security).
 
+{% ifversion fpt or ghec or ghes > 3.19 %}
+
+{% data variables.product.github %} provides two calculators to help you budget, justify rollout scope, and prioritize which repositories to enable {% data variables.product.prodname_secret_protection %} on first while optimizing license usage. You can estimate:
+* How much you can save by using push protection in repositories in your organization **with the {% data variables.secret-scanning.roi-calculator %}**. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/calculating-the-cost-savings-of-push-protection).
+* How much {% data variables.product.prodname_secret_protection %} will cost you monthly for repositories in your organization **with the {% data variables.secret-scanning.pricing-calculator %}**. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/estimating-the-price-of-secret-protection).
+
+{% endif %}
+
 ## Why you should enable {% data variables.product.prodname_secret_protection %} for 100% of your organization's repositories
 
 {% data variables.product.github %} recommends enabling {% data variables.product.prodname_GH_secret_protection %} products for all repositories, in order to protect your organization from the risk of secret leaks and exposures.  {% data variables.product.prodname_GH_secret_protection %} is free to enable for public repositories, and available as a purchasable add-on for private and internal repositories.

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/estimating-the-price-of-secret-protection.md

@@ -0,0 +1,54 @@
+---
+title: Estimating the price of Secret Protection
+shortTitle: Secret protection pricing
+intro: Learn how to use the {% data variables.secret-scanning.pricing-calculator %} to estimate the monthly cost of {% data variables.product.prodname_GH_secret_protection %} for your repositories.
+product: '{% data reusables.gated-features.secret-risk-assessment-calculators %}'
+versions:
+  feature: secret-risk-assessment
+permissions: '{% data reusables.permissions.push-protection-roi-calculator %}'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: how-tos
+---
+
+## What is the pricing calculator?
+
+You can use the {% data variables.secret-scanning.pricing-calculator %} on the secret risk assessment page to estimate the monthly cost of {% data variables.product.prodname_GH_secret_protection %} for your organization. This tool allows you to preview costs based on your current repositories and active committers, so you can plan for purchase or rollout decisions.
+
+For more information about {% data variables.product.prodname_secret_protection %}, see [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection).
+
+## Prerequisites
+
+You need to have generated a secret risk assessment for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization).
+
+## Estimating the price of {% data variables.product.prodname_secret_protection %}
+
+{% data reusables.organizations.navigate-to-org %}
+{% data reusables.organizations.security-overview %}
+{% data reusables.security-overview.open-assessments-view %}
+1. On the top right corner of the banner, click **Get started**.
+1. In the dropdown, select **Preview cost and enable Secret Protection**.
+1. In the calculator dialog, choose whether to estimate the cost for:
+   * **All repositories**: Includes every repository in your organization.
+   * **Selected repositories**: Choose specific repositories for the estimate.
+   Once you've made your choices, the calculator shows:
+      * The **estimated monthly cost** for your organization.
+      * The **number of {% data variables.product.prodname_secret_protection %} licenses required**, based on active committers in the last 90 days for the selected repositories.
+      * The **per-committer rate** (for example, $19 per active committer).
+1. To proceed with enabling {% data variables.product.prodname_secret_protection %}, click **Review and enable**.
+
+{% note %}
+
+Did you successfully use the {% data variables.secret-scanning.pricing-calculator %} to estimate the cost of using {% data variables.product.prodname_secret_protection %} features on your organization?
+
+<a href="https://docs.github.io/success-test/yes.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>Yes</span></a>  <a href="https://docs.github.io/success-test/no.html" target="_blank" class="btn btn-outline mt-3 mr-3 no-underline"><span>No</span></a>
+
+{% endnote %}
+
+## Understanding your results
+
+* **The {% data variables.secret-scanning.pricing-calculator %} only provides an estimate.** Actual billing is based on the number of active committers in the selected private repositories during the billing period.
+* The calculator **does not include costs for other {% data variables.product.prodname_GHAS %} features**.
+* The calculator **dynamically calculates active committers** for each repository you select. If two repositories share the same number of committers, adding the second repository shows 0 additional committers, because enabling {% data variables.product.prodname_secret_protection %} for one also covers the other. This helps you quickly see the true incremental cost as you select repositories.
+* USD is the only supported currency.

content/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/index.md

@@ -15,4 +15,6 @@ children:
   - /viewing-the-secret-risk-assessment-report-for-your-organization
   - /interpreting-secret-risk-assessment-results
   - /choosing-github-secret-protection
+  - /calculating-the-cost-savings-of-push-protection
+  - /estimating-the-price-of-secret-protection
 ---

data/reusables/gated-features/secret-risk-assessment-calculators.md

@@ -0,0 +1,2 @@
+
+The calculator is available in organizations on {% data variables.product.prodname_team %}, {% data variables.product.prodname_ghe_cloud %}, and {% data variables.product.prodname_ghe_server %} (_For {% data variables.product.prodname_ghe_server %}, from version 3.20 only_).

data/reusables/permissions/push-protection-roi-calculator.md

@@ -0,0 +1 @@
+Organization owners and security managers

data/reusables/secret-protection/product-list.md

@@ -1,6 +1,6 @@
 * **{% data variables.product.prodname_secret_scanning_caps %}**: Detect secrets, for example keys and tokens, that have been checked into a repository and receive alerts.
 
-* **Push protection**: Prevent secret leaks before they happen by blocking commits containing secrets.{% ifversion secret-scanning-ai-generic-secret-detection %}
+* **Push protection**: Prevent secret leaks before they happen by blocking commits containing secrets. {% ifversion fpt or ghec or ghes > 3.19 %} You can calculate how much you can save by using push protection in repositories in your organization with the {% data variables.secret-scanning.roi-calculator %}. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/calculating-the-cost-savings-of-push-protection).{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
 
 * **{% data variables.secret-scanning.copilot-secret-scanning %}**: Leverage AI to detect unstructured credentials, such as passwords, that have been checked into a repository.{% endif %}
 

data/variables/secret-scanning.yml

@@ -13,6 +13,8 @@ custom-pattern-regular-expression-generator-caps: 'Regular expression generator'
 copilot-secret-scanning: 'Copilot secret scanning'
 generic-secret-detection: 'generic secret detection'
 generic-secret-detection-caps: 'Generic secret detection'
+roi-calculator: 'ROI calculator'
+pricing-calculator: 'pricing calculator'
 
 # Secret risk assessment call to action links. If changing the links below, also update the hard-coded link in /code-security/index.md
 secret-risk-assessment-cta-link: '/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/viewing-the-secret-risk-assessment-report-for-your-organization#generating-an-initial-secret-risk-assessment'