diff --git a/docs/security-testing-orchestration/set-up-scans/shared/sast-scanners.md b/docs/security-testing-orchestration/set-up-scans/shared/sast-scanners.md index cacf7a839fe..29fed9c6313 100644 --- a/docs/security-testing-orchestration/set-up-scans/shared/sast-scanners.md +++ b/docs/security-testing-orchestration/set-up-scans/shared/sast-scanners.md 
@@ -6,9 +6,10 @@ 6. **[Coverity](/docs/security-testing-orchestration/sto-techref-category/coverity-scanner-reference)** - *open-source* 7. **[CodeQL](/docs/security-testing-orchestration/sto-techref-category/codeql-scanner-reference)** 8. **[FOSSA](/docs/security-testing-orchestration/sto-techref-category/fossa-scanner-reference)** -9. **[Mend](/docs/security-testing-orchestration/sto-techref-category/mend-scanner-reference)** (formerly known as WhiteSource) -10. **[Semgrep](/docs/security-testing-orchestration/sto-techref-category/semgrep/semgrep-scanner-reference)** - *open-source option* -11. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-scanner-reference)** -12. **[SonarQube](/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference)** -13. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)** -14. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)** \ No newline at end of file +9. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)** +10. **[Mend](/docs/security-testing-orchestration/sto-techref-category/mend-scanner-reference)** (formerly known as WhiteSource) +11. **[Semgrep](/docs/security-testing-orchestration/sto-techref-category/semgrep/semgrep-scanner-reference)** - *open-source option* +12. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-scanner-reference)** +13. **[SonarQube](/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference)** +14. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)** +15. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)** \ No newline at end of file 
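Review bot: inserting GitHub Advanced Security as item 9 forces a renumber of every following entry (9 to 14 become 10 to 15), so a one-line addition shows up as a seven-line change and any concurrent edit to this shared list will conflict; Docusaurus renders ordered lists correctly when every item is written as `1.`, so consider switching these shared scanner lists to that form (the sca-scanners.md hunk below has the same renumbering churn). The placement itself is right: alphabetically between FOSSA and Mend, and correctly without the *open-source* qualifier the other paid scanners also lack.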
diff --git a/docs/security-testing-orchestration/set-up-scans/shared/sca-scanners.md b/docs/security-testing-orchestration/set-up-scans/shared/sca-scanners.md index c469f64a3ef..066ab565e54 100644 --- a/docs/security-testing-orchestration/set-up-scans/shared/sca-scanners.md +++ b/docs/security-testing-orchestration/set-up-scans/shared/sca-scanners.md 
@@ -1,8 +1,9 @@ 1. **[Aqua Trivy](/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference)** - *open-source* 2. **[Checkmarx](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarx-scanner-reference)** 3. **[Checkmarx One](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarxone-scanner-reference)** -4. **[OSV Scanner](/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference)** - *open-source* -5. **[OWASP Dependency-Check](/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference)** - *open-source* -6. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-code-scanning)** -7. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)** -8. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)** \ No newline at end of file +4. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)** +5. **[OSV Scanner](/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference)** - *open-source* +6. **[OWASP Dependency-Check](/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference)** - *open-source* +7. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-code-scanning)** +8. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)** +9. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)** \ No newline at end of file diff --git a/docs/security-testing-orchestration/set-up-scans/shared/secret-scanners.md b/docs/security-testing-orchestration/set-up-scans/shared/secret-scanners.md index 0afe10f3060..77cd2f64b22 100644 --- a/docs/security-testing-orchestration/set-up-scans/shared/secret-scanners.md 
+++ b/docs/security-testing-orchestration/set-up-scans/shared/secret-scanners.md @@ -1,3 +1,4 @@ 1. **[Aqua Trivy](/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference)** - *open-source* 2. **[Checkmarx One](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarxone-scanner-reference)** -3. **[Gitleaks](/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference)** - *open-source* \ No newline at end of file +3. **[Gitleaks](/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference)** - *open-source* +4. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)** \ No newline at end of file diff --git a/docs/security-testing-orchestration/sto-techref-category/github-advanced-security.md b/docs/security-testing-orchestration/sto-techref-category/github-advanced-security.md new file mode 100644 index 00000000000..52ff4ba1d5f --- /dev/null +++ b/docs/security-testing-orchestration/sto-techref-category/github-advanced-security.md @@ -0,0 +1,149 @@ +--- +title: GitHub Advanced Security step configuration +description: Scan code repositories with GitHub Advanced Security (GHAS). +sidebar_label: GitHub Advanced Security step configuration +sidebar_position: 201 +--- + + + + + +
+
+ +The GitHub Advanced Security (GHAS) step in Harness STO enables you to scan your code repositories from the following GHAS products: + +- **[CodeQL](#codeql) (SAST):** Identify code vulnerabilities. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode). +- **[Dependabot](#dependabot) (SCA):** Detect vulnerable open-source dependencies. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode). +- **[Secret Scanning](#secret-scanning):** Detect exposed secrets such as API keys and tokens. Supported in [**Extraction**](#scan-mode) and [**Ingestion**](#scan-mode). + +:::info +- To run scans as a non-root user, you can use custom STO scan images and pipelines. See [Configure your pipeline to use STO images from private registry](/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/configure-pipeline-to-use-sto-images-from-private-registry). +- STO supports multiple workflows for loading self-signed certificates. See [Run STO scans with custom SSL certificates](/docs/security-testing-orchestration/use-sto/secure-sto-pipelines/ssl-setup-in-sto/#supported-workflows-for-adding-custom-ssl-certificates). +::: + +## GitHub Advanced Security step settings + +The recommended workflow is to add a GitHub Advanced Security step to a **Security** or **Build** stage and configure it as described below. + +### Scan + +#### Scan Mode + +- **Orchestration**: Executes the scan, normalizes, and deduplicates results. Supported for **CodeQL** and **Dependabot**. + :::note + - To comply with [GitHub’s licensing requirements](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security#about-github-advanced-security-products), orchestration scans are uploaded to GitHub and then imported into STO. + - **Orchestration** mode currently supports *Python (pip)* and *JavaScript/TypeScript (npm or yarn)*. 
**Extraction** mode supports all languages available in GHAS. + ::: + +- **Extraction**: Pulls existing results from GitHub APIs (**CodeQL**, **Dependabot**, **Secret Scanning**). +- **Ingestion**: Ingests SARIF files from previously run GHAS scans. + +#### Scan Configuration + +import StoSettingProductConfigName from './shared/step-palette/scan/config-name.md'; + + + +The GitHub Advanced Security step supports the following configurations: +- **[CodeQL](#codeql)** +- **[Dependabot](#dependabot)** +- **[Secret Scanning](#secret-scanning)** + +### CodeQL +You can use **CodeQL** to perform Static Application Security Testing (SAST). For details about CodeQL itself, see the [CodeQL documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql). + +Here are a few important points to note when using CodeQL with **Orchestration mode**: +- The repository must be configured with **Advanced setup** for **CodeQL analysis**. To do this, go to your repository settings, click on **Advanced Security**, then go to **Code scanning** section and select **Advanced setup** for **CodeQL analysis**. If you're using default setup, you must switch to Advanced setup before running scans with Orchestration scan mode. + +For **Extraction mode**, CodeQL works with both **Default** and **Advanced setup**. + +--- + +### Dependabot +You can use **Dependabot** for dependency (SCA) scans. For more information, see the [Dependabot documentation](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). + +Prerequisites for Dependabot scans: +- **Dependabot alerts** must be enabled. To check this, go to your repository settings, select **Advanced Security**, then click on **Enable** for **Dependabot alerts**. +- **Dependabot** with **Orchestration mode** requires a **Docker-in-Docker (DinD)** background step. 
When you configure this step, set the **Entrypoint** to `dockerd-entrypoint.sh` instead of `dockerd`. For setup instructions, go to [Configure Docker-in-Docker (DinD) for your pipeline](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#configuring-docker-in-docker-dind-for-your-pipeline). + +--- + +### Secret Scanning +You can use **Secret Scanning** to detect exposed secrets such as API keys, tokens, or other sensitive values in your repositories. For more details about this feature, see the [Secret Scanning documentation](https://docs.github.com/en/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection). + +Prerequisites for Secret Scanning: +- **Secret protection** must be enabled. To enable this, go to your repository settings, click on **Advanced Security**, then click on **Enable** for **Secret Protection**. + +### Target + +#### Type +import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md'; + + + +#### Name +import StoSettingTargetName from './shared/step-palette/target/name.md'; + + + +#### Variant +import StoSettingTargetVariant from './shared/step-palette/target/variant.md'; + + + +#### Workspace +import StoSettingTargetWorkspace from './shared/step-palette/target/workspace.md'; + + + +### Ingestion File +import StoSettingIngestionFile from './shared/step-palette/ingest/file.md'; + + + +### Authentication + +#### Access Token +import StoSettingAuthAccessToken from './shared/step-palette/auth/access-token.md'; + + + +Use a GitHub fine-grained **Personal Access Token (PAT)** with the following repository permissions: + +| **Scan Mode** | **Permission** | **Level** | +|---------------|--------------------------|---------------| +| **Orchestration** (CodeQL, Dependabot) | Code scanning alerts | Read & Write | +| | Dependabot alerts | Read & Write | +| | Secret scanning alerts | Read & Write | +| **Extraction** 
(CodeQL, Dependabot, Secret Scanning) | Code scanning alerts | Read-only | +| | Dependabot alerts | Read-only | +| | Secret scanning alerts | Read-only | + +Make sure **Repository access** is set to *All repositories* or *Only selected repositories*. + +### Log Level +import StoSettingLogLevel from './shared/step-palette/all/log-level.md'; + + + +### Fail on Severity +import StoSettingFailOnSeverity from './shared/step-palette/all/fail-on-severity.md'; + + + +### Additional Configuration +import ScannerRefAdditionalConfigs from './shared/additional-config.md'; + + + +### Advanced Settings +import ScannerRefAdvancedSettings from './shared/advanced-settings.md'; + + + +## Proxy settings +import ProxySettings from './shared/proxy-settings.md'; + + diff --git a/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md b/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md index 3ca401414ce..77d263429a7 100644 --- a/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md +++ b/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md @@ -1,4 +1,3 @@ - :::info Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can [ingest SARIF 2.1.0 data](/docs/security-testing-orchestration/custom-scanning/ingest-sarif-data) from any tool that supports this format. @@ -26,6 +25,7 @@ Harness recommends that you publish and ingest using the scanner-specific JSON f - **Fortify on Demand** — JSON - **Fossa** — JSON - **Gitleaks** — JSON _(recommended)_, SARIF +- **GitHub Advanced Security** — SARIF - **HQL AppScan** — XML - **Grype** — JSON - **Mend _(formerly Whitesource)_** — JSON 
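Review bot: the PAT table in the Authentication section over-scopes the Orchestration row: it asks for Read & Write on Secret scanning alerts, yet the Scan Mode section states that Orchestration is supported only for CodeQL and Dependabot, so that write permission is never exercised by the step and should be dropped (Read-only at most, if the step also reads existing alerts during import). In the same section, "Make sure Repository access is set to All repositories or Only selected repositories" should recommend Only selected repositories outright; because orchestration results are uploaded to GitHub with this token, a repository-wide token is a real blast radius rather than a convenience. Two smaller points in this hunk: "Ingestion: Ingests SARIF files from previously run GHAS scans" is listed as a supported mode for Secret Scanning, but nothing on the page says how a user obtains a SARIF export of secret scanning alerts, so either document the source of that file or restrict Ingestion to CodeQL and Dependabot; and the Dependabot prerequisite "set the Entrypoint to `dockerd-entrypoint.sh` instead of `dockerd`" gives no reason, so one sentence on why the default entrypoint fails for this scan would save readers a debugging round.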
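Review bot: in secret-scanners.md the new entry is appended as item 4 after Gitleaks, and in sto-supported-ingestion-formats.md the new row `- **GitHub Advanced Security** — SARIF` is likewise placed after Gitleaks; case-insensitive alphabetical order puts GitHub before Gitleaks, which is the order the sast-scanners.md and sca-scanners.md hunks already follow (GHAS between FOSSA and Mend, and between Checkmarx One and OSV Scanner). If these lists are meant to stay sorted, move both entries up one position so the four shared lists are consistent with each other.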
diff --git a/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md b/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md index c6bc17b1c71..8d423377b06 100644 --- a/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md +++ b/docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md @@ -51,6 +51,7 @@ A code scanner can detect one or more of the following issue types in your sourc
  • Fortify on Demand Orchestration, Extraction, Ingestion
  • Fortify Static Code Analyzer Ingestion
  • Fossa Ingestion
  • +
  • GitHub Advanced Security Orchestration, Extraction, Ingestion
  • Mend (formerly WhiteSource) Orchestration, Extraction, Ingestion
  • Nexus IQ Orchestration, Extraction, Ingestion
  • Qwiet AI (formerly ShiftLeft) Orchestration, Extraction, Ingestion
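Review bot: the mode column for the new row reads "Orchestration, Extraction, Ingestion" with no qualifier, while the new reference page limits Orchestration to CodeQL and Dependabot and to Python (pip) and JavaScript/TypeScript (npm or yarn); since this table is the page readers use to decide whether a scanner supports orchestration at all, consider a footnote or a "(limited)" mark on this row, or a cross-link to the Scan Mode section of github-advanced-security.md. Also check whether the page has separate tables for dependency and secret scanners; this hunk only adds the row under the code scanner table, and the step is registered in sca-scanners.md and secret-scanners.md as well.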