GH-500 — GitHub Advanced Security Study Guide

60 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.

About the GH-500 Exam

The Microsoft GitHub Advanced Security (GH-500) certification validates professional expertise in GitHub Advanced Security. This study guide covers all 60 practice questions from our GH-500 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.

Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.

60 Practice Questions & Answers

Q1 Easy

What is the primary purpose of GitHub's secret scanning feature?

  • A To encrypt all repository data at rest
  • B To prevent code from being pushed to public repositories
  • C To monitor user login attempts across GitHub
  • D To identify hardcoded secrets and credentials in repositories before they're exposed ✓ Correct
Explanation

Secret scanning detects credentials and sensitive patterns in code to prevent accidental exposure of API keys, tokens, and passwords.

Q2 Medium

Which of the following best describes the relationship between SARIF and GitHub Advanced Security?

  • A SARIF is used exclusively for authenticating users in GitHub Enterprise
  • B SARIF is a standardized format for expressing static analysis results that GitHub Advanced Security uses to import third-party tool findings ✓ Correct
  • C SARIF is a proprietary GitHub format for storing security analysis results
  • D SARIF prevents code from being merged to main branches
Explanation

SARIF (Static Analysis Results Interchange Format) is an open standard that GitHub Advanced Security uses to ingest and display results from various security scanning tools.

Q3 Medium

When configuring dependency updates with Dependabot, what is the impact of setting the 'insecure-external-code-execution' option to 'deny'?

  • A It prevents Dependabot from running any update checks
  • B It blocks updates for dependencies that require external code execution during the build process ✓ Correct
  • C It disables vulnerability alerts for all npm packages
  • D It encrypts all dependency information in the repository
Explanation

Setting 'insecure-external-code-execution' to 'deny' prevents Dependabot from updating dependencies that would require running untrusted code during installation or compilation.

Q4 Medium

What is the primary difference between CodeQL analysis performed on a schedule versus on pull requests?

  • A Pull request analysis is deprecated and no longer supported by GitHub
  • B Scheduled analysis only runs on Windows runners, while PR analysis runs on Linux
  • C Scheduled analysis requires manual approval before running, while PR analysis runs automatically
  • D Scheduled analysis examines the entire codebase at a point in time, while PR analysis focuses on changed code to provide faster feedback ✓ Correct
Explanation

Scheduled CodeQL scans analyze the entire repository to build a complete picture of vulnerabilities, while PR-based analysis focuses on new or modified code for faster feedback during development.

Q5 Easy

In GitHub Advanced Security, what does the 'severity' label indicate for a code scanning alert?

  • A The potential impact of the vulnerability if exploited, ranging from low to critical ✓ Correct
  • B The version of the programming language where the issue occurs
  • C The cost in credits required to fix the vulnerability
  • D The estimated number of developers affected by the issue
Explanation

Severity levels (low, medium, high, critical) in code scanning alerts indicate the potential impact and risk associated with the identified vulnerability.

Q6 Medium

How does GitHub's secret scanning handle false positives when a non-secret pattern matches a scanning rule?

  • A False positives cannot be handled and require repository deletion
  • B GitHub automatically rewrites matching code to prevent false positives
  • C Administrators can dismiss alerts or mark them as false positives in the security tab ✓ Correct
  • D All matches are automatically deleted from the repository
Explanation

Repository administrators can review secret scanning alerts and dismiss those identified as false positives directly in the repository's security overview.

Q7 Medium

What is the primary advantage of using custom CodeQL queries versus relying only on default queries?

  • A Custom queries automatically fix vulnerabilities without requiring code changes
  • B Custom queries are always faster to execute than default queries
  • C Custom queries allow organizations to detect vulnerabilities specific to their codebase and security policies ✓ Correct
  • D Custom queries eliminate the need for Dependabot entirely
Explanation

Custom CodeQL queries enable detection of organization-specific security patterns, compliance issues, and architectural vulnerabilities beyond what default queries provide.

Q8 Medium

When a secret is detected by GitHub's secret scanning, which of the following actions occurs automatically?

  • A The secret is immediately deleted from the repository history
  • B An alert is created and the secret provider is notified if integration is configured ✓ Correct
  • C All commits containing the secret are reverted
  • D The repository is automatically made private
Explanation

Secret scanning creates an alert in the repository security tab and, where a partner integration is configured, can notify the secret provider when a match is found, allowing the credential to be rotated.

Q9 Medium

What is the role of the 'codeql-action' in GitHub Advanced Security workflows?

  • A It disables CodeQL analysis on pull requests
  • B It is a GitHub Action that initializes, runs, and uploads CodeQL analysis results to GitHub's code scanning service ✓ Correct
  • C It replaces Dependabot completely
  • D It encrypts repository contents before analysis
Explanation

The codeql-action is the primary GitHub Action used to orchestrate CodeQL database creation, analysis execution, and result uploads within CI/CD workflows.

Q10 Medium

How does GitHub Advanced Security handle dependency vulnerabilities discovered after a release has been deployed to production?

  • A The production deployment is automatically rolled back
  • B Dependabot creates alerts and can generate pull requests to update the vulnerable dependency ✓ Correct
  • C They are ignored until the next scheduled scan
  • D The repository is permanently locked from further updates
Explanation

Dependabot continuously monitors dependencies and creates alerts for newly discovered vulnerabilities, allowing teams to respond quickly even for already-deployed versions.

Q11 Hard

What is the significance of the 'default' branch configuration in CodeQL analysis settings?

  • A It determines which branch's code quality metrics are displayed on the main dashboard
  • B It specifies the branch against which PR analysis results are compared for new findings ✓ Correct
  • C It prevents analysis from running on any other branches
  • D It controls which branch's secrets are scanned
Explanation

Configuring the default branch in CodeQL settings establishes the baseline for comparing pull request analysis, helping identify new vulnerabilities introduced by changes.

Q12 Hard

In the context of GitHub Advanced Security, what does 'data flow analysis' in CodeQL primarily detect?

  • A How untrusted or tainted data moves through the codebase and may reach security-sensitive operations ✓ Correct
  • B Performance bottlenecks in the CI/CD pipeline
  • C The version control history of file modifications
  • D The rate at which network packets travel through the repository
Explanation

CodeQL's data flow analysis traces how user input and untrusted data propagate through functions and methods to identify injection vulnerabilities and unsafe operations.

Q13 Easy

What is the primary benefit of enabling 'Dependabot alerts' for a private repository?

  • A It automatically fixes all vulnerabilities without human review
  • B It prevents the repository from being cloned
  • C It notifies maintainers of known security vulnerabilities in dependencies with severity and remediation guidance ✓ Correct
  • D It encrypts all package dependencies
Explanation

Dependabot alerts provide proactive vulnerability notification with detailed information about affected versions and recommended upgrade paths, enabling timely security responses.

Q14 Medium

How can an organization ensure that all code scanning results are reviewed before code is merged to protected branches?

  • A By restricting push access to only administrators
  • B By configuring branch protection rules that require code scanning to pass before merge ✓ Correct
  • C By disabling code scanning entirely
  • D By manually reviewing every commit
Explanation

Branch protection rules can be configured to require code scanning checks to pass, and open alerts to be resolved or dismissed, before pull requests can be merged.

Q15 Medium

What does the 'dismiss' action on a code scanning alert indicate?

  • A The alert cannot be reopened under any circumstances
  • B The alert is closed with a recorded reason (false positive, won't fix, used in tests, etc.) but remains in audit logs ✓ Correct
  • C The vulnerable code is automatically patched
  • D The alert is deleted permanently from all backup systems
Explanation

Dismissing alerts allows teams to acknowledge and categorize resolved or non-actionable findings while maintaining an audit trail of the dismissal decision.

Q16 Hard

In CodeQL, what is the purpose of database creation before query execution?

  • A To encrypt the source code
  • B To create a relational representation of the codebase that queries can analyze efficiently ✓ Correct
  • C To automatically fix security issues
  • D To delete temporary files from the repository
Explanation

CodeQL database creation converts source code into a structured, queryable database that enables complex semantic analysis and vulnerability detection.

Q17 Hard

What is the primary difference between supply chain attacks detected by GitHub Advanced Security and typical dependency vulnerabilities?

  • A Supply chain attacks only affect JavaScript projects
  • B Supply chain attacks are less serious than dependency vulnerabilities
  • C Supply chain attacks involve malicious code introduced through compromised or typosquatted dependencies, while typical vulnerabilities are flaws in legitimate packages ✓ Correct
  • D GitHub Advanced Security only detects one type of vulnerability
Explanation

Supply chain attacks involve intentionally malicious packages or compromised legitimate packages, while dependency vulnerabilities are unintentional flaws in package code.

Q18 Medium

How does GitHub Advanced Security's secret scanning integrate with partner platforms like AWS or Slack?

  • A Integration requires manual notification to each platform
  • B Partner platforms automatically delete secrets without GitHub notification
  • C It does not integrate with external platforms
  • D GitHub can notify partners when their secrets are detected, allowing them to revoke credentials proactively ✓ Correct
Explanation

GitHub's secret scanning supports partner integrations that allow automatic notification to providers (AWS, Slack, etc.) when their credentials are detected, enabling rapid credential rotation.

Q19 Medium

What is the significance of 'confidence' levels in CodeQL alert results?

  • A The confidence level indicates the programming language used in the vulnerable code
  • B It measures the developer's skill level
  • C The confidence level determines the color of the alert in the user interface
  • D It represents GitHub's statistical certainty that the identified pattern represents an actual vulnerability ✓ Correct
Explanation

Confidence levels (low, medium, high) in CodeQL results indicate the probability that the flagged code pattern represents a genuine security vulnerability versus a false positive.

Q20 Medium

When configuring Dependabot version updates, what is the function of the 'allow' field in the dependabot.yml file?

  • A It allows public repositories to be scanned
  • B It prevents all automated dependency updates
  • C It allows administrators to manually approve all updates
  • D It specifies which types of updates (direct, indirect, production, development) Dependabot should create pull requests for ✓ Correct
Explanation

The 'allow' field in dependabot.yml configuration permits fine-grained control over which categories of dependencies receive update pull requests.

Q21 Medium

What is the primary purpose of security advisories in GitHub Advanced Security?

  • A To document and share vulnerability information with the community, allowing dependent projects to assess their risk ✓ Correct
  • B To disable repositories with known vulnerabilities
  • C To prevent all code from being executed
  • D To automatically patch vulnerabilities without approval
Explanation

Security advisories allow maintainers to publicly disclose vulnerabilities in their projects, providing information to downstream consumers about affected versions and remediation steps.

Q22 Hard

How does CodeQL's 'taint tracking' specifically contribute to vulnerability detection?

  • A It tracks user login patterns
  • B It prevents developers from committing untested code
  • C It follows the flow of potentially dangerous data from source to sink to identify unsafe operations like SQL injection or XSS ✓ Correct
  • D It monitors network traffic between repositories
Explanation

Taint tracking in CodeQL identifies when untrusted input reaches sensitive operations without proper validation or sanitization, detecting injection vulnerabilities.

Q23 Hard

In GitHub Advanced Security, what action should be taken when a secret scanning alert is flagged for a credential that has already been committed?

  • A The repository should be deleted
  • B Nothing needs to be done; the credential is safe in a private repository
  • C The commit should be immediately reverted
  • D The credential should be rotated/revoked immediately, and the secret should be removed from commit history using tools like git filter-branch ✓ Correct
Explanation

When a credential is exposed in commit history, it must be revoked immediately and removed from all commits using history rewriting tools, because anything still present in git history remains recoverable.

Q24 Medium

What is the relationship between GitHub Advanced Security and GitHub's default security features?

  • A Advanced Security replaces all default features
  • B They are completely separate services with no overlap
  • C Default features are more comprehensive than Advanced Security
  • D Advanced Security provides additional scanning capabilities (CodeQL, advanced secret scanning, supply chain features) beyond the free dependency alerts and basic scanning ✓ Correct
Explanation

GitHub Advanced Security augments free features with CodeQL code scanning, push protection, and enhanced dependency analysis, available through licensing.

Q25 Hard

How can an organization customize which secret patterns GitHub Advanced Security scans for?

  • A Custom patterns are only available for public repositories
  • B Custom patterns require forking the GitHub repository
  • C Organizations can define custom secret patterns using regular expressions to detect organization-specific credentials or sensitive formats ✓ Correct
  • D Custom patterns cannot be created; only GitHub's default patterns are available
Explanation

GitHub Advanced Security allows organizations to define custom secret scanning patterns via regex to detect proprietary credentials, API keys, or internal formats.

Q26 Easy

What is the primary purpose of GitHub Advanced Security?

  • A To manage user authentication only
  • B To automate deployment pipelines exclusively
  • C To replace all version control functionality
  • D To provide code scanning, secret scanning, and dependency analysis capabilities ✓ Correct
Explanation

GitHub Advanced Security is designed to help identify and fix vulnerabilities in code through code scanning, secret scanning, and dependency analysis features.

Q27 Easy

Which of the following best describes the role of CodeQL in GitHub Advanced Security?

  • A A container registry for storing Docker images
  • B A deployment automation tool for CI/CD pipelines
  • C A query language for analyzing code to find vulnerabilities ✓ Correct
  • D A package manager for JavaScript dependencies
Explanation

CodeQL is a semantic code analysis engine that uses a query language to identify potential security vulnerabilities and coding errors across codebases.

Q28 Medium

When enabling Secret Scanning for a GitHub repository, which of the following is NOT a default pattern that gets scanned?

  • A Custom JavaScript variable names ✓ Correct
  • B Private SSH keys
  • C GitHub personal access tokens
  • D AWS API keys
Explanation

Secret Scanning has predefined patterns for known secret types like API keys, tokens, and SSH keys, but does not scan for generic JavaScript variable names as these are not credentials.

Q29 Medium

What is the relationship between Dependabot and GitHub Advanced Security?

  • A Dependabot is integrated and helps identify vulnerable dependencies automatically ✓ Correct
  • B Dependabot only works with private repositories
  • C Dependabot is a separate service that must be purchased independently
  • D Dependabot is exclusive to GitHub Enterprise Cloud and cannot be used with Advanced Security
Explanation

Dependabot is integrated with GitHub Advanced Security and automatically scans for vulnerable dependencies, creating pull requests to update them when vulnerabilities are found.

Q30 Medium

In the context of Code Scanning with CodeQL, what does a 'query' represent?

  • A A request sent to GitHub's API for repository information
  • B A database search operation performed on a separate server
  • C A configuration file that specifies which files should be ignored during analysis
  • D A set of rules or patterns used to identify potential security issues in code ✓ Correct
Explanation

CodeQL queries are essentially rules that analyze code to identify vulnerabilities, bugs, and other issues. Multiple queries can be combined in query suites to perform comprehensive analysis.

Q31 Medium

Which file should be created in the `.github/workflows` directory to configure Code Scanning with CodeQL?

  • A security.config
  • B scan.yaml or scan.yml ✓ Correct
  • C codeql.json
  • D analysis-settings.md
Explanation

Code Scanning is typically configured using a GitHub Actions workflow file (scan.yaml or scan.yml) placed in the `.github/workflows` directory to automate CodeQL analysis.

Q32 Medium

What is the primary difference between 'push' and 'pull_request' events in a Code Scanning workflow?

  • A There is no functional difference; both scan exactly the same code
  • B Push triggers scanning on direct commits; pull_request triggers scanning on PR branches before merge ✓ Correct
  • C Push events are slower than pull_request events
  • D Pull_request only works with protected branches
Explanation

Using 'push' scans code when commits are pushed directly, while 'pull_request' scans code in PR branches before merging, allowing issues to be caught earlier in the review process.

Q33 Medium

When configuring Secret Scanning, what does enabling 'Push Protection' accomplish?

  • A It prevents secrets from being committed to the repository by blocking pushes ✓ Correct
  • B It masks secrets in the GitHub web interface only
  • C It deletes historical commits containing secrets
  • D It encrypts all secrets in the repository automatically
Explanation

Push Protection uses Secret Scanning patterns to detect and block commits containing secrets before they reach the repository, preventing accidental exposure of sensitive credentials.

Q34 Hard

Which of the following scenarios would require using a custom CodeQL query instead of default queries?

  • A When developers have been trained on secure coding practices
  • B When the repository uses only open-source dependencies
  • C When an organization has specific security policies or vulnerability patterns unique to their codebase ✓ Correct
  • D When scanning a repository smaller than 100KB
Explanation

Custom CodeQL queries are created to detect organization-specific vulnerabilities, coding patterns, or policy violations that default queries don't address.

Q35 Hard

What is the purpose of the 'sarif' format in GitHub Advanced Security?

  • A It is a method for encrypting repository data
  • B It is a programming language for writing secure code
  • C It is a protocol for secure API communication
  • D It is the standard format for uploading code analysis results from external tools to GitHub ✓ Correct
Explanation

SARIF (Static Analysis Results Interchange Format) is a standardized JSON format that allows results from external code analysis tools to be uploaded to GitHub and displayed alongside native scanning results.

Q36 Medium

When a Code Scanning alert is generated, what information should be reviewed to determine its severity?

  • A Only the file name where the alert occurred
  • B The repository size and number of watchers
  • C Only the developer's commit message
  • D The alert rule, the security severity level, and the CWE classification ✓ Correct
Explanation

Code Scanning alerts include the rule that triggered them, a security severity level, and CWE (Common Weakness Enumeration) information to help assess the actual risk and prioritize remediation.

Q37 Medium

Which GitHub Advanced Security feature is specifically designed to prevent accidental exposure of credentials in version control history?

  • A Branch protection rules
  • B Code Scanning with CodeQL
  • C Secret Scanning with Push Protection ✓ Correct
  • D Dependency management
Explanation

Secret Scanning with Push Protection specifically detects and blocks commits containing secrets like API keys and tokens, preventing their accidental exposure in repository history.

Q38 Medium

What is a 'false positive' in the context of Code Scanning, and how should it be handled?

  • A An alert that appears in multiple branches simultaneously
  • B An alert generated by a developer with false credentials
  • C An alert triggered by legitimate code that is not actually vulnerable; should be marked as 'won't fix' or 'false positive' ✓ Correct
  • D An alert that occurs only on weekends
Explanation

False positives are alerts for code that CodeQL flags but which isn't actually vulnerable. These should be marked appropriately in GitHub to reduce noise and help train the analysis engine.

Q39 Medium

In GitHub Advanced Security, what does the 'Dependency graph' feature primarily help identify?

  • A The relationships between code components and their dependencies across the repository ✓ Correct
  • B The pull request review workflow
  • C The commit history and developer contributions
  • D The git branching strategy being used
Explanation

The Dependency graph maps all dependencies in a repository, helping identify which packages are used and enabling vulnerability detection when those dependencies have known issues.

Q40 Hard

When configuring CodeQL analysis for a multi-language repository, what should be considered?

  • A Only the primary language should be analyzed to avoid conflicts
  • B Each language may require different query sets and configuration in the CodeQL workflow file ✓ Correct
  • C CodeQL automatically detects all languages and configures appropriate analysis without manual intervention required
  • D CodeQL can only analyze repositories written in a single programming language
Explanation

Multi-language repositories require careful configuration in the CodeQL workflow to specify which languages to analyze and ensure appropriate query suites are applied to each language.

Q41 Medium

What is the primary benefit of using GitHub Advanced Security with GitHub Actions for continuous security scanning?

  • A It reduces the need for developers to write unit tests
  • B It automatically fixes all identified vulnerabilities
  • C It eliminates the need for code reviews
  • D It provides automated, repeatable security analysis on every push and pull request without manual scanning ✓ Correct
Explanation

Integrating GitHub Advanced Security with Actions enables automated, continuous security analysis that runs consistently on every code change, catching vulnerabilities early in the development process.

Q42 Medium

Which of the following best describes the role of 'severity levels' in Code Scanning alerts?

  • A They control which team members can view the alert
  • B They determine the color of the alert badge in the repository
  • C They automatically assign the alert to a specific developer
  • D They indicate the priority and impact of a potential vulnerability to help with remediation prioritization ✓ Correct
Explanation

Severity levels (note, warning, error) in Code Scanning alerts help teams prioritize which vulnerabilities to address first based on potential business and security impact.

Q43 Hard

When using CodeQL, what is the purpose of the 'CodeQL database'?

  • A It is an intermediate representation of the source code that CodeQL queries analyze to identify vulnerabilities ✓ Correct
  • B It stores all GitHub user credentials and access tokens
  • C It is a backup copy of the repository for disaster recovery
  • D It tracks all changes made to the codebase over time
Explanation

The CodeQL database is created during analysis by extracting and structuring information from the source code, allowing CodeQL queries to efficiently search for vulnerability patterns.

Q44 Hard

How should an organization handle a Secret Scanning alert for an exposed API key?

  • A Immediately rotate the compromised key and remove it from the repository history if possible ✓ Correct
  • B Wait until the key is used maliciously before taking action
  • C Change only the password associated with the key
  • D Mark it as 'resolved' in GitHub without taking action
Explanation

When a secret is exposed through Secret Scanning, it should be immediately revoked/rotated and removed from repository history using tools like git-filter-repo to prevent unauthorized access.

Q45 Medium

What is the relationship between GitHub Advanced Security and GitHub Enterprise Cloud?

  • A GitHub Advanced Security requires GitHub Enterprise Server and cannot be used with Cloud
  • B GitHub Advanced Security is available on both public and private repositories for organizations with appropriate licensing ✓ Correct
  • C GitHub Advanced Security is only available as part of GitHub Enterprise Cloud
  • D GitHub Advanced Security features are identical regardless of GitHub plan
Explanation

GitHub Advanced Security is available through separate licensing and can be enabled for eligible repositories on both GitHub.com and GitHub Enterprise Cloud, not just on Enterprise Server.

Q46 Hard

When reviewing Code Scanning alerts, which CWE (Common Weakness Enumeration) would most commonly relate to SQL injection vulnerabilities?

  • A CWE-352 (Cross-Site Request Forgery)
  • B CWE-434 (Unrestricted Upload of Dangerous File)
  • C CWE-89 (SQL Injection) ✓ Correct
  • D CWE-79 (Cross-site Scripting)
Explanation

CWE-89 specifically identifies SQL Injection weaknesses, while other CWEs address different vulnerability categories like XSS (CWE-79) or CSRF (CWE-352).

Q47 Medium

What configuration option allows GitHub Advanced Security to scan only specific code paths in a repository?

  • A Manually selecting files through the GitHub web interface for each analysis
  • B Asking developers to only commit changes to monitored directories
  • C Creating a separate repository for each code path
  • D Using 'paths' or 'paths-ignore' in the Code Scanning workflow to include or exclude specific directories ✓ Correct
Explanation

GitHub Actions workflows can use 'paths' and 'paths-ignore' filters to control which files trigger Code Scanning analysis, allowing targeted security scanning of critical code areas.

Q48 Hard

How does GitHub Advanced Security handle dependency scanning for indirect dependencies?

  • A It requires manual configuration for each indirect dependency
  • B It only scans direct dependencies listed in package.json or requirements.txt
  • C Indirect dependencies cannot be scanned and must be monitored separately
  • D It analyzes the entire dependency tree including transitive dependencies to identify vulnerabilities at any level ✓ Correct
Explanation

Dependabot and the Dependency graph scan the complete dependency tree, including indirect (transitive) dependencies, to identify vulnerabilities that could affect the application even through deep dependency chains.

Q49 Hard

When implementing Secret Scanning across an organization, what is the recommended approach for handling existing secrets in repository history?

  • A Conduct an audit using Secret Scanning to identify existing secrets, then use tools like git-filter-repo to remove them and rotate credentials ✓ Correct
  • B Ignore historical secrets and only focus on preventing new ones
  • C Create a separate repository containing all historical secrets for reference
  • D Publicly disclose all found secrets to ensure transparency
Explanation

Best practice involves scanning existing repositories to identify exposed secrets, removing them from history using appropriate tools, and rotating all exposed credentials to prevent unauthorized access.

Q50 Hard

What is the significance of the 'CodeQL CLI' for organizations implementing GitHub Advanced Security?

  • A It allows local CodeQL analysis and database creation before pushing to GitHub, enabling faster feedback and custom integration scenarios ✓ Correct
  • B It cannot be used with GitHub.com repositories
  • C It is only available to GitHub Enterprise Server customers
  • D It replaces the need for GitHub Actions in security scanning
Explanation

The CodeQL CLI enables developers to run CodeQL analysis locally, create databases, and test custom queries before committing, supporting a 'shift-left' security approach.

Q51 Easy

When configuring branch protection rules in GitHub Advanced Security, what is the primary purpose of requiring code reviews before merging?

  • A To ensure at least one other developer has reviewed the code for security vulnerabilities and quality ✓ Correct
  • B To prevent any commits from being made to protected branches
  • C To log all merge activities for compliance auditing purposes
  • D To automatically scan all pull requests using SAST tools
Explanation

Code reviews are a critical security control that enables peer review of changes before they are merged, helping catch vulnerabilities and maintain code quality standards.

Q52 Easy

Which GitHub Advanced Security feature allows you to identify and track dependencies with known vulnerabilities across your repositories?

  • A GitHub Actions continuous integration workflows
  • B Repository Settings Dashboard
  • C Dependabot alerts and vulnerability scanning ✓ Correct
  • D Branch protection rule enforcement
Explanation

Dependabot is GitHub's native dependency management tool that automatically detects vulnerable dependencies and can create pull requests to update them to patched versions.

Q53 Hard

You are reviewing a secret scanning alert that detected a hardcoded AWS access key in a commit from three weeks ago. What is the most critical immediate action you should take?

  • A Immediately revoke the compromised credential and rotate it with a new one, then audit its usage in CloudTrail ✓ Correct
  • B Document the finding in your security log for future reference
  • C Create a GitHub issue to track remediation efforts over the next quarter
  • D Wait for the next security review cycle to address the issue systematically
Explanation

When a credential is exposed in version control, it must be immediately revoked to prevent unauthorized access, and usage should be audited to detect any malicious activity during the exposure window.

Q54 Medium

In the context of GitHub Advanced Security, what does SAST stand for and what is its primary function?

  • A Static Application Security Testing; analyzes source code without executing it to identify vulnerabilities ✓ Correct
  • B Secure Automated Software Testing; performs runtime testing of application behavior
  • C Security Assessment and Scanning Tool; validates infrastructure compliance
  • D Source Authentication and Signature Testing; verifies commit signatures and author identity
Explanation

SAST tools like CodeQL in GitHub analyze source code statically to identify potential vulnerabilities, coding flaws, and security issues without needing to run the application.

Q55 Hard

You need to enable Code Scanning for a repository, but you want to use a custom CodeQL query to detect a specific pattern relevant to your organization. What is the correct approach?

  • A Export the default CodeQL rules and manually integrate them into your CI/CD pipeline instead of using GitHub Actions
  • B Contact GitHub Support to add your custom query to the global CodeQL database
  • C Create a custom CodeQL query in your repository and reference it in your GitHub Actions workflow configuration file ✓ Correct
  • D Modify the default CodeQL query library files directly in the GitHub Actions environment
Explanation

GitHub allows organizations to create and maintain custom CodeQL queries within their repositories and reference them in GitHub Actions workflows via the `queries` parameter in the CodeQL action.

Q56 Medium

When interpreting Code Scanning results, what does a 'high' severity rating typically indicate?

  • A The vulnerability affects a rarely-used code path and has low business impact
  • B The finding requires multiple exploitation steps and authenticated access to trigger
  • C The vulnerability could allow an attacker to execute arbitrary code or gain unauthorized access with minimal complexity ✓ Correct
  • D The issue is a style or best-practice violation that does not pose immediate security risk
Explanation

High severity vulnerabilities indicate a significant security risk, typically allowing code execution, privilege escalation, or unauthorized data access with relatively low exploitation effort.

Q57 Medium

Which of the following best describes the relationship between GitHub Advanced Security and supply chain security?

  • A Advanced Security protects against supply chain attacks by securing dependencies, managing secrets, and controlling code integrity throughout the development lifecycle ✓ Correct
  • B Advanced Security is a supply chain tool that focuses only on third-party library management and has no code analysis capabilities
  • C Supply chain security is handled exclusively by container registry scanning and does not involve GitHub
  • D They are completely separate concerns; Advanced Security only addresses code vulnerabilities
Explanation

GitHub Advanced Security is integral to supply chain security through Dependabot for dependency management, secret scanning to prevent credential compromise, and code scanning to ensure code quality.

Q58 Medium

An organization has enabled secret scanning on all repositories but wants to prevent false positives for test credentials. What is the recommended approach to handle legitimate non-production secrets?

  • A Use environment variables and GitHub Secrets for non-production credentials, and configure custom patterns to exclude test-related secret formats ✓ Correct
  • B Store all test credentials in plaintext files marked with special comments that secret scanning will ignore
  • C Disable secret scanning entirely and use manual code review instead
  • D Push all test secrets to a separate 'test-secrets' branch that is excluded from secret scanning
Explanation

Best practice is to use GitHub's native Secrets feature for legitimate credentials and configure custom secret patterns to reduce false positives while maintaining security.

Q59 Medium

When using GitHub's push protection feature (part of Advanced Security), at what point in the development workflow does it prevent credential exposure?

  • A At the commit stage, before code is pushed to any remote repository ✓ Correct
  • B During the build process in GitHub Actions, before deployment
  • C During code review, before the pull request is merged
  • D After deployment to production, triggering an automatic rollback
Explanation

Push protection prevents developers from pushing commits containing secrets to any GitHub repository by blocking the push at the git level, the earliest possible intervention point.

Q60 Hard

In a mature GitHub Advanced Security implementation, how should security alerts from multiple features (Code Scanning, Dependabot, Secret Scanning) be prioritized for remediation?

  • A By alert creation date, addressing oldest vulnerabilities first
  • B Equally across all alert types, allocating equal resources to each category regardless of risk profile
  • C By the alphabetical order of repository names to ensure fairness across teams
  • D By severity, CVSS score, affected component criticality, and exploitability, focusing on high-risk items affecting production-critical code ✓ Correct
Explanation

Effective vulnerability management prioritizes by risk: high-severity findings in critical components that are easily exploitable should be addressed first, not arbitrary criteria.
