The GitHub Advanced Security Certification Practice Test Ultimate Exam helps IT professionals and developers prepare for GitHub security-focused certification assessments. The exam covers code scanning, secret scanning, dependency management, DevSecOps principles, vulnerability remediation, CI/CD security, compliance practices, and repository protection strategies. It strengthens practical cybersecurity skills within software development environments.
Typology: Exams
Question 1. Which GitHub Advanced Security (GHAS) feature listed here depends on a GHAS license rather than being available at no cost? A) Dependabot alerts B) Secret scanning for public repos C) Code scanning with CodeQL D) Push protection for private repositories Answer: D Explanation: Dependabot alerts are free on every repository, and public repositories get secret scanning, push protection and CodeQL code scanning at no cost. Secret scanning and push protection on private and internal repositories require a GHAS license, which makes D the only option tied to paid licensing. Note that the older framing of this question, that public repositories cannot block pushes, is outdated: GitHub made push protection available to public repositories in 2023.
Question 2. In the GHAS security ecosystem, which role best describes its position relative to traditional DevSecOps tooling? A) Replacement for all CI/CD security checks B) Complementary layer that integrates early security feedback into developers’ workflow C) Stand-alone audit performed after release D) Tool that only monitors production environments Answer: B Explanation: GHAS is designed to embed security early (shift-left) while still working alongside other DevSecOps tools, providing continuous feedback rather than replacing them.
Question 3. Where can an organization view aggregate vulnerability trends across all its repositories? A) Repository Settings → Security & analysis B) Organization → Security overview dashboard C) Enterprise → Billing → Security usage D) Personal profile → Security alerts Answer: B Explanation: The organization-level Security overview dashboard aggregates alerts, secret scanning findings, and CodeQL results across all repositories in the organization.
Question 4. Which practice most directly shifts security “left” using GHAS? A) Running CodeQL scans only on release branches B) Enabling Dependabot security updates on default branches C) Reviewing alerts after a product launch D) Applying security policies only to archived repositories Answer: B
Answer: B Explanation: When secret scanning is enabled, GitHub automatically scans the full commit history to identify any previously committed secrets.
Question 7. Which of the following best describes the workflow when Push Protection blocks a commit containing a secret? A) The commit is accepted but marked as vulnerable B) The push is rejected, and the developer receives a UI warning with remediation steps C) The secret is automatically removed from the commit and the push proceeds D) The repository is locked until an admin reviews the push Answer: B Explanation: Push Protection prevents the push, displays a warning, and provides guidance on rotating the secret and committing a clean version.
Question 8. When GitHub verifies the validity of a detected AWS secret key, what does it check? A) Whether the key matches a known pattern only B) Whether the key is still active in the AWS account via an API call C) Whether the key is longer than 20 characters D) Whether the key appears in the repository's README file Answer: B Explanation: GitHub performs a validity check by contacting the provider (here AWS) to see whether the key is still active, so live credentials can be prioritized for rotation over ones that have already been revoked.
Question 9. Which method allows an organization to scan for proprietary tokens not covered by GitHub's built-in patterns? A) Enabling the "Enterprise secret scanning" toggle only B) Defining custom regular-expression patterns in secret scanning settings (at repository, organization or enterprise level) C) Relying on Dependabot alerts for custom tokens D) Using CodeQL queries to locate secrets Answer: B Explanation: A custom pattern is a regular expression for the secret format, optionally with "before secret" and "after secret" expressions that anchor the match so it does not fire inside longer identifiers. Patterns can be dry-run against existing content before publishing; once published they raise alerts and, if enabled, also participate in push protection. CodeQL analyses code, not credentials, and Dependabot looks at dependencies.
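As an added example (not part of the exam and not GitHub's own tooling), the following shell script emulates a custom pattern locally with grep -E so the expression and its boundary requirements can be tried against sample lines before the pattern is published. The token format (acme_ followed by exactly 32 base62 characters) and the sample lines are constructed for illustration and do not describe any real product.

```shell
#!/bin/sh
# Added example: test a candidate custom secret scanning pattern locally.
#
# Hypothetical internal token format assumed here: "acme_" plus 32 base62
# characters. In GitHub's custom pattern editor this would be the "secret
# format" field; BEFORE and AFTER play the role of the "before secret" and
# "after secret" fields that stop the pattern matching inside longer strings.
ACME_SECRET_FORMAT='acme_[A-Za-z0-9]{32}'
BEFORE='(^|[^A-Za-z0-9_])'   # start of line or a non-identifier character
AFTER='($|[^A-Za-z0-9_])'    # end of line or a non-identifier character

# scan_for_tokens: print each distinct token found on stdin, one per line.
scan_for_tokens() {
    # The boundary characters are part of the grep match, so strip them off
    # and keep only the token itself before de-duplicating.
    grep -oE "${BEFORE}${ACME_SECRET_FORMAT}${AFTER}" \
        | sed -E 's/^[^a]*(acme_[A-Za-z0-9]{32}).*$/\1/' \
        | sort -u
}

# Constructed sample input: two valid tokens, one that is too short, one that
# is embedded in a longer identifier (must not match), and a duplicate.
sample_input() {
    cat <<'EOF'
ACME_API_KEY=acme_k7Fq2nX9pLr3Tz8VbW1yJc5HdM0sQaE4
export TOKEN="acme_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
# placeholder, too short to be a real token: acme_0123456789
fooacme_k7Fq2nX9pLr3Tz8VbW1yJc5HdM0sQaE4bar
ACME_API_KEY=acme_k7Fq2nX9pLr3Tz8VbW1yJc5HdM0sQaE4
EOF
}

# count_tokens: number of distinct tokens in the sample input.
count_tokens() {
    sample_input | scan_for_tokens | wc -l | tr -d ' '
}

echo "distinct tokens found: $(count_tokens)"
sample_input | scan_for_tokens
```

The embedded-identifier line shows why the boundary expressions matter: without BEFORE and AFTER the same format would match inside `fooacme_...bar` and generate a false positive, which is exactly the noise a dry run is meant to catch before developers start seeing blocked pushes.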
Question 10. After a secret is exposed and a push is blocked, what is the recommended immediate action? A) Delete the offending commit only B) Revoke the secret, rotate it, and then purge it from Git history C) Rename the repository to hide the secret D) Disable secret scanning temporarily
D) There is no distinction; all are treated the same Answer: B Explanation: Direct dependencies are declared in manifest files (e.g., package.json), while transitive dependencies are resolved from lockfiles (e.g., package-lock.json) and shown in the graph.
Question 13. Which source powers Dependabot alerts for known vulnerabilities? A) NPM audit only B) GitHub Advisory Database, which aggregates data from multiple CVE feeds and security advisories C) Manual entry by repository owners D) Third-party scanning tools only Answer: B Explanation: Dependabot alerts draw from the GitHub Advisory Database, a curated collection of vulnerability data from CVE, OSV, and vendor advisories.
Question 14. What does the severity level "critical" indicate in a Dependabot alert? A) The vulnerability is only exploitable on Windows B) The issue has a CVSS score of 9.0–10.0 and may lead to remote code execution or data loss C) The package is deprecated but not vulnerable D) The vulnerability has been patched in a future version Answer: B Explanation: "Critical" denotes the highest severity, typically corresponding to a CVSS score of 9.0–10.0 and indicating severe impact such as remote code execution.
Question 15. When configuring Dependabot version updates, which setting determines how often pull requests are opened? A) schedule.interval (e.g., daily, weekly, monthly) in the .github/dependabot.yml file B) Repository size limit C) Number of collaborators D) Default branch protection rules Answer: A Explanation: The schedule.interval field in dependabot.yml controls how often Dependabot checks for new releases and opens version-update pull requests. Dependabot security updates are not governed by this schedule: they are enabled with a repository or organization setting rather than in dependabot.yml, and a security-update PR is opened as soon as an alert with an available fix is raised.
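Added example, not taken from the exam: a shell script that writes a minimal dependabot.yml and reads back the schedule.interval it sets, the way a repository policy job might confirm the agreed cadence. The ecosystem, directory and interval values are illustrative assumptions; the keys are the documented Dependabot configuration keys, and nothing here affects security updates, which have no schedule.

```shell
#!/bin/sh
# Added example: generate a .github/dependabot.yml and verify its interval.
# The interval applies to version updates only; security updates are opened
# as soon as a matching advisory with a fix exists.

# dependabot_config ECOSYSTEM DIRECTORY INTERVAL
# Print a dependabot.yml for one package ecosystem. The values passed in at
# the bottom (npm, "/", weekly) are illustrative, not a real project.
dependabot_config() {
    cat <<EOF
version: 2
updates:
  - package-ecosystem: "$1"
    directory: "$2"
    schedule:
      interval: "$3"            # daily, weekly or monthly
    open-pull-requests-limit: 5 # cap concurrent version-update PRs
    groups:
      minor-and-patch:          # batch minor/patch bumps into one PR
        update-types: ["minor", "patch"]
EOF
}

# config_interval: print the first schedule interval found in a config on stdin.
config_interval() {
    sed -nE 's/^[[:space:]]*interval:[[:space:]]*"?([a-z]+)"?.*$/\1/p' | head -n 1
}

# validate_interval: succeed only for the long-standing values Dependabot
# accepts, so a CI policy check rejects a typo before Dependabot silently
# stops scheduling updates.
validate_interval() {
    case "$1" in
        daily|weekly|monthly) return 0 ;;
        *) echo "unsupported schedule.interval: '$1'" >&2; return 1 ;;
    esac
}

workdir=$(mktemp -d)
mkdir -p "$workdir/.github"
dependabot_config npm / weekly > "$workdir/.github/dependabot.yml"
interval=$(config_interval < "$workdir/.github/dependabot.yml")
validate_interval "$interval"
echo "wrote $workdir/.github/dependabot.yml (version updates: $interval)"
```

If the file is missing entirely, security updates still work once enabled in settings; only version updates need dependabot.yml, which is the distinction the question turns on.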
Question 18. If a vulnerability has no available fix, what is the recommended GHAS response? A) Ignore the alert permanently B) Keep the alert open (or dismiss it with a documented reason such as "Risk is tolerable for this project"), record a mitigation, and re-check when a patched release appears C) Delete the vulnerable package from the repository history D) Downgrade the severity to "low" Answer: B Explanation: GitHub has no "unfixable" state. Dependabot alerts offer a fixed set of dismissal reasons (a fix has already been started, no bang for the buck, risk is tolerable for this project, the alert is inaccurate or incorrect, vulnerable code is not actually used) and record who dismissed the alert and why, so the decision is auditable and the alert can be reopened when a fix ships. Rewriting history or lowering the severity hides the risk without reducing it.
Question 19. How does CodeQL treat source code for analysis? A) As a compiled binary only B) As a set of data objects that can be queried with a relational-like language C) As plain text without any abstraction D) As a series of regular-expression matches Answer: B Explanation: CodeQL models code as a database of facts (AST nodes, control flow, data flow) that can be queried using a specialized query language.
Question 20. Which of the following languages is considered “interpreted” for CodeQL analysis, affecting the way databases are generated? A) C++ B) Java C) JavaScript D) Go Answer: C Explanation: JavaScript is interpreted; CodeQL creates a database from the source without a separate compilation step, unlike compiled languages such as C++ or Go.
Question 21. When should a CodeQL scan be triggered to best align with a typical CI workflow? A) Only on manual workflow dispatch B) On every push to any branch, on pull_request events, and optionally on a scheduled basis C) Only when a release tag is created D) Only after a merge to main Answer: B Explanation: Triggering on push, pull_request, and on a schedule ensures continuous analysis of new code, PRs, and periodic full scans.
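Added example, not from the exam: a shell function that emits a CodeQL workflow with the three trigger kinds the question describes, plus a small awk filter that lists the events under `on:` so a repository policy check can confirm them. The branch name, cron expression and language matrix are illustrative assumptions; the action names, versions and the `permissions` block follow GitHub's published CodeQL workflow template.

```shell
#!/bin/sh
# Added example: a CodeQL workflow triggered on push, pull_request and a
# weekly schedule, and a check that those triggers are present.

# codeql_workflow: print the workflow file. Branches, cron and languages are
# assumptions for illustration. The quoted heredoc keeps ${{ }} literal.
codeql_workflow() {
    cat <<'EOF'
name: "CodeQL"

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "30 3 * * 1"   # weekly full scan, Monday 03:30 UTC

permissions:
  contents: read
  security-events: write   # required to upload SARIF results
  actions: read            # required for workflows in private repositories

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: ["javascript-typescript", "python"]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
EOF
}

# workflow_triggers: print the event names directly under "on:" in a
# workflow read from stdin (two-space indented keys, until the next
# top-level key).
workflow_triggers() {
    awk '
        /^on:/                 { in_on = 1; next }
        in_on && /^[^ ]/       { exit }
        in_on && /^  [a-z_]+:/ { sub(/^  /, ""); sub(/:.*/, ""); print }
    '
}

# has_upload_permission: succeed if the workflow can upload code scanning
# results, the most common reason a CodeQL job runs but no alerts appear.
has_upload_permission() {
    grep -q '^  security-events: write' 
}

echo "triggers: $(codeql_workflow | workflow_triggers | tr '\n' ' ')"
codeql_workflow | has_upload_permission && echo "can upload SARIF: yes"
```

The pull_request trigger gives developers findings on the branch before merge, push keeps the default branch's alert state current, and the schedule catches issues introduced by new or updated queries in code that has not changed.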
Question 24. Which command creates a CodeQL database for a JavaScript project using the CLI? A) codeql database create db --language=javascript B) codeql run analysis C) codeql pack install D) codeql query run Answer: A Explanation: `codeql database create <db-dir> --language=javascript` extracts the source tree (the current directory unless `--source-root` is given) into a database that `codeql database analyze` then runs queries against. Interpreted languages need no build step; compiled languages require a build CodeQL can observe, supplied with `--command` or a supported build mode.
Question 25. In the CodeQL UI, what does the "source → sink" path represent? A) The ordering of files in the repository B) The data flow from a potentially tainted input (source) to a vulnerable operation (sink) C) The sequence of commit authors D) The network latency between GitHub servers Answer: B Explanation: "Source → sink" visualizes how tainted data can travel through the code to reach a dangerous operation, helping developers locate the root cause.
Question 26. How can an organization enable GHAS features across all repositories at once? A) By editing each repository's settings manually B) By creating a security configuration in the organization's Code security settings and applying it to all repositories C) By creating a personal access token for each repo D) By disabling branch protection Answer: B Explanation: Security configurations bundle GHAS settings (secret scanning, push protection, code scanning default setup, Dependabot alerts and updates) and can be applied to every existing repository and set as the default for new ones. Repository rulesets enforce merge requirements such as required status checks, but they do not turn GHAS features on.
Question 27. Which rule in a repository ruleset would prevent merges that do not pass a CodeQL scan? A) required_status_checks with the CodeQL check name B) A merge-method setting that disables squash merging C) required_linear_history set to true D) block_fork_syncing set to true
D) By emailing GitHub support Answer: B Explanation: GitHub's API exposes alert data that can be scripted, paginated and exported for audits: the REST API has organization-level endpoints (`/orgs/{org}/dependabot/alerts`, `/orgs/{org}/secret-scanning/alerts`, `/orgs/{org}/code-scanning/alerts`), and the GraphQL API exposes Dependabot alerts through a repository's `vulnerabilityAlerts` connection.
Question 30. In GHAS licensing, what constitutes a “seat” that consumes a license? A) Every repository in the organization B) Each active commit author (committer) who pushes code to a repository with GHAS enabled C) Each GitHub Actions runner D) Only enterprise owners Answer: B Explanation: GHAS licenses are counted per active committer who contributes to repositories where GHAS features are enabled.
Question 31. Which filter combination would show only open secret scanning alerts whose secret is still live? A) is:open validity:inactive B) is:open validity:active C) type:dependabot D) is:closed Answer: B Explanation: Secret scanning alerts carry a validity-check result rather than a severity. `validity:active` keeps only secrets GitHub confirmed still work against the provider, and `is:open` excludes alerts that have already been resolved; these are the credentials to rotate first.
Question 32. How can a team keep dependency security gates from becoming CI pipeline bottlenecks? A) Disable all status checks B) Gate only on high and critical findings, for example by setting `fail-on-severity: high` in the dependency review action and making that check required in branch protection or a ruleset C) Delete the alerts automatically after 1 hour D) Turn off Dependabot Answer: B Explanation: Dependabot alerts never block a pipeline by themselves; the blocking mechanism is a required status check such as the dependency review action, whose fail-on-severity input sets the threshold. Lower-severity findings still appear as alerts and in the pull request for follow-up, so the gate stays fast without hiding risk.
Question 33. When dismissing a CodeQL alert as “Used in Tests,” what does this indicate? A) The flagged pattern only occurs in test code and does not affect production logic
B) They automatically rotate compromised secrets C) They replace the need for Dependabot D) They make the repository public Answer: A Explanation: Custom patterns let organizations tailor detection to their own token structures, improving accuracy and reducing noise.
Question 36. Which of the following describes push protection bypass? A) A permanent exemption for a user to push secrets without warnings B) Letting a developer push the flagged commit anyway after giving a reason (false positive, used in tests, or will fix later), with the bypass recorded as an alert and in the audit log; organizations can instead require approval through delegated bypass C) A way to disable secret scanning for the entire organization D) An API key for GitHub Actions Answer: B Explanation: There is no bypass "token". Push protection is a gate with an accountable escape hatch: the developer must state why the push should proceed, the pushed secret still becomes an open alert, and with delegated bypass the request goes to a designated reviewer group before the push is allowed.
Question 37. In Dependabot alerts, what does the "fixed in version" field indicate? A) The version where the vulnerability was first introduced B) The version that contains a patch resolving the vulnerability C) The version of Dependabot itself D) The version of GitHub Enterprise Answer: B Explanation: "Fixed in version" tells developers the minimal version of the package that includes the security fix.
Question 38. Which statement best explains why transitive dependencies can be a security risk? A) They are never scanned by GHAS B) They may introduce vulnerabilities that are not directly declared in the project’s manifest, making them easy to overlook C) They are always outdated D) They are only used in test environments Answer: B Explanation: Transitive dependencies are pulled in automatically and can contain vulnerabilities that developers may not be aware of, requiring tools like Dependabot to monitor them.