PrepIQ GitHub Administration Ultimate Exam, Exams of Technology

This certification exam validates knowledge of administering GitHub environments for organizations. Topics include managing teams and permissions, repository governance, authentication and SSO integration, billing, enterprise account management, compliance controls, and audit logging. Passing certifies candidates to administer GitHub securely and efficiently in enterprise environments.

Typology: Exams

2025/2026

Available from 04/09/2026

shilpi-jain-3

PrepIQ GitHub Administration Ultimate
Exam
**Question 1. Which architecture typically reduces administrative overhead when
an organization wants to enforce a uniform policy across all its repositories?**
A) Multi-organization architecture
B) Single-organization architecture
C) Fork-based architecture
D) Distributed-team architecture
Answer: B
Explanation: A single-organization architecture centralizes policy enforcement,
billing, and user management, minimizing the need for duplicate configurations
across multiple organizations.
**Question 2. In GitHub Enterprise Cloud (GHEC), which feature provides automatic,
on-demand scaling of compute resources for Actions?**
A) Self-hosted runners
B) GitHub-hosted runners
C) Runner groups
D) Enterprise runner pools
Answer: B
Explanation: GitHub-hosted runners are fully managed by GitHub and automatically
scale based on workflow demand, eliminating the need for manual provisioning.
**Question 3. When configuring SAML SSO for an Enterprise, which setting
determines the attribute that maps an IdP user to a GitHub username?**
A) NameID format
B) Assertion Consumer Service URL
C) Attribute Mapping – “login”
D) Single Logout Service URL
Answer: C
Explanation: The “login” attribute mapping tells GitHub which IdP attribute should be used as the GitHub username during SAML authentication.
**Question 4. Which GitHub feature allows an organization to publish a standardized set of policies that all repositories must inherit?**
A) CODEOWNERS file
B) Repository templates
C) Organization policies (Enterprise Settings)
D) Branch protection rules
Answer: C
Explanation: Organization policies, set in Enterprise Settings, enable administrators to define default repository permissions, allowed actions, and other controls that apply organization-wide.
**Question 5. What does SCIM stand for, and what primary purpose does it serve in GitHub Enterprise?**
A) Secure Cloud Identity Management – encrypts secrets
B) System for Cross-domain Identity Management – automates user provisioning
C) Single-sign-on Centralized Identity Module – provides SSO
D) Service Control and Integration Model – monitors API usage
Answer: B
Explanation: SCIM (System for Cross-domain Identity Management) is a standard protocol that lets identity providers automatically create, update, and deactivate GitHub Enterprise users.
**Question 6. Which repository role grants a member the ability to manage branch protection rules but not delete the repository?**

Explanation: Back-scanning reviews the existing commit history for leaked secrets, whereas Push Protection only checks new commits at push time.
**Question 9. In GitHub Enterprise Server (GHES), which component is responsible for replicating data across nodes for high availability?**
A) MySQL master-slave replication
B) PostgreSQL streaming replication
C) GitHub-Enterprise Replication Service (GERS)
D) Redis sentinel cluster
Answer: B
Explanation: GHES uses PostgreSQL streaming replication to keep the primary and standby nodes synchronized, providing HA and failover capabilities.
**Question 10. Which of the following best describes “Golden Path” documentation?**
A) A list of prohibited libraries for security compliance
B) A curated set of best-practice workflows and tools for developers
C) A deprecated feature guide for legacy systems
D) A roadmap for future GitHub product releases
Answer: B
Explanation: Golden Path documentation outlines the recommended development processes, toolchains, and standards that teams should follow to ensure consistency and security.
**Question 11. What is the primary benefit of using GitHub-hosted runners over self-hosted runners in a regulated environment?**
A) Full control over hardware specifications
B) Automatic patching and compliance with GitHub’s security baseline
C) Ability to run custom OS images
D) Unlimited concurrent jobs without cost
Answer: B
Explanation: GitHub-hosted runners are maintained by GitHub, ensuring they receive timely security patches and conform to GitHub’s hardening standards, which helps meet regulatory requirements.
**Question 12. Which permission level allows a user to triage issues and pull requests but not push code?**
A) Read
B) Triage
C) Write
D) Maintain
Answer: B
Explanation: The Triage role is designed for contributors who need to manage issues and PRs (e.g., labeling, assigning) without the ability to modify the codebase.
**Question 13. When using Dependabot, what type of vulnerability does it automatically raise a pull request for?**
A) License incompatibility
B) Out-of-date documentation
C) Known security flaws in dependencies
D) Code style violations
Answer: C
Explanation: Dependabot monitors the dependency graph and opens PRs to update libraries that contain known security vulnerabilities.

D) They are automatically added to the organization’s Teams.
Answer: C
Explanation: Outside collaborators are external users granted access to specific repositories; they do not become organization members and are billed only for the repositories they use.
**Question 17. What is the purpose of an “IP allow-list” in a GitHub Enterprise environment?**
A) To restrict API token creation to certain IP ranges
B) To limit SSH key usage to approved networks
C) To permit only traffic from specified IP addresses to access the Enterprise instance
D) To block all inbound traffic except from GitHub’s CDN
Answer: C
Explanation: An IP allow-list defines which source IPs are allowed to connect to the GHES instance, enhancing network security.
**Question 18. Which GitHub feature can be used to enforce that pull requests must pass a CodeQL analysis before merging?**
A) Required status checks in branch protection rules
B) CODEOWNERS file
C) GitHub Actions secret scanning
D) Dependency Graph alerts
Answer: A
Explanation: By adding the CodeQL workflow’s status check as a required check in branch protection, merges are blocked until the analysis succeeds.
**Question 19. When configuring Team Sync, what is the primary outcome of mapping an IdP group to a GitHub Team?**
A) Automatic creation of repositories for the group
B) Real-time synchronization of membership between IdP and GitHub
C) Enabling SAML SSO for the team’s members only
D) Granting the team admin rights across the organization
Answer: B
Explanation: Team Sync ensures that any changes in the IdP group (additions or removals) are reflected instantly in the corresponding GitHub Team’s membership.
**Question 20. Which license type is typically linked to a Visual Studio Subscription (VSS) for GitHub Enterprise?**
A) Per-core license
B) Seat-based (per-user) license
C) Unlimited concurrent license
D) Open-source community license
Answer: B
Explanation: VSS provides a seat-based license that can be applied to a user’s GitHub Enterprise account, allowing them to use the product under the subscription.
**Question 21. What does the “Push Protection” mode of Secret Scanning do?**
A) Scans only the latest commit on default branch
B) Blocks pushes that contain known secrets before they reach the repository
C) Sends an email alert after a secret is discovered in history
D) Automatically deletes the secret from the repository after detection
Answer: B

C) Requiring recovery codes for account recovery
D) Blocking the creation of new SSH keys until 2FA is configured
Answer: B
Explanation: When 2FA is enforced, personal access tokens (PATs) also require the user to have 2FA enabled; they cannot bypass the requirement.
**Question 25. Which GitHub feature helps administrators view real-time usage metrics such as actions run minutes and storage consumption?**
A) Enterprise audit log
B) Usage insights dashboard
C) Dependency Graph
D) CodeQL results page
Answer: B
Explanation: The Usage insights dashboard provides visualizations of actions minutes, storage, and other consumption metrics across the enterprise.
**Question 26. What is the effect of enabling “Require signed commits” in a branch protection rule?**
A) Only GPG-signed commits are allowed to be merged
B) All commits must be signed with a GitHub-generated token
C) The branch cannot be deleted without a signed commit
D) It forces contributors to use SSH instead of HTTPS
Answer: A
Explanation: Enabling this rule ensures that only commits signed with a verified GPG key can be merged, improving provenance and security.
**Question 27. Which of the following is a primary advantage of using reusable workflows in GitHub Actions?**
A) They eliminate the need for any secrets in workflows
B) They allow a single definition to be called from multiple repositories, ensuring consistency
C) They automatically grant admin permissions to all callers
D) They run faster than standard workflows because they are cached
Answer: B
Explanation: Reusable workflows centralize CI/CD logic, enabling multiple repositories to invoke the same workflow file, reducing duplication and maintaining consistency.
**Question 28. When a GitHub App is installed at the organization level, what scope of access does it initially have?**
A) Full admin access to all repositories
B) Access only to the repositories explicitly granted during installation
C) Read-only access to the organization’s settings
D) No access until a repository-specific token is generated
Answer: B
Explanation: Organization-level GitHub Apps request permission scopes and can be granted access to specific repositories or all repositories; they do not automatically receive full admin rights.
**Question 29. Which of the following best describes the difference between “Internal” and “Private” repository visibility in GitHub Enterprise Cloud?**
A) Internal repositories are visible to all GitHub users, Private only to members
B) Internal repositories are visible to all members of the enterprise, Private only to explicitly added collaborators

**Question 32. Which of the following statements about GitHub Actions “environment protection rules” is true?**
A) They can require manual approval before a workflow can deploy to a protected environment
B) They automatically delete all secrets after each run
C) They enforce code style linting on every push
D) They disable all self-hosted runners in that environment
Answer: A
Explanation: Environment protection rules can be configured to require an approved reviewer before a workflow can proceed to a sensitive environment (e.g., production).
**Question 33. In GitHub Enterprise Server, which storage backend is used for Git data?**
A) Amazon S
B) Azure Blob Storage
C) Local file system with Git objects stored on disk
D) Google Cloud Storage
Answer: C
Explanation: GHES stores Git objects on the local file system of the server nodes; external object storage can be configured for packages but not for core Git data.
**Question 34. Which setting in an organization’s billing configuration determines which users count toward the seat total?**
A) Users with “Read” access only
B) Users with “Member” role (including EMUs)
C) Only owners and billing managers
D) All users, including outside collaborators
Answer: B
Explanation: Seats are counted for every user who is a member of the organization, including Enterprise Managed Users, regardless of their repository permissions.
**Question 35. What does the “Dependabot alerts” feature provide to repository administrators?**
A) Automated pull requests to fix vulnerabilities
B) Email notifications when a new dependency is added
C) A list of known vulnerable dependencies in the repository’s dependency graph
D) Real-time code scanning for secret leaks
Answer: C
Explanation: Dependabot alerts surface known security vulnerabilities detected in the repository’s dependency graph, allowing admins to act manually or enable automated fixes.
**Question 36. Which of the following is a recommended practice when rotating a PAT used by a CI workflow?**
A) Delete the old PAT before creating a new one to avoid duplication
B) Create a new PAT, update the secret in the repository, then delete the old PAT after confirming the workflow succeeds
C) Use the same PAT indefinitely; GitHub automatically rotates it
D) Store the PAT in plain text within the workflow file for visibility
Answer: B
Explanation: The safe rotation process involves generating a new PAT, updating the encrypted secret, verifying the workflow runs correctly, then revoking the old PAT.
**Question 37. When configuring a “GitHub Enterprise Importer (GEI)” migration, which of the following data types is NOT transferred automatically?**

Explanation: Business licenses provide admin controls, usage analytics, and policy enforcement across the organization, which are not available with personal licenses.
**Question 40. Which of the following is the correct order of precedence when multiple branch protection rules apply to a branch?**
A) Repository-level rules override organization-level defaults
B) Organization-level defaults override repository-level rules
C) The most restrictive rule (i.e., requiring the most checks) wins
D) The rule set by the most recent admin takes precedence
Answer: C
Explanation: GitHub evaluates all applicable protection rules and enforces the most restrictive combination, ensuring the highest security posture.
**Question 41. In the context of GitHub Packages, what does “cleanup policy” refer to?**
A) Automatic deletion of older package versions based on age or number of retained versions
B) Encryption of package contents before storage
C) A script that runs after each package publish to validate metadata
D) A firewall rule that blocks external download attempts
Answer: A
Explanation: Cleanup policies let administrators define retention rules (e.g., keep last 10 versions or delete versions older than 30 days) to control storage consumption.
**Question 42. Which of the following is a valid use case for GitHub Enterprise Cloud (GHEC) over GitHub Enterprise Server (GHES)?**
A) Organizations requiring on-premises data residency due to regulatory constraints
B) Companies that need full control over the underlying operating system
C) Teams that want automatic platform updates without managing infrastructure
D) Environments that require custom network appliances between the client and server
Answer: C
Explanation: GHEC is a fully managed SaaS offering; GitHub handles updates, scaling, and maintenance, making it ideal for teams that prefer not to manage infrastructure.
**Question 43. Which of the following audit log events indicates a change in repository visibility?**
A) repo.create
B) repo.visibility_changed
C) org.member_added
D) secret_scanning.alert_created
Answer: B
Explanation: The repo.visibility_changed event records when a repository is switched between public, private, or internal visibility.
**Question 44. When configuring a self-hosted runner group, which setting controls which repositories can use the runners in that group?**
A) Runner group “Allowed repositories” list
B) Organization-wide runner policy
C) Repository-level “Self-hosted runner” toggle
D) Global GitHub Actions settings page
Answer: A
Explanation: Each runner group can be associated with a specific list of repositories, limiting which repos can schedule jobs on those runners.

C) Adding the user as an organization owner
D) Adding the user to the repository’s CODEOWNERS file only
Answer: D
Explanation: CODEOWNERS defines review responsibilities but does not grant repository access; the user must be a member, team member, or outside collaborator.
**Question 48. In the context of GitHub Actions, what does the “runs-on” keyword specify?**
A) The operating system and environment where the job will execute
B) The number of concurrent jobs allowed
C) The authentication token to use for the job
D) The maximum timeout for the workflow
Answer: A
Explanation: runs-on determines the type of runner (e.g., ubuntu-latest, self-hosted) that will execute the job.
**Question 49. Which of the following is a primary reason to enable “Require commit signing” at the organization level?**
A) To prevent merge conflicts
B) To ensure the authenticity and integrity of commits across the enterprise
C) To speed up CI pipelines
D) To automatically generate GPG keys for all users
Answer: B
Explanation: Enforcing signed commits helps verify that code originates from trusted contributors and has not been tampered with.
**Question 50. Which GitHub setting controls whether members can create private repositories by default?**
A) Repository default permissions
B) Organization → Settings → Member privileges → “Allow members to create private repos”
C) Billing → Repository limits
D) Security → Two-factor authentication enforcement
Answer: B
Explanation: The “Allow members to create private repositories” toggle under member privileges determines the default ability for members to create private repos.
**Question 51. What does the “Enterprise Audit Log” retain by default for a GitHub Enterprise Cloud organization?**
A) 30 days of events
B) 90 days of events
C) 180 days of events
D) Unlimited retention
Answer: B
Explanation: By default, GHEC retains audit log events for 90 days, though retention can be extended via Enterprise settings.
**Question 52. Which of the following is NOT a supported package type in GitHub Packages?**
A) Docker
B) npm
C) PyPI (Python)
D) RubyGems