This advanced GitHub certification exam evaluates knowledge in securing repositories and codebases. Topics include code scanning, secret scanning, dependency reviews, security advisories, vulnerability management, permissions, and branch protection rules. Passing confirms candidates’ ability to apply GitHub’s advanced security tools to safeguard development projects.
Typology: Exams
Question 1. Which GitHub Advanced Security (GHAS) feature is exclusive to GitHub Enterprise Cloud (GHEC) and not available for public repositories?
A) Secret Scanning
B) Dependabot Security Updates
C) CodeQL Analysis
D) Security Overview Tab
Answer: C
Explanation: CodeQL analysis requires GHAS and is only provided for repositories on GHEC or GHES; public repositories can use secret scanning and Dependabot, but CodeQL requires an enterprise license.

Question 2. In the Security Overview tab, what primary metric indicates the total number of unresolved security alerts across an organization?
A) Alert Density
B) Open Alerts Count
C) Risk Score
D) Dismissed Alerts Ratio
Answer: B
Explanation: The Open Alerts Count shows how many alerts are still active and need attention, giving a quick health snapshot.

Question 3. Which role can dismiss a secret scanning alert but cannot configure secret scanning patterns?
A) Organization Owner
B) Security Manager
C) Repository Admin
D) Read-only Collaborator
Answer: C
Explanation: Repository admins can manage alerts within their repo, including dismissal, but only security managers or owners can modify scanning configuration.

Question 4. Integrated security scanning in a CI pipeline is best described as:
A) Running scans only on the default branch after merge
B) Triggering scans on every push and pull request commit
C) Scanning only when a security label is added to an issue
D) Manual execution of scans by developers
Answer: B
Explanation: Integrated security means scans are automatically executed on each commit and PR, providing continuous feedback.

Question 5. Secret Scanning identifies high-confidence secrets using which of the following?
A) Heuristic entropy analysis only
B) Partner-provided regex patterns and GitHub’s built-in patterns
C) Manual code review comments
D) License file inspection
Answer: B
Explanation: GHAS combines partner-supplied patterns with its own curated list to detect secrets with high confidence.

Question 6. Push Protection prevents secrets from entering a repository by:
A) Deleting the repository after a secret is pushed
B) Blocking the push and returning an error message to the client
Question 9. When defining a custom secret scanning pattern, which syntax is required?
A) YAML list of strings
B) JSON object with “pattern” key
C) Regular Expression (regex) string
D) Markdown code block
Answer: C
Explanation: Custom patterns are expressed as regular expressions that match the organization’s proprietary credentials.

Question 10. Scanning only the current state of a repository (not history) is known as:
A) Incremental Scan
B) Real-time Scan
C) Snapshot Scan
D) Historical Scan
Answer: C
Explanation: A snapshot scan examines the latest file versions without traversing past commits.

Question 11. Which file does GitHub use to generate a Software Bill of Materials (SBOM) for a Java project?
A) pom.xml
B) build.gradle
C) settings.xml
D) requirements.txt
Answer: A
Explanation: The Maven pom.xml lists all dependencies, enabling GitHub to create an SBOM.

Question 12. Dependabot alerts are sourced from which database?
A) NVD (National Vulnerability Database) only
B) GitHub Advisory Database
C) OSV (Open Source Vulnerabilities) exclusively
D) Private corporate CVE feed
Answer: B
Explanation: Dependabot queries the GitHub Advisory Database for known vulnerabilities in open-source packages.

Question 13. A Dependabot Security Update PR aims to:
A) Upgrade a dependency to the latest available version
B) Downgrade a vulnerable dependency to an older safe version
C) Upgrade to the minimum version that fixes the vulnerability
D) Remove the vulnerable dependency altogether
Answer: C
Explanation: Security updates target the lowest version that resolves the issue, minimizing impact on the codebase.

Question 14. Which Dependabot configuration key controls how often version update PRs are created?
A) schedule
B) updates
C) versioning-strategy
B) QL (a variant of Datalog)
C) Python
D) JavaScript
Answer: B
Explanation: CodeQL uses QL, a query language based on Datalog, to perform semantic analysis.

Question 18. Which default CodeQL suite includes queries for detecting injection vulnerabilities?
A) security-extended
B) codeql-go
C) codeql-default
D) security-and-quality
Answer: D
Explanation: The security-and-quality suite bundles both security and code-quality queries, including injection checks.

Question 19. To trigger CodeQL analysis on a daily schedule, which on: event should be added to the workflow?
A) push
B) pull_request
C) schedule with a cron expression
D) workflow_dispatch
Answer: C
Explanation: The schedule event with a cron pattern runs the workflow at defined intervals.
Question 20. Which language requires a separate “compiled” step before CodeQL can create its database?
A) Python
B) JavaScript
C) Go
D) Ruby
Answer: C
Explanation: Go code must be compiled to generate the required CodeQL database; interpreted languages do not need this step.

Question 21. In a matrix strategy for CodeQL, the language variable is used to:
A) Choose the runner OS
B) Specify which CodeQL pack to install
C) Define the set of languages to analyze in parallel
D) Set the GitHub token scope
Answer: C
Explanation: The matrix creates parallel jobs, each scanning a different language defined by the language variable.

Question 22. SARIF files uploaded to the Security tab are primarily used for:
A) Storing dependency graphs
B) Displaying results from third-party static analysis tools
C) Managing secret scanning alerts
D) Configuring repository permissions
Answer: B
D) Disabling “Allow merge commits”
Answer: A
Explanation: Branch protection can mandate that the CodeQL status check succeeds before a merge is permitted.

Question 26. Copilot Autofix can automatically generate a fix for a vulnerability discovered by:
A) Secret Scanning only
B) Dependabot Version Updates only
C) CodeQL security queries
D) GitHub Actions linting rules
Answer: C
Explanation: Copilot Autofix leverages AI to suggest patches for CodeQL-detected issues.

Question 27. Setting a status check condition “Fail on High or above” will:
A) Block merges if any High, Critical, or Severe alerts are present
B) Only block merges when Critical alerts exist
C) Fail the entire workflow regardless of alert severity
D) Ignore all alerts below Critical severity
Answer: A
Explanation: The condition treats High, Critical, and any higher severity alerts as blocking failures.

Question 28. New Repository Defaults can be used to:
A) Clone a repository automatically into a new organization
B) Enable GHAS features for all newly created repositories without manual setup
C) Delete all secrets from a repository after creation
D) Set default branch protection rules only for private repos
Answer: B
Explanation: New Repository Defaults allow administrators to pre-configure GHAS features for future repos.

Question 29. Organization-wide security policies in GHAS can enforce which of the following?
A) Mandatory use of a specific IDE
B) Minimum CodeQL query version across all repos
C) Automatic revocation of all leaked tokens after 24 hours
D) Disallowing pushes from external contributors
Answer: C
Explanation: Policies can trigger automated revocation of leaked secrets via the Secret Scanning Partner Program.

Question 30. When choosing a runner for resource-intensive CodeQL analysis, a self-hosted runner is preferred because:
A) It provides unlimited concurrency for free
B) It allows custom hardware and longer execution time limits
C) It automatically disables secret scanning
D) It eliminates the need for a GitHub token
Answer: B
Explanation: Self-hosted runners can be provisioned with more CPU/RAM and can run longer jobs than the GitHub-hosted limits.
Explanation: The Dependabot alerts page aggregates all open vulnerability alerts from the advisory database.

Question 34. A custom secret scanning pattern that matches a 32-character hexadecimal token should use which regex quantifier?
A) {32}
B) {30,34}
C) *
D) +
Answer: A
Explanation: {32} enforces exactly 32 characters, matching the token length precisely.

Question 35. When a secret scanning alert is marked “Valid” by GitHub’s automatic check, what does this indicate?
A) The secret is still active and usable by an attacker
B) The secret has been revoked by the provider
C) The secret is a false positive
D) The secret belongs to a test environment only
Answer: A
Explanation: “Valid” means the credential is still live, representing a real security risk.

Question 36. Which of the following manifests is NOT parsed by GitHub’s Dependency Graph?
A) package-lock.json
B) Gemfile.lock
C) Dockerfile
D) requirements.txt
Answer: C
Explanation: Dockerfiles describe container images, not language-specific dependencies, and are not used for the dependency graph.

Question 37. In a Dependabot PR, the label “security” is automatically added when:
A) The PR updates a dependency to a newer major version
B) The update resolves a known vulnerability listed in the advisory database
C) The PR modifies any dependency file
D) The PR is created by a bot user
Answer: B
Explanation: Dependabot tags PRs with “security” when they address a vulnerability.

Question 38. Which GitHub Action environment variable provides the name of the repository being scanned?
A) GITHUB_REPOSITORY
B) REPO_NAME
C) ACTION_REPO
D) GITHUB_PROJECT
Answer: A
Explanation: GITHUB_REPOSITORY contains the owner/repo identifier for the current workflow run.
Explanation: All listed reasons are acceptable dismissal reasons, allowing teams to document why an alert is not being acted upon immediately.

Question 42. When using a self-hosted runner for CodeQL, which of the following must be ensured?
A) The runner has Docker installed for container-based analysis
B) The runner runs on Windows only
C) The runner has the codeql CLI installed and accessible in PATH
D) The runner disables all network access
Answer: C
Explanation: The codeql executable is required to build databases and run queries; Docker is optional.

Question 43. A “high severity” CodeQL alert typically corresponds to which CWE range?
A) CWE-1 to CWE-100
B) CWE-200 to CWE-300
C) CWE-400 to CWE-500
D) CWE-600 to CWE-700
Answer: B
Explanation: High-severity findings often map to CWE-200 to CWE-300, covering authentication and session management issues.

Question 44. Which GitHub API endpoint can be used to retrieve the list of all active secret scanning alerts for an organization?
A) GET /orgs/{org}/secret-scanning/alerts
B) GET /orgs/{org}/security/alerts
C) GET /orgs/{org}/code-scanning/alerts
D) GET /orgs/{org}/dependabot/alerts
Answer: A
Explanation: The secret-scanning alerts endpoint provides organization-wide alert data.

Question 45. In Dependabot’s updates block, the allow field is used to:
A) Whitelist specific versions that should never be upgraded
B) Specify which ecosystems (npm, Maven, etc.) are monitored
C) Define version constraints for automatic updates
D) Set the maximum number of PRs per day
Answer: C
Explanation: allow lets you restrict updates to versions that match given criteria (e.g., semver ranges).

Question 46. Which of the following is true about the “isolated security review” mode?
A) Scans are run only on the default branch after merge
B) Developers must manually trigger scans for each PR
C) Scans are executed in a separate, temporary environment not linked to CI
D) All findings are automatically merged into the main branch
Answer: C
Explanation: Isolated reviews run scans in a detached environment, allowing a focused security audit without affecting the CI pipeline.

Question 47. When a secret scanning alert is marked “revoked” by the provider, the alert status in GitHub changes to:
Question 50. Which GitHub feature provides a visual representation of a repository’s dependency network and its downstream projects?
A) Dependency Graph
B) Code Scanning Dashboard
C) Secret Scanning Map
D) Security Overview Matrix
Answer: A
Explanation: The Dependency Graph visualizes direct and transitive dependencies, as well as projects that depend on the repository.

Question 51. When a secret scanning alert is dismissed with the reason “Won’t Fix,” what impact does it have on the organization’s risk score?
A) The alert is excluded from risk calculations
B) The alert remains counted as an open risk
C) The risk score is increased by 10%
D) The alert is deleted permanently
Answer: A
Explanation: Dismissing as “Won’t Fix” tells the system to ignore the alert for risk metrics.

Question 52. Which of the following best describes the purpose of a CodeQL “suite”?
A) A collection of related queries that can be run together
B) A Docker image used for analysis
C) A configuration file for secret scanning patterns
D) A UI theme for the Security tab
Answer: A
Explanation: Suites group multiple queries, allowing users to run a predefined set of analyses in one step.

Question 53. In the context of GHAS, “push protection” can be bypassed by:
A) Adding the file to .gitignore
B) Using the --no-verify flag with git push and providing a justification comment in the PR
C) Disabling the repository’s default branch protection rule
D) Renaming the secret file extension
Answer: B
Explanation: Git allows bypassing client-side hooks with --no-verify; GHAS requires a justification comment to record why the push was allowed.

Question 54. Which environment variable is automatically set to the GitHub token with repository read/write permissions in a GitHub Actions workflow?
A) GITHUB_TOKEN
B) ACTION_TOKEN
C) CI_TOKEN
D) REPO_TOKEN
Answer: A
Explanation: GITHUB_TOKEN is provided to each workflow run with appropriate scopes.

Question 55. The “Security Overview” tab aggregates data from which of the following GHAS components?
A) Secret Scanning, Dependabot alerts, CodeQL alerts, and Dependency Review