PrepIQ GitHub Advanced Security Ultimate Exam, Exams of Technology

This advanced GitHub certification exam evaluates knowledge in securing repositories and codebases. Topics include code scanning, secret scanning, dependency reviews, security advisories, vulnerability management, permissions, and branch protection rules. Passing confirms candidates’ ability to apply GitHub’s advanced security tools to safeguard development projects.

Typology: Exams

2025/2026

Available from 04/09/2026

shilpi-jain-3 🇮🇳

PrepIQ GitHub Advanced Security
Ultimate Exam
**Question 1.** Which GitHub Advanced Security (GHAS) feature is exclusive to
GitHub Enterprise Cloud (GHEC) and not available for public repositories?
A) Secret Scanning
B) Dependabot Security Updates
C) CodeQL Analysis
D) Security Overview Tab
Answer: C
Explanation: CodeQL analysis requires GHAS and is only provided for repositories on
GHEC or GHES; public repositories can use secret scanning and Dependabot, but
CodeQL requires an enterprise license.
**Question 2.** In the Security Overview tab, what primary metric indicates the
total number of unresolved security alerts across an organization?
A) Alert Density
B) Open Alerts Count
C) Risk Score
D) Dismissed Alerts Ratio
Answer: B
Explanation: The Open Alerts Count shows how many alerts are still active and need
attention, giving a quick health snapshot.
**Question 3.** Which role can **dismiss** a secret scanning alert but cannot
**configure** secret scanning patterns?
A) Organization Owner
B) Security Manager
C) Repository Admin
D) Read-only Collaborator

Answer: C
Explanation: Repository admins can manage alerts within their repo, including dismissal, but only security managers or owners can modify scanning configuration.
**Question 4.** Integrated security scanning in a CI pipeline is best described as:
A) Running scans only on the default branch after merge
B) Triggering scans on every push and pull request commit
C) Scanning only when a security label is added to an issue
D) Manual execution of scans by developers
Answer: B
Explanation: Integrated security means scans are automatically executed on each commit and PR, providing continuous feedback.
**Question 5.** Secret Scanning identifies high-confidence secrets using which of the following?
A) Heuristic entropy analysis only
B) Partner-provided regex patterns and GitHub’s built-in patterns
C) Manual code review comments
D) License file inspection
Answer: B
Explanation: GHAS combines partner-supplied patterns with its own curated list to detect secrets with high confidence.
**Question 6.** Push Protection prevents secrets from entering a repository by:
A) Deleting the repository after a secret is pushed
B) Blocking the push and returning an error message to the client

**Question 9.** When defining a custom secret scanning pattern, which syntax is required?
A) YAML list of strings
B) JSON object with “pattern” key
C) Regular Expression (regex) string
D) Markdown code block
Answer: C
Explanation: Custom patterns are expressed as regular expressions that match the organization’s proprietary credentials.
**Question 10.** Scanning only the current state of a repository (not history) is known as:
A) Incremental Scan
B) Real-time Scan
C) Snapshot Scan
D) Historical Scan
Answer: C
Explanation: A snapshot scan examines the latest file versions without traversing past commits.
**Question 11.** Which file does GitHub use to generate a Software Bill of Materials (SBOM) for a Java project?
A) pom.xml
B) build.gradle
C) settings.xml
D) requirements.txt
Answer: A

Explanation: The Maven pom.xml lists all dependencies, enabling GitHub to create an SBOM.
**Question 12.** Dependabot alerts are sourced from which database?
A) NVD (National Vulnerability Database) only
B) GitHub Advisory Database
C) OSV (Open Source Vulnerabilities) exclusively
D) Private corporate CVE feed
Answer: B
Explanation: Dependabot queries the GitHub Advisory Database for known vulnerabilities in open-source packages.
**Question 13.** A Dependabot Security Update PR aims to:
A) Upgrade a dependency to the latest available version
B) Downgrade a vulnerable dependency to an older safe version
C) Upgrade to the minimum version that fixes the vulnerability
D) Remove the vulnerable dependency altogether
Answer: C
Explanation: Security updates target the lowest version that resolves the issue, minimizing impact on the codebase.
**Question 14.** Which Dependabot configuration key controls how often version update PRs are created?
A) schedule
B) updates
C) versioning-strategy

B) QL (a variant of Datalog)
C) Python
D) JavaScript
Answer: B
Explanation: CodeQL uses QL, a query language based on Datalog, to perform semantic analysis.
**Question 18.** Which default CodeQL suite includes queries for detecting injection vulnerabilities?
A) security-extended
B) codeql-go
C) codeql-default
D) security-and-quality
Answer: D
Explanation: The security-and-quality suite bundles both security and code-quality queries, including injection checks.
**Question 19.** To trigger CodeQL analysis on a daily schedule, which on: event should be added to the workflow?
A) push
B) pull_request
C) schedule with a cron expression
D) workflow_dispatch
Answer: C
Explanation: The schedule event with a cron pattern runs the workflow at defined intervals.

**Question 20.** Which language requires a separate “compiled” step before CodeQL can create its database?
A) Python
B) JavaScript
C) Go
D) Ruby
Answer: C
Explanation: Go code must be compiled to generate the required CodeQL database; interpreted languages do not need this step.
**Question 21.** In a matrix strategy for CodeQL, the language variable is used to:
A) Choose the runner OS
B) Specify which CodeQL pack to install
C) Define the set of languages to analyze in parallel
D) Set the GitHub token scope
Answer: C
Explanation: The matrix creates parallel jobs, each scanning a different language defined by the language variable.
**Question 22.** SARIF files uploaded to the Security tab are primarily used for:
A) Storing dependency graphs
B) Displaying results from third-party static analysis tools
C) Managing secret scanning alerts
D) Configuring repository permissions
Answer: B

D) Disabling “Allow merge commits”
Answer: A
Explanation: Branch protection can mandate that the CodeQL status check succeeds before a merge is permitted.
**Question 26.** Copilot Autofix can automatically generate a fix for a vulnerability discovered by:
A) Secret Scanning only
B) Dependabot Version Updates only
C) CodeQL security queries
D) GitHub Actions linting rules
Answer: C
Explanation: Copilot Autofix leverages AI to suggest patches for CodeQL-detected issues.
**Question 27.** Setting a status check condition “Fail on High or above” will:
A) Block merges if any High, Critical, or Severe alerts are present
B) Only block merges when Critical alerts exist
C) Fail the entire workflow regardless of alert severity
D) Ignore all alerts below Critical severity
Answer: A
Explanation: The condition treats High, Critical, and any higher severity alerts as blocking failures.
**Question 28.** New Repository Defaults can be used to:
A) Clone a repository automatically into a new organization

B) Enable GHAS features for all newly created repositories without manual setup
C) Delete all secrets from a repository after creation
D) Set default branch protection rules only for private repos
Answer: B
Explanation: New Repository Defaults allow administrators to pre-configure GHAS features for future repos.
**Question 29.** Organization-wide security policies in GHAS can enforce which of the following?
A) Mandatory use of a specific IDE
B) Minimum CodeQL query version across all repos
C) Automatic revocation of all leaked tokens after 24 hours
D) Disallowing pushes from external contributors
Answer: C
Explanation: Policies can trigger automated revocation of leaked secrets via the Secret Scanning Partner Program.
**Question 30.** When choosing a runner for resource-intensive CodeQL analysis, a self-hosted runner is preferred because:
A) It provides unlimited concurrency for free
B) It allows custom hardware and longer execution time limits
C) It automatically disables secret scanning
D) It eliminates the need for a GitHub token
Answer: B
Explanation: Self-hosted runners can be provisioned with more CPU/RAM and can run longer jobs than the GitHub-hosted limits.

Explanation: The Dependabot alerts page aggregates all open vulnerability alerts from the advisory database.
**Question 34.** A custom secret scanning pattern that matches a 32-character hexadecimal token should use which regex quantifier?
A) {32}
B) {30,34}
C) *
D) +
Answer: A
Explanation: {32} enforces exactly 32 characters, matching the token length precisely.
**Question 35.** When a secret scanning alert is marked “Valid” by GitHub’s automatic check, what does this indicate?
A) The secret is still active and usable by an attacker
B) The secret has been revoked by the provider
C) The secret is a false positive
D) The secret belongs to a test environment only
Answer: A
Explanation: “Valid” means the credential is still live, representing a real security risk.
**Question 36.** Which of the following manifests is NOT parsed by GitHub’s Dependency Graph?
A) package-lock.json
B) Gemfile.lock

C) Dockerfile
D) requirements.txt
Answer: C
Explanation: Dockerfiles describe container images, not language-specific dependencies, and are not used for the dependency graph.
**Question 37.** In a Dependabot PR, the label “security” is automatically added when:
A) The PR updates a dependency to a newer major version
B) The update resolves a known vulnerability listed in the advisory database
C) The PR modifies any dependency file
D) The PR is created by a bot user
Answer: B
Explanation: Dependabot tags PRs with “security” when they address a vulnerability.
**Question 38.** Which GitHub Action environment variable provides the name of the repository being scanned?
A) GITHUB_REPOSITORY
B) REPO_NAME
C) ACTION_REPO
D) GITHUB_PROJECT
Answer: A
Explanation: GITHUB_REPOSITORY contains the owner/repo identifier for the current workflow run.

Explanation: All listed reasons are acceptable dismissal reasons, allowing teams to document why an alert is not being acted upon immediately.
**Question 42.** When using a self-hosted runner for CodeQL, which of the following must be ensured?
A) The runner has Docker installed for container-based analysis
B) The runner runs on Windows only
C) The runner has the codeql CLI installed and accessible in PATH
D) The runner disables all network access
Answer: C
Explanation: The codeql executable is required to build databases and run queries; Docker is optional.
**Question 43.** A “high severity” CodeQL alert typically corresponds to which CWE range?
A) CWE-1 to CWE-100
B) CWE-200 to CWE-300
C) CWE-400 to CWE-500
D) CWE-600 to CWE-700
Answer: B
Explanation: High-severity findings often map to CWE-200 – 300, covering authentication and session management issues.
**Question 44.** Which GitHub API endpoint can be used to retrieve the list of all active secret scanning alerts for an organization?
A) GET /orgs/{org}/secret-scanning/alerts
B) GET /orgs/{org}/security/alerts

C) GET /orgs/{org}/code-scanning/alerts
D) GET /orgs/{org}/dependabot/alerts
Answer: A
Explanation: The secret-scanning alerts endpoint provides organization-wide alert data.
**Question 45.** In Dependabot’s updates block, the allow field is used to:
A) Whitelist specific versions that should never be upgraded
B) Specify which ecosystems (npm, Maven, etc.) are monitored
C) Define version constraints for automatic updates
D) Set the maximum number of PRs per day
Answer: C
Explanation: allow lets you restrict updates to versions that match given criteria (e.g., semver ranges).
**Question 46.** Which of the following is true about the “isolated security review” mode?
A) Scans are run only on the default branch after merge
B) Developers must manually trigger scans for each PR
C) Scans are executed in a separate, temporary environment not linked to CI
D) All findings are automatically merged into the main branch
Answer: C
Explanation: Isolated reviews run scans in a detached environment, allowing a focused security audit without affecting the CI pipeline.
**Question 47.** When a secret scanning alert is marked “revoked” by the provider, the alert status in GitHub changes to:

**Question 50.** Which GitHub feature provides a visual representation of a repository’s dependency network and its downstream projects?
A) Dependency Graph
B) Code Scanning Dashboard
C) Secret Scanning Map
D) Security Overview Matrix
Answer: A
Explanation: The Dependency Graph visualizes direct and transitive dependencies, as well as projects that depend on the repository.
**Question 51.** When a secret scanning alert is dismissed with the reason “Won’t Fix,” what impact does it have on the organization’s risk score?
A) The alert is excluded from risk calculations
B) The alert remains counted as an open risk
C) The risk score is increased by 10%
D) The alert is deleted permanently
Answer: A
Explanation: Dismissing as “Won’t Fix” tells the system to ignore the alert for risk metrics.
**Question 52.** Which of the following best describes the purpose of a CodeQL “suite”?
A) A collection of related queries that can be run together
B) A Docker image used for analysis
C) A configuration file for secret scanning patterns
D) A UI theme for the Security tab

Answer: A
Explanation: Suites group multiple queries, allowing users to run a predefined set of analyses in one step.
**Question 53.** In the context of GHAS, “push protection” can be bypassed by:
A) Adding the file to .gitignore
B) Using the --no-verify flag with git push and providing a justification comment in the PR
C) Disabling the repository’s default branch protection rule
D) Renaming the secret file extension
Answer: B
Explanation: Git allows bypassing client-side hooks with --no-verify; GHAS requires a justification comment to record why the push was allowed.
**Question 54.** Which environment variable is automatically set to the GitHub token with repository read/write permissions in a GitHub Actions workflow?
A) GITHUB_TOKEN
B) ACTION_TOKEN
C) CI_TOKEN
D) REPO_TOKEN
Answer: A
Explanation: GITHUB_TOKEN is provided to each workflow run with appropriate scopes.
**Question 55.** The “Security Overview” tab aggregates data from which of the following GHAS components?
A) Secret Scanning, Dependabot alerts, CodeQL alerts, and Dependency Review