GH-500 GitHub Advanced Security Exam Questions and Answers

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.

The best way to prioritize secret scanning alerts is to filter by active secrets — these are secrets GitHub has confirmed are still valid and could be exploited. This allows security teams to focus on high-risk exposures that require immediate attention.

Sorting by time or filtering by custom patterns won’t help with risk prioritization directly.

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:​

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.​

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.​

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.​

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

Comprehensive and Detailed Explanation:

Secret scanning push protection is a proactive feature that scans for secrets in your code during the push process. If a secret is detected, the push is blocked, preventing the secret from being added to the repository. This helps prevent accidental exposure of sensitive information.​

GitHub Docs

Comprehensive and Detailed Explanation:

A CodeQL database contains a representation of your codebase, including the build of the code and extracted data. This database is used to run CodeQL queries to analyze your code for potential vulnerabilities and errors.​

GitHub Docs

GitHub automatically closes a code scanning alert when the vulnerable code is fixed in the same branch where the alert was generated, usually via a commit inside a pull request. Simply clicking or triaging an alert does not resolve it. The alert is re-evaluated after each push to the branch, and if the issue no longer exists, it is marked as resolved.

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

By default, secret scanning is enabled automatically for all public repositories. For private or internal repositories, secret scanning must be enabled manually unless configured at the organization or enterprise level.

This default behavior helps protect open-source projects without requiring additional configuration.

To proactively address secret scanning:

Webhooks can be configured to listen for secret scanning events. This allows automation, logging, or alerting in real-time when secrets are detected.

Documenting secure development practices (like using environment variables or secret managers) helps reduce the likelihood of developers committing secrets in the first place.

Dismissal based on age is not a best practice without triage. SCIM deals with user provisioning, not scanning alerts.

Dependabot alerts utilize standardized identifiers to describe vulnerabilities:​

CVE (Common Vulnerabilities and Exposures): A widely recognized identifier for publicly known cybersecurity vulnerabilities.​

CWE (Common Weakness Enumeration): A category system for software weaknesses and vulnerabilities.​

These identifiers help developers understand the nature of the vulnerabilities and facilitate the search for more information or remediation strategies.​

The GitHub Code Scanning API includes endpoints that allow you to:

List alerts for a repository (filtered by branch, state, or tool) — useful for monitoring security over time.

Get a single alert by its ID to inspect its metadata, status, and locations in the code.

However, GitHub does not support modifying the severity of alerts via API — severity is defined by the scanning tool (e.g., CodeQL). Likewise, alerts cannot be deleted via the API; they are resolved by fixing the code or dismissing them manually.

When dealing with a data flow issue in a code scanning alert, clicking on "Show paths" provides a detailed view of the data's journey through the code. This includes the source of the data, the path it takes, and where it ends up (the sink). This information is crucial for understanding how untrusted data might reach sensitive parts of your application and helps in identifying where to implement proper validation or sanitization.​

Code scanning is a static analysis feature that examines your source code to identify security vulnerabilities and coding errors. It runs either on every push, pull request, or a scheduled time depending on the workflow configuration.

It does not automatically contact maintainers, scan full Git history, or block pushes unless explicitly configured to do so.

The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.

Simply deleting the secret from the code does not remove the risk if it hasn’t been revoked — especially since it may already be exposed in commit history.

If an alert is raised on a pull request dependency, best practice is to update the dependency to a secure version before merging the PR. This prevents the vulnerable version from entering the main codebase.

Merging or deploying the PR without fixing the issue exposes your production environment to known risks.

The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:

Number of alerts related to:

Code scanning

Secret scanning

Dependency (Dependabot) alerts

Summary and visibility into open, closed, and dismissed security issues.

It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.

Comprehensive and Detailed Explanation:

In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.​

GitHub Docs

Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.​

Secret scanning is a feature provided by GitHub that scans the contents of your GitHub repositories for known types of secrets, such as API keys and tokens. It operates within the GitHub environment and does not scan external systems, services, or repositories outside of GitHub. Its primary function is to prevent the accidental exposure of sensitive information within your GitHub-hosted code.​