GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Questions and Answers

In a repository'sSecuritytab, you can view:

Secret scanning alerts: Exposed credentials or tokens

Dependabot alerts: Vulnerable dependencies from the advisory database

Code scanning alerts: Vulnerabilities in code detected via static analysis (e.g., CodeQL)

Youwon’t seegeneral "security status alerts" (not a formal category) or permission-related alerts here.

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a “Report a vulnerability” button in the repository’sSecuritytab.

Youmust enable secret scanningbefore defining custom patterns. Secret scanning provides the foundational capability for detecting exposed credentials, and custom patterns build upon that by allowing organizations to specify their own regex-based patterns for secrets unique to their environment.

Without enabling secret scanning, GitHub will not process or apply custom patterns.

Secret validationchecks whether a secret found in your repository is still valid and active with the issuing provider (e.g., AWS, GitHub, Stripe). If a secret is confirmed to be active, the alert ismarked as verified, which means it's considered ahigh-priority issuebecause it presents an immediate security risk.

This helps teams respond faster tovalid, exploitablesecrets rather than wasting time on expired or fake tokens.

If an alert is raised on apull request dependency, best practice is toupdate the dependencyto a secure versionbeforemerging the PR. This prevents the vulnerable version from entering the main codebase.

Merging or deploying the PR without fixing the issue exposes your production environment to known risks.

To proactively address secret scanning:

Webhookscan be configured to listen for secret scanning events. This allows automation, logging, or alerting in real-time when secrets are detected.

Documenting secure development practices(like using environment variables or secret managers) helps reduce the likelihood of developers committing secrets in the first place.

Dismissal based on age is not a best practice without triage. SCIM deals with user provisioning, not scanning alerts.

Comprehensive and Detailed Explanation:

Secret scanning push protection is a proactive feature that scans for secrets in your code during the push process. If a secret is detected, the push is blocked, preventing the secret from being added to the repository. This helps prevent accidental exposure of sensitive information.​

GitHub Docs

To detect and blockvulnerable dependencies before merge, developers should use theDependency Review GitHub Actionin their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.

This is apreventative measureduring development, unlike Dependabot, which reactsafter the fact.

Comprehensive and Detailed Explanation:

By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.​

Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.​

Comprehensive and Detailed Explanation:

In the advanced setup for CodeQL code scanning, GitHub generates a workflow file named codeql-analysis.yml. This file is located in the .github/workflows directory of your repository. It defines the configuration for the CodeQL analysis, including the languages to analyze, the events that trigger the analysis, and the steps to perform during the workflow.​

Comprehensive and Detailed Explanation:

In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.​

GitHub Docs

Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.​

You shoulddismissa code scanning alert if the flagged code isnot a true security concern, such as:

Code in test files

Code paths that are unreachable or safe by design

False positives from the scanner

Fixing the code would automaticallyresolvethe alert — not dismiss it. Dismissing is for valid exceptions or noise reduction.

Comprehensive and Detailed Explanation:

A CodeQL database contains a representation of your codebase, including the build of the code and extracted data. This database is used to run CodeQL queries to analyze your code for potential vulnerabilities and errors.​

GitHub Docs

In aquery suite(a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.

Example:

- query: path/to/query.ql

qls is the file format.

qlpack is used for packaging queries, not in suite syntax.

Whenmultiple instances of the same secret valueappear in a repository,only one alertis generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into asingle alertto reduce noise and avoid duplication.

This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.

When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):

Install the CLI: Needed to run CodeQL commands.

Analyze code: Perform the CodeQL analysis on your project with the CLI.

Upload scan results: Export the results in SARIF format and use GitHub’s API to upload them to your repo’s security tab.

You don’t need to write custom queries unless extending functionality. “Processing alerts” happens after GitHub receives the results.

When secret scanning is enabled on a private repository,GitHub performs a read-only analysisof the repository's contents. This includes the entire Git history and files to identify strings that match known secret patterns or custom-defined patterns.

GitHub does not alter the repository, and enabling secret scanningdoes not automatically enablecode scanning or dependency review — each must be configured separately.

Comprehensive and Detailed Explanation:

When configuring Dependabot via the dependabot.yml file, the following fields are mandatory for each update configuration:

directory: Specifies the location of the package manifest within the repository. This tellsDependabot where to look for dependency files.​

package-ecosystem: Indicates the type of package manager (e.g., npm, pip, maven) used in the specified directory.​

schedule.interval: Defines how frequently Dependabot checks for updates (e.g., daily, weekly). This ensures regular scanning for outdated or vulnerable dependencies.​

The milestone field is optional and used for associating pull requests with milestones. The allow field is also optional and used to specify which dependencies to update.​

GitLab

A Dependabot alert is marked asresolvedonly after the relatedpull request is mergedinto the repository. This indicates that the vulnerable dependency has been officially replaced with a secure version in the active codebase.

Simply generating a PR or passing checks does not change the alert status; merging is the key step.