Practice Free GH-500 GitHub Advanced Security Exam Exam Questions Answers With Explanation

These three features provide a complete layer of defense:

Code scanning identifies security flaws in your source code

Secret scanning detects exposed credentials

Dependency review shows the impact of package changes during a pull request

Together, they give developers actionable insight into risk and coverage throughout the SDLC.

Dependency review runs as part of a pull request and shows which dependencies are being added, removed, or changed — and highlights vulnerabilities associated with any added packages.

It works in real-time and is specifically designed for use during pull request workflows.

The dependency graph is an overview, Dependabot alerts notify post-merge, and the Security tab shows the aggregated alert list.

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project’s transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a “Report a vulnerability” button in the repository’s Security tab.

When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.

This helps developers understand the context and urgency of the vulnerability before applying the fix.

Comprehensive and Detailed Explanation:

For code scanning to be triggered on a specific branch, the branch must contain the appropriate workflow file, typically located in the .github/workflows directory. This YAML file defines the code scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).?

Without the workflow file in the branch, GitHub Actions will not execute the code scanning process for that branch. The repository's visibility (private or public), the status of secret scanning, or the activity level of developers do not directly influence the triggering of code scanning.?

If a secret is intentionally used in a test environment and poses no real-world security risk, you may close the alert with the reason "used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.

Just being in a test file isn't enough unless its purpose is purely for testing.

The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:

Number of alerts related to:

Code scanning

Secret scanning

Dependency (Dependabot) alerts

Summary and visibility into open, closed, and dismissed security issues.

It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.

When defining a custom pattern for secret scanning, two key fields are required:

Name of the pattern: A unique label to identify the pattern

Secret format: A regular expression that defines what the secret looks like (e.g., token format)

You can optionally specify additional match requirements (like required context keywords), but they’re not mandatory. Listing repositories is also not part of the required fields during pattern creation.

Comprehensive and Detailed Explanation:

When setting up CodeQL analysis for compiled languages, there are two primary methods to build your code:?

GitHub Docs

Autobuild: CodeQL attempts to automatically build your codebase using the most likely build method. This is suitable for standard build processes.?

GitHub Docs

Custom Build Steps: For complex or non-standard build processes, you can implement custom build steps by specifying explicit build commands in your workflow. This provides greater control over the build process.?

GitHub Docs

The init action initializes the CodeQL analysis but does not build the code. The jobs.analyze.runs-on specifies the operating system for the runner but is not directly related to building the code. Uploading compiled binaries is not a method supported by CodeQL for analysis.?

To exclude .txt and .md files from triggering workflows on pull requests to the main branch:

on: defines the event (e.g., pull_request)

pull_request: is the trigger

paths-ignore: is the key used to ignore file patterns

Example YAML:

yaml

CopyEdit

on:

pull_request:

branches:

- main

paths-ignore:

- '*.md'

- '*.txt'

Using paths: would include only specific files instead — not exclude. paths-ignore: is correct here.

In a workflow: GitHub Actions workflows are the most common place for CodeQL code scanning. The codeql-analysis.yml defines how the analysis runs and when it triggers.

In an external CI system: GitHub allows you to run CodeQL analysis outside of GitHub Actions. Once complete, the results can be uploaded using the upload-sarif action to make alerts visible in the repository.

You cannot run or trigger analysis from third-party repositories directly, and the Files changed tab in pull requests only shows diff — not analysis results.

To exclude specific files or directories from being scanned by secret scanning in GitHub Actions, you can use the paths-ignore: key within your YAML workflow file.

This tells GitHub to ignore specified paths when scanning for secrets, which can be useful for excluding test data or non-sensitive mock content.

Other options listed are invalid:

branches-ignore: excludes branches, not files.

decrypt_secret.sh is not a YAML key.

secret scanning.yml is not a recognized filename for configuration.

The best proactive control is push protection. It scans for secrets during a git push and blocks the commit before it enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

For compiled languages, CodeQL performs extraction by monitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.

This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

Comprehensive and Detailed Explanation:

Push protection for secret scanning custom patterns is an opt-in feature. This means that for each custom pattern defined in a repository, maintainers can choose to enable or disable push protection individually. This provides flexibility, allowing teams to enforce push protection on sensitive patterns while leaving it disabled for others.?

When using a SARIF-compatible tool within GitHub Actions, it's necessary to explicitly add a step in your workflow to upload the analysis results. This is typically done using the upload-sarif action, which takes the SARIF file generated by your tool and uploads it to GitHub for processing and display in the Security tab. Without this step, the results won't be available in GitHub's code scanning interface.?