Question 1

– [Use Code Scanning with CodeQL] When using CodeQL, what extension stores query suite definitions?

Accepted Answer

D

Explanation: A CodeQL query suite is a file with a .qls extension that defines a set of queries to run. These files use a specific YAML-based format to specify rules for selecting queries. You can include queries by their path, by the directory they are in, or by their metadata properties (e.g., @tags, @kind). This allows for the creation of custom, reusable sets of queries tailored for a specific analysis, such as running only high-precision security queries.

Question 2

– [Configure and Use Secret Scanning] What happens when you enable secret scanning on a private repository?

Accepted Answer

C

Explanation: When secret scanning is enabled for a repository, GitHub initiates a scan of the entire Git history across all branches. This process is a non-intrusive, read-only analysis where the content is checked against a set of patterns for known secret formats. This scan does not alter the repository's code or history. If a potential secret is identified, GitHub creates a security alert, which is visible to repository administrators and the organization owners, and notifies the committer.

Question 3

– [Configure and Use Dependency Management] A dependency has a known vulnerability. What does the warning message include?

Accepted Answer

D

Explanation: When GitHub's Dependabot detects a vulnerable dependency in a repository, it generates a security alert. This alert is based on information from the GitHub Advisory Database. A fundamental component of this alert is a description of the vulnerability, which explains the nature of the security flaw (e.g., Cross-Site Scripting, Remote Code Execution). This description, along with a severity level and recommended patched version, provides the necessary context for developers to understand the risk and take appropriate action.

Question 4

– [Configure and Use Secret Scanning] What is a prerequisite to define a custom pattern for a repository?

Accepted Answer

D

Explanation: Custom patterns are an extension of the core secret scanning functionality within GitHub Advanced Security. The ability to define, configure, and use these custom patterns is contingent upon the base secret scanning feature being active. Therefore, enabling secret scanning for the repository (or organization) is the fundamental prerequisite before you can proceed with defining any custom detection rules. Without the core service running, there is no mechanism to process or apply the custom patterns.

Question 5

– [Describe the GHAS Security Features and Functionality] What is a security policy?

Accepted Answer

C

Explanation: In the context of GitHub, a security policy is a specific file, SECURITY.md, that is added to a repository. The purpose of this file is to provide clear, public instructions to security researchers and users on the responsible and private process for reporting security vulnerabilities they may have discovered in the project. By centralizing these instructions, repository maintainers can manage incoming vulnerability reports more effectively and prevent premature public disclosure. GitHub integrates this file by linking to it from the repository's "Security" tab and when users open new issues.

Question 6

– [Configure GitHub Advanced Security Tools in GitHub Enterprise] What role is required to change a repository's code scanning severity threshold that fails a pull request status check?

Accepted Answer

D

Explanation: Configuring the rules for code scanning, including the severity thresholds that cause a pull request check to fail, is a critical repository security setting. According to official GitHub documentation, only users with administrative permissions for a repository have the authority to modify these settings. This restriction ensures that the repository's security posture is managed by authorized personnel and prevents contributors or maintainers from weakening security enforcement policies. The setting is located under the repository's "Settings" > "Code security and analysis" section, which is accessible only to administrators.

Question 7

– [Configure and Use Code Scanning] Who can fix a code scanning alert on a private repository?

Accepted Answer

C

Explanation: Fixing a code scanning alert requires modifying the source code and committing the changes to the repository. This action is fundamentally tied to the ability to write to the repository. According to GitHub's permission model, only users with 'write' permissions (or higher, such as 'maintain' or 'admin') can push commits to a repository's branches. While other roles can manage the alert itself (e.g., view or dismiss it), they lack the necessary permissions to alter the code and resolve the underlying vulnerability.

Question 8

– [Configure and Use Code Scanning] What is required to trigger code scanning on a specified branch?

Accepted Answer

D

Explanation: GitHub code scanning is implemented as a GitHub Actions workflow. For a workflow to execute in response to an event on a specific branch (e.g., a push or pullrequest), the YAML workflow file that defines the job and its triggers must be present in the .github/workflows directory of that branch. When an event occurs, GitHub checks the commit SHA associated with that event for a relevant workflow file. If the file does not exist in that branch's context, GitHub Actions has no instructions to run the code scan.

Question 9

– [Configure and Use Dependency Management] Which of the following workflow events would trigger a dependency review? (Each answer presents a complete solution. Choose two.)

Accepted Answer

A, B

Explanation: The dependency review feature in GitHub Advanced Security is implemented via the dependency-review-action. This action is primarily designed to run on the pullrequest event. This allows it to scan for dependency changes and vulnerabilities introduced in a pull request before they are merged into the main branch, displaying results directly in the pull request's "Files Changed" tab. The action can also be triggered manually using the workflowdispatch event. This provides the flexibility to run a dependency scan on-demand against any branch, outside of the standard pull request lifecycle, for auditing or specific security checks.

Question 10

– [Configure and Use Dependency Management] Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull request created via Dependabot security updates?

Accepted Answer

B

Explanation: Dependabot pull requests for security updates are managed like any other pull request within a repository. The ability to merge a pull request is determined by the repository's access permissions. The standard permission level required to merge pull requests is 'write' access. Users with this level of access can push changes to the repository and manage pull requests, including those automatically generated by Dependabot. Since the question specifies no custom configurations, these default GitHub permissions apply.

Question 11

– [Configure and Use Dependency Management]
In a private repository, what minimum requirements does GitHub need to generate a dependency
graph? (Each answer presents part of the solution. Choose two.)

Accepted Answer

B, D

Explanation: For GitHub to generate a dependency graph for a private repository, two fundamental requirements must be met. First, unlike public repositories where the feature is on by default, the dependency graph must be explicitly enabled for private repositories. This can be done at the individual repository level or set as a policy for new repositories at the organization level (Option B). Second, GitHub's analysis service requires read-only access specifically to the repository's dependency manifest and lock files (e.g., package.json, pom.xml, Gemfile.lock). This access allows GitHub to parse the declared dependencies and construct the graph (Option D).

Question 12

– [Configure and Use Dependency Management] Which Dependabot configuration fields are required? (Each answer presents part of the solution. Choose three.)

Accepted Answer

A, B, D

Explanation: The dependabot.yml configuration file requires a minimum set of fields for each package manager entry defined under the updates key. According to the official GitHub documentation, three fields are mandatory to define a basic update check: 1. package-ecosystem: Specifies the package manager to use (e.g., npm, maven, pip). 2. directory: Defines the location of the package manifest files (e.g., / for the root directory). 3. schedule.interval: Sets the frequency for checking for new versions (e.g., daily, weekly). Without these three fields, Dependabot cannot identify which dependencies to monitor, where to find them, or how often to check for updates.

Question 13

– [Configure and Use Secret Scanning] A secret scanning alert should be closed as "used in tests" when a secret is:

Accepted Answer

C

Explanation: The "used in tests" reason for closing a secret scanning alert is specifically for secrets that are not real, sensitive credentials but are instead mock or example tokens created exclusively for testing purposes. The defining characteristic is the secret's purpose and scope; it must have no access to production or other sensitive environments. Its presence in the codebase is considered safe only because the secret itself is non-functional outside of a controlled test context. The location of the secret (e.g., in a test file) is a common characteristic but not the definitive reason for dismissal; the nature of the secret is the critical factor.

Question 14

– [Configure and Use Dependency Management] A repository's dependency graph includes:

Accepted Answer

A

Explanation: The dependency graph for a specific repository is a feature that identifies all upstream dependencies and public downstream dependents. GitHub generates this graph by parsing manifest files (e.g., package.json, requirements.txt) and lock files (e.g., package-lock.json, Gemfile.lock) committed to the repository's default branch. This parsed information forms the basis of the graph, detailing the packages and versions the project relies on. Other security features, such as Dependabot alerts, then use this graph to identify vulnerabilities.

Question 15

– [Describe GitHub Advanced Security Best Practices] As a contributor, you discovered a vulnerability in a repository. Where should you look for the instructions on how to report the vulnerability?

Accepted Answer

D

Explanation: The SECURITY.md file is the officially recognized and standardized location within a GitHub repository for security-related information. Its primary purpose is to provide a security policy that instructs contributors and researchers on how to responsibly report security vulnerabilities they have discovered. When a SECURITY.md file is present in a repository's root, .github, or docs directory, GitHub automatically links to it from the repository's "Security" tab and when a user attempts to create a new issue, guiding them to the correct reporting process.

Free GitHub GitHub-Advanced-Security Actual Exam Questions