Free Microsoft GH-500 Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the GH-500 certification exam, developed and validated by Microsoft subject domain experts certified in Microsoft GH-500. These practice questions are updated regularly: we keep an eye on any recent changes in the GH-500 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that provides extra perspective and introduces helpful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Microsoft GH-500 exam questions and pass your exam on the first try.
Secret scanning will scan:
C. Secret scanning is specifically designed for GitHub repositories, not external services or CI systems. It scans commits and pushes to those repos to catch secrets before they get exposed. Public repos have it enabled by default, but private repos might need you to turn it on manually. So it doesn’t cover just any Git repo anywhere, only the ones hosted on GitHub. That rules out B and D pretty clearly.
Makes sense to exclude A since CI systems aren’t the main target here. Secret scanning is more about the repo content itself, so C fits best.
Why should you dismiss a code scanning alert?
It’s A, since you shouldn’t dismiss alerts unless the issue’s actually fixed.
What about A? Fixing the issue seems like the main reason to dismiss alerts.
A secret scanning alert should be closed as "used in tests" when a secret is:
Guessing C since “solely used for tests” feels more precise than just “in a test file.”
Maybe B makes sense since test files are where test secrets typically live, so closing alerts for secrets found there could be standard practice without needing to verify exclusivity.
Which of the following formats are used to describe a Dependabot alert? (Each answer presents a complete solution. Choose two.)
A/C? CWE is pretty common for categorizing types of weaknesses, which makes sense for describing alerts. CVE is definitely used to ID specific vulnerabilities, so that’s a solid pick too. VEX feels more like detailed exploit info rather than the alert format itself, and EPSS seems more predictive than descriptive. So I’d go with A and C here.
C imo, CVE is definitely used to identify vulnerabilities clearly. D also fits because VEX deals with sharing exploitability info, which is relevant to alerts.
As a repository owner, you do not want to run a GitHub Actions workflow when changes are made to any .txt or markdown files. How would you adjust the event trigger for a pull request that targets the main branch? (Each answer presents part of the solution. Choose three.)
on:
  pull_request:
    branches: [main]
D with A and B feels right since paths-ignore is for skipping files, and A and B cover all .md and .txt files broadly. E is too narrow, focusing only on docs/*.md.
Probably D, A, and B since paths-ignore with those patterns excludes all .md and .txt files globally.
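For reference, here is what the completed trigger from the question looks like in a full workflow file. This is an added example, not part of the exam question or the discussion; the `'**.md'` and `'**.txt'` glob patterns are assumed from the discussion's description of the missing options ("all .md and .txt files globally"), and the job body is a placeholder.

```yaml
# Added example: skip CI for pull requests into main that touch only
# documentation (.md) or plain-text (.txt) files.
name: CI

on:
  pull_request:
    branches: [main]
    # paths-ignore skips the run when EVERY changed file matches a pattern.
    # '**.md' matches Markdown files at any depth, unlike 'docs/*.md',
    # which would only cover one directory.
    paths-ignore:
      - '**.md'
      - '**.txt'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder step standing in for the real build/test commands.
      - run: echo "At least one non-documentation file changed, so CI runs."
```

One caveat to keep in mind when this trigger is combined with branch protection: a job skipped by `paths-ignore` reports no status at all, so if it is configured as a required status check the pull request will wait on a check that never arrives.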
Which of the following benefits do code scanning, secret scanning, and dependency review provide?
Maybe A, it’s the only option that covers all three tools properly instead of just one or two parts. C just talks about dependencies, so doesn’t fully fit the question.
Option C fits since it focuses on alerts for vulnerable dependencies, which is a key benefit of dependency review. The others mention broader or slightly different features that don’t cover all three tools equally.
Which security feature shows a vulnerable dependency in a pull request?
Maybe B, since dependency review highlights issues right in the pull request itself.
C/D? Dependabot alerts (C) notify about vulnerabilities but usually after the PR is created, while the Security tab (D) is more of a dashboard, not PR-specific. So C fits better for showing issues tied to a PR.
What does code scanning do?
C/D? C fits because CodeQL finds vulnerabilities, but D also mentions scanning history for secrets, which sounds familiar. Not sure if CodeQL covers secrets or just code issues.
It mainly scans repos for vulnerabilities, so C.
Which of the following options would close a Dependabot alert?
Option A makes sense since the alert only closes when the fix gets merged, not just created or approved. The other options don’t change the alert status.
It’s A because the alert only closes once the fix is merged, not just created or approved. Just viewing or ignoring the alert doesn’t close it.
[Configure and Use Secret Scanning] Which details do you have to provide to create a custom pattern for secret scanning? (Each answer presents part of the solution. Choose two.)
B and D, you need to name it and refine the matching criteria clearly.
Maybe B and D. You need to name the pattern and specify how exactly it should match, which feels like the core of creating a custom pattern. The secret format might be covered by those match requirements.
What is the first step you should take to fix an alert in secret scanning?
Adeel A. imo, archiving the repo (A) is way too drastic as a first step. You want to fix the secret issue, not just lock everything down immediately. Better to focus on removing or revoking the secret first.
B tbh, updating dependencies is a quick way to fix if the secret comes from outdated or vulnerable libraries. Removing secrets is key, but sometimes the root cause is an old dependency.
Which of the following is the best way to prevent developers from adding secrets to the repository?
A imo isn’t really about stopping secrets, it’s just about ownership and reviews. B makes no sense since public repos would expose secrets more, not prevent adding them. C sounds vague and more about oversight than prevention. D actually blocks pushes containing secrets, so it’s the most direct way to stop secrets from ever entering the repo. Even if the platform isn’t specified, D fits best for the question’s goal of prevention rather than detection.
Makes sense, but enabling push protection (D) directly stops secrets at commit time, so D.
You are a maintainer of a repository and Dependabot notifies you of a vulnerability. Where could the vulnerability have been disclosed? (Each answer presents part of the solution. Choose two.)
I see where A and C come from, but I think B is worth considering too. The dependency graph isn’t just for mapping dependencies; it can highlight vulnerabilities once they’re known. If a vulnerability is discovered, it gets flagged there as part of the dependency info. So maybe the vulnerability could be disclosed or at least shown in the dependency graph itself alongside the affected packages. D seems off since manifest and lock files just list dependencies, not vulnerabilities. So my picks would be A and B.
A/C? The National Vulnerability Database is a known public source for disclosed vulnerabilities, and GitHub security advisories are another official channel where these get reported. B and D seem more like tools for managing or detecting the issue rather than sources of disclosure. So, the actual vulnerability details would originate from A and C, not from dependency graphs or manifest files.
Assuming security and analysis features are not configured at the repository, organization, or enterprise level, secret scanning is enabled on:
Maybe A makes the most sense since public repos are open and more vulnerable, so secret scanning would be default there to protect sensitive info without extra setup.
Looks like secret scanning turns on automatically for public repos, which matches option A. Private repos need manual setup, so that rules out the others. A it is.
In the pull request, how can developers avoid adding new dependencies with known vulnerabilities?
It’s C because it actively scans the PR before merging, unlike alerts or updates.
Option C makes the most sense to me because adding a workflow with the dependency review action actively checks each PR for issues, stopping vulnerable dependencies before they get merged. That’s more direct than just alerts or updates.
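A workflow that does what the discussion describes, checking each pull request for newly introduced vulnerable dependencies before merge. This is an added example and not part of the exam question or the community answers; the severity threshold and the `comment-summary-in-pr` setting are choices made here, and the repository must have the dependency graph enabled for the action to have data to compare.

```yaml
# Added example: gate pull requests into main on a dependency review.
# The action diffs the dependency manifests between base and head and
# fails the job if a newly added dependency has a known vulnerability
# at or above the configured severity.
name: Dependency review

on:
  pull_request:
    branches: [main]

# Least privilege: read the code, write only to post the summary comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Block on high and critical; lower severities still show in the summary.
          fail-on-severity: high
          # Post the findings as a PR comment so reviewers see them in context.
          comment-summary-in-pr: always
```

Adding this job as a required status check turns the review from advisory into a merge gate, which is the difference between Dependabot alerts (detect after the fact) and dependency review (prevent at the pull request).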