Free Microsoft GH-500 Actual Exam Questions - Question 12 Discussion
Which of the following is the best way to prevent developers from adding secrets to the repository?
A imo isn’t really about stopping secrets, it’s just about ownership and reviews. B makes no sense since public repos would expose secrets more, not prevent adding them. C sounds vague and more about oversight than prevention. D actually blocks pushes containing secrets, so it’s the most direct way to stop secrets from ever entering the repo. Even if the platform isn’t specified, D fits best for the question’s goal of prevention rather than detection.
Makes sense, but enabling push protection (D) directly stops secrets at commit time, so D.
It’s D for sure. Push protection actually stops the secret from ever entering the repo, rather than relying on someone to notice it later during review or after the fact. Options like CODEOWNERS or a security manager are more about catching issues after the fact or managing permissions, not prevention. Making the repo public (B) obviously doesn't prevent secrets either, and could make things worse. So D is the only one that directly blocks secrets from getting committed in the first place.
C/A? CODEOWNERS doesn't directly stop secrets, but it forces review by specific people who can catch issues before merge. Security manager might help but is less direct than code reviews.
D seems right. Enabling push protection would stop secrets from being pushed in the first place.