GitHub-Advanced-Security Exam Practice Test Instant Access

Question 1

-- [Configure and Use Secret Scanning]

What is a prerequisite to define a custom pattern for a repository?

AChange the repository visibility to Internal

BClose other secret scanning alerts

CSpecify additional match criteria

DEnable secret scanning

Answer : D

You must enable secret scanning before defining custom patterns. Secret scanning provides the foundational capability for detecting exposed credentials, and custom patterns build upon that by allowing organizations to specify their own regex-based patterns for secrets unique to their environment.

Without enabling secret scanning, GitHub will not process or apply custom patterns.

Question 2

-- [Configure and Use Dependency Management]

Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull request created via Dependabot security updates?

AAn enterprise administrator

BA user who has write access to the repository

CA user who has read access to the repository

DA repository member of an enterprise organization

Answer : B

Comprehensive and Detailed Explanation:

By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.

Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.

Question 3

-- [Configure and Use Secret Scanning]

Which patterns are secret scanning validity checks available to?

AHigh entropy strings

BCustom patterns

CPartner patterns

DPush protection patterns

Answer : C

Validity checks --- where GitHub verifies if a secret is still active --- are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

Question 4

-- [Configure and Use Dependency Management]

Which key is required in the update settings of the Dependabot configuration file?

Arebase-strategy

Bcommit-message

Cassignees

Dpackage-ecosystem

Answer : D

In a dependabot.yml configuration file, package-ecosystem is a required key. It defines the package manager being used in that update configuration (e.g., npm, pip, maven, etc.).

Without this key, Dependabot cannot determine how to analyze or update dependencies. Other keys like rebase-strategy or commit-message are optional and used for customizing behavior.

Question 5

-- [Configure and Use Secret Scanning]

What happens when you enable secret scanning on a private repository?

ARepository administrators can view Dependabot alerts.

BYour team is subscribed to security alerts.

CGitHub performs a read-only analysis on the repository.

DDependency review, secret scanning, and code scanning are enabled.

Answer : C

When secret scanning is enabled on a private repository, GitHub performs a read-only analysis of the repository's contents. This includes the entire Git history and files to identify strings that match known secret patterns or custom-defined patterns.

GitHub does not alter the repository, and enabling secret scanning does not automatically enable code scanning or dependency review --- each must be configured separately.

Question 6

-- [Use Code Scanning with CodeQL]

As a developer with write access, you navigate to a code scanning alert in your repository. When will GitHub close this alert?

AAfter you triage the pull request containing the alert

BWhen you use data-flow analysis to find potential security issues in code

CAfter you find the code and click the alert within the pull request

DAfter you fix the code by committing within the pull request

Answer : D

GitHub automatically closes a code scanning alert when the vulnerable code is fixed in the same branch where the alert was generated, usually via a commit inside a pull request. Simply clicking or triaging an alert does not resolve it. The alert is re-evaluated after each push to the branch, and if the issue no longer exists, it is marked as resolved.

Question 7

-- [Describe GitHub Advanced Security Best Practices]

Which of the following tasks can be performed by a security team as a proactive measure to help address secret scanning alerts? (Each answer presents a complete solution. Choose two.)

ADismiss alerts that are older than 90 days.

BConfigure a webhook to monitor for secret scanning alert events.

CEnable system for cross-domain identity management (SCIM) provisioning for the enterprise.

DDocument alternatives to storing secrets in the source code.

Answer : B, D

To proactively address secret scanning:

Webhooks can be configured to listen for secret scanning events. This allows automation, logging, or alerting in real-time when secrets are detected.

Documenting secure development practices (like using environment variables or secret managers) helps reduce the likelihood of developers committing secrets in the first place.

Dismissal based on age is not a best practice without triage. SCIM deals with user provisioning, not scanning alerts.

GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Practice Test