GitHub-Advanced-Security Exam Practice Test Instant Access

Question 1

-- [Use Code Scanning with CodeQL]

When using CodeQL, how does extraction for compiled languages work?

ABy generating one language at a time

BBy resolving dependencies to give an accurate representation of the codebase

CBy monitoring the normal build process

DBy running directly on the source code

Answer : C

For compiled languages, CodeQL performs extraction by monitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.

This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.

Question 2

-- [Configure and Use Dependency Management]

A repository's dependency graph includes:

ADependencies parsed from a repository's manifest and lock files.

BAnnotated code scanning alerts from your repository's dependencies.

CA summary of the dependencies used in your organization's repositories.

DDependencies from all your repositories.

Answer : A

The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.

It is specific to each repository and does not show org-wide or cross-repo summaries.

Question 3

-- [Configure and Use Dependency Management]

Which of the following is the most complete method for Dependabot to find vulnerabilities in third-party dependencies?

ADependabot reviews manifest files in the repository

BCodeQL analyzes the code and raises vulnerabilities in third-party dependencies

CA dependency graph is created, and Dependabot compares the graph to the GitHub Advisory database

DThe build tool finds the vulnerable dependencies and calls the Dependabot API

Answer : C

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.

Question 4

-- [Configure and Use Secret Scanning]

Which of the following statements best describes secret scanning push protection?

ACommits that contain secrets are blocked before code is added to the repository.

BSecret scanning alerts must be closed before a branch can be merged into the repository.

CButtons for sensitive actions in the GitHub UI are disabled.

DUsers need to reply to a 2FA challenge before any push events.

Answer : A

Comprehensive and Detailed Explanation:

Secret scanning push protection is a proactive feature that scans for secrets in your code during the push process. If a secret is detected, the push is blocked, preventing the secret from being added to the repository. This helps prevent accidental exposure of sensitive information.

GitHub Docs

Question 5

-- [Configure and Use Secret Scanning]

Where in the repository can you give additional users access to secret scanning alerts?

ASecurity

BSettings

CSecrets

DInsights

Answer : B

To grant specific users access to view and manage secret scanning alerts, you do this via the Settings tab of the repository. From there, under the 'Code security and analysis' section, you can add individuals or teams with roles such as security manager.

The Security tab only displays alerts; access control is handled in Settings.

Question 6

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

What role is required to change a repository's code scanning severity threshold that fails a pull request status check?

AMaintain

BWrite

CTriage

DAdmin

Answer : D

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

Question 7

-- [Configure and Use Secret Scanning]

What is the first step you should take to fix an alert in secret scanning?

AArchive the repository.

BUpdate your dependencies.

CRevoke the alert if the secret is still valid.

DRemove the secret in a commit to the main branch.

Answer : C

The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.

Simply deleting the secret from the code does not remove the risk if it hasn't been revoked --- especially since it may already be exposed in commit history.

GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Practice Test