-- [Configure and Use Secret Scanning]
How many alerts are created when two instances of the same secret value are in the same repository?
Answer : A
When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.
This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.
-- [Configure and Use Dependency Management]
In a pull request, how can developers avoid adding new dependencies with known vulnerabilities?
Answer : C
To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans every proposed dependency change in the pull request and flags any package with known vulnerabilities.
This is a preventative measure during development, unlike Dependabot, which reacts after the vulnerable dependency has already been merged.
-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]
What role is required to change a repository's code scanning severity threshold that fails a pull request status check?
Answer : D
To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.
Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.
-- [Use Code Scanning with CodeQL]
When using CodeQL, what extension stores query suite definitions?
Answer : D
Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.
In contrast:
.ql files are individual queries.
.qll files are libraries used by .ql queries.
.yml is used for workflows, not query suites.
-- [Configure and Use Dependency Management]
A dependency has a known vulnerability. What does the warning message include?
Answer : D
When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the CVE identifier (if one exists), a short summary of the issue, its severity level, and its potential impact. The message also links to additional advisory data in the GitHub Advisory Database.
This helps developers understand the context and urgency of the vulnerability before applying the fix.
-- [Use Code Scanning with CodeQL]
As a developer with write access, you navigate to a code scanning alert in your repository. When will GitHub close this alert?
Answer : D
GitHub automatically closes a code scanning alert when the vulnerable code is fixed in the same branch where the alert was generated, usually via a commit inside a pull request. Simply clicking or triaging an alert does not resolve it. The alert is re-evaluated after each push to the branch, and if the issue no longer exists, it is marked as resolved.
-- [Use Code Scanning with CodeQL]
Which CodeQL query suite provides queries of lower severity than the default query suite?
Answer : C
The security-extended query suite includes additional CodeQL queries that detect lower-severity issues than those in the default security-and-quality suite.
It is often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.
The other options listed are paths to language packs, not query suites themselves.