Microsoft GH-500 Exam Practice Test Instant Access

Question 1

-- [Describe GitHub Advanced Security Best Practices]

As a contributor, you discovered a vulnerability in a repository. Where should you look for the instructions on how to report the vulnerability?

Asupport.md

Breadme.md

Ccontributing.md

Dsecurity.md

Answer : D

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a ''Report a vulnerability'' button in the repository's Security tab.

Question 2

-- [Use Code Scanning with CodeQL]

Which CodeQL query suite provides queries of lower severity than the default query suite?

Agithub/codeql-go/ql/src@main

Bgithub/codeql/cpp/ql/src@main

Csecurity-extended

Answer : C

The security-extended query suite includes additional CodeQL queries that detect lower severity issues than those in the default security-and-quality suite.

It's often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.

The other options listed are paths to language packs, not query suites themselves.

Question 3

-- [Use Code Scanning with CodeQL]

Which of the following options are code scanning application programming interface (API) endpoints? (Each answer presents part of the solution. Choose two.)

AList all open code scanning alerts for the default branch

BModify the severity of an open code scanning alert

CGet a single code scanning alert

DDelete all open code scanning alerts

Answer : A, C

The GitHub Code Scanning API includes endpoints that allow you to:

List alerts for a repository (filtered by branch, state, or tool) --- useful for monitoring security over time.

Get a single alert by its ID to inspect its metadata, status, and locations in the code.

However, GitHub does not support modifying the severity of alerts via API --- severity is defined by the scanning tool (e.g., CodeQL). Likewise, alerts cannot be deleted via the API; they are resolved by fixing the code or dismissing them manually.

Question 4

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

What step is required to run a SARIF-compatible (Static Analysis Results Interchange Format) tool on GitHub Actions?

AUpdate the workflow to include a final step that uploads the results.

BBy default, the CodeQL runner automatically uploads results to GitHub on completion.

CThe CodeQL action uploads the SARIF file automatically when it completes analysis.

DUse the CLI to upload results to GitHub.

Answer : A

When using a SARIF-compatible tool within GitHub Actions, it's necessary to explicitly add a step in your workflow to upload the analysis results. This is typically done using the upload-sarif action, which takes the SARIF file generated by your tool and uploads it to GitHub for processing and display in the Security tab. Without this step, the results won't be available in GitHub's code scanning interface.

Question 5

-- [Configure and Use Dependency Management]

Assuming there is no custom Dependabot behavior configured, where possible, what does Dependabot do after sending an alert about a vulnerable dependency in a repository?

ACreates a pull request to upgrade the vulnerable dependency to the minimum possible secure version

BScans repositories for vulnerable dependencies on a schedule and adds those files to a manifest

CConstructs a graph of all the repository's dependencies and public dependents for the default branch

DScans any push to all branches and generates an alert for each vulnerable repository

Answer : A

After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to the minimum required secure version---if a fix is available and compatible with your project.

This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.

Question 6

-- [Configure and Use Dependency Management]

A dependency has a known vulnerability. What does the warning message include?

AThe security impact of these changes

BAn easily understandable visualization of dependency change

CHow many projects use these components

DA brief description of the vulnerability

Answer : D

When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.

This helps developers understand the context and urgency of the vulnerability before applying the fix.

Question 7

-- [Configure and Use Dependency Management]

You have enabled security updates for a repository. When does GitHub mark a Dependabot alert as resolved for that repository?

AWhen Dependabot creates a pull request to update dependencies

BWhen you dismiss the Dependabot alert

CWhen the pull request checks are successful

DWhen you merge a pull request that contains a security update

Answer : D

A Dependabot alert is marked as resolved only after the related pull request is merged into the repository. This indicates that the vulnerable dependency has been officially replaced with a secure version in the active codebase.

Simply generating a PR or passing checks does not change the alert status; merging is the key step.

Microsoft GitHub Advanced Security GH-500 Exam Practice Test