Microsoft GH-500 Exam Practice Test Instant Access

Question 1

-- [Configure and Use Dependency Management]

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

AIt generates a Dependabot alert and displays it on the Security tab for the repository.

BIt notifies the repository administrators about the new alert.

CIt generates Dependabot alerts by default for all private repositories.

DIt consults with a security service and conducts a thorough vulnerability review.

Answer : A, B

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.

Question 2

-- [Use Code Scanning with CodeQL]

Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? (Each answer presents part of the solution. Choose three.)

AProcess alerts

BAnalyze code

CUpload scan results

DInstall the CLI

EWrite queries

Answer : B, C, D

When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):

Install the CLI: Needed to run CodeQL commands.

Analyze code: Perform the CodeQL analysis on your project with the CLI.

Upload scan results: Export the results in SARIF format and use GitHub's API to upload them to your repo's security tab.

You don't need to write custom queries unless extending functionality. ''Processing alerts'' happens after GitHub receives the results.

Question 3

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

As a developer, you need to configure a code scanning workflow for a repository where GitHub Advanced Security is enabled. What minimum repository permission do you need?

AWrite

BNone

CAdmin

DRead

Answer : A

To create or modify a code scanning workflow file (typically under .github/workflows/codeql-analysis.yml), you must have Write access to the repository.

Write permission allows you to commit the workflow file, which is required to run or configure code scanning using GitHub Actions.

Question 4

-- [Configure and Use Secret Scanning]

Which of the following statements most accurately describes push protection for secret scanning custom patterns?

APush protection must be enabled for all, or none, of a repository's custom patterns.

BPush protection is an opt-in experience for each custom pattern.

CPush protection is not available for custom patterns.

DPush protection is enabled by default for new custom patterns.

Answer : B

Comprehensive and Detailed Explanation:

Push protection for secret scanning custom patterns is an opt-in feature. This means that for each custom pattern defined in a repository, maintainers can choose to enable or disable push protection individually. This provides flexibility, allowing teams to enforce push protection on sensitive patterns while leaving it disabled for others.

Question 5

-- [Configure and Use Dependency Management]

When does Dependabot alert you of a vulnerability in your software development process?

AWhen a pull request adding a vulnerable dependency is opened

BAs soon as a vulnerable dependency is detected

CAs soon as a pull request is opened by a contributor

DWhen Dependabot opens a pull request to update a vulnerable dependency

Answer : B

Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your dependencies. GitHub does this by analyzing your repository's dependency graph and matching it against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system raises an alert automatically without waiting for a PR or manual action.

This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real-time detection.

Question 6

-- [Configure and Use Code Scanning]

After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?

ADraft a pull request to update the open-source query.

BIgnore the alert.

COpen an issue in the CodeQL repository.

DDismiss the alert with the reason 'false positive.'

Answer : D

When you identify that a code scanning alert is a false positive---such as when your code uses a custom sanitization method not recognized by the analysis---you should dismiss the alert with the reason 'false positive.' This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.

As per GitHub's documentation:

'If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis.'

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.

Question 7

-- [Configure and Use Dependency Management]

If default code security settings have not been changed at the repository, organization, or enterprise level, which repositories receive Dependabot alerts?

ARepositories owned by an enterprise account

BPrivate repositories

CNone

DRepositories owned by an organization

Answer : C

By default, no repositories receive Dependabot alerts unless configuration is explicitly enabled. GitHub does not enable Dependabot alerts automatically for any repositories unless:

The feature is turned on manually

It's configured at the organization or enterprise level via security policies

This includes public, private, and enterprise-owned repositories --- manual activation is required.

Microsoft GitHub Advanced Security GH-500 Exam Practice Test