Microsoft GH-500 Exam Questions Instant Access

Question 1

-- [Configure and Use Code Scanning]

After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?

ADraft a pull request to update the open-source query.

BIgnore the alert.

COpen an issue in the CodeQL repository.

DDismiss the alert with the reason 'false positive.'

Answer : D

When you identify that a code scanning alert is a false positive---such as when your code uses a custom sanitization method not recognized by the analysis---you should dismiss the alert with the reason 'false positive.' This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.

As per GitHub's documentation:

'If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis.'

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.

Question 2

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

What role is required to change a repository's code scanning severity threshold that fails a pull request status check?

AMaintain

BWrite

CTriage

DAdmin

Answer : D

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

Question 3

-- [Configure and Use Secret Scanning]

How many alerts are created when two instances of the same secret value are in the same repository?

Answer : A

When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.

This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.

Question 4

-- [Use Code Scanning with CodeQL]

When using CodeQL, what extension stores query suite definitions?

A.yml

B.ql

C.qll

D.qls

Answer : D

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

Question 5

-- [Configure and Use Dependency Management]

In the pull request, how can developers avoid adding new dependencies with known vulnerabilities?

AEnable Dependabot alerts.

BAdd Dependabot rules.

CAdd a workflow with the dependency review action.

DEnable Dependabot security updates.

Answer : C

To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.

This is a preventative measure during development, unlike Dependabot, which reacts after the fact.

Question 6

-- [Configure and Use Dependency Management]

When does Dependabot alert you of a vulnerability in your software development process?

AWhen a pull request adding a vulnerable dependency is opened

BAs soon as a vulnerable dependency is detected

CAs soon as a pull request is opened by a contributor

DWhen Dependabot opens a pull request to update a vulnerable dependency

Answer : B

Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your dependencies. GitHub does this by analyzing your repository's dependency graph and matching it against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system raises an alert automatically without waiting for a PR or manual action.

This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real-time detection.

Question 7

-- [Configure and Use Dependency Management]

A dependency has a known vulnerability. What does the warning message include?

AThe security impact of these changes

BAn easily understandable visualization of dependency change

CHow many projects use these components

DA brief description of the vulnerability

Answer : D

When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.

This helps developers understand the context and urgency of the vulnerability before applying the fix.

Microsoft GitHub Advanced Security GH-500 Exam Questions