Microsoft GH-500 Exam Practice Test Instant Access

Question 1

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

What step is required to run a SARIF-compatible (Static Analysis Results Interchange Format) tool on GitHub Actions?

AUpdate the workflow to include a final step that uploads the results.

BBy default, the CodeQL runner automatically uploads results to GitHub on completion.

CThe CodeQL action uploads the SARIF file automatically when it completes analysis.

DUse the CLI to upload results to GitHub.

Answer : A

When using a SARIF-compatible tool within GitHub Actions, it's necessary to explicitly add a step in your workflow to upload the analysis results. This is typically done using the upload-sarif action, which takes the SARIF file generated by your tool and uploads it to GitHub for processing and display in the Security tab. Without this step, the results won't be available in GitHub's code scanning interface.

Question 2

-- [Describe GitHub Advanced Security Best Practices]

As a contributor, you discovered a vulnerability in a repository. Where should you look for the instructions on how to report the vulnerability?

Asupport.md

Breadme.md

Ccontributing.md

Dsecurity.md

Answer : D

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a ''Report a vulnerability'' button in the repository's Security tab.

Question 3

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

As a developer, you need to configure a code scanning workflow for a repository where GitHub Advanced Security is enabled. What minimum repository permission do you need?

AWrite

BNone

CAdmin

DRead

Answer : A

To create or modify a code scanning workflow file (typically under .github/workflows/codeql-analysis.yml), you must have Write access to the repository.

Write permission allows you to commit the workflow file, which is required to run or configure code scanning using GitHub Actions.

Question 4

-- [Use Code Scanning with CodeQL]

What does a CodeQL database of your repository contain?

AA build for Go projects to set up the project

BA build of the code and extracted data

CBuild commands for C/C++, C#, and Java

DA representation of all of the source code
GitHub
Agentic AI for AppSec Teams

Answer : B

Comprehensive and Detailed Explanation:

A CodeQL database contains a representation of your codebase, including the build of the code and extracted data. This database is used to run CodeQL queries to analyze your code for potential vulnerabilities and errors.

GitHub Docs

Question 5

-- [Configure and Use Dependency Management]

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

AIt generates a Dependabot alert and displays it on the Security tab for the repository.

BIt notifies the repository administrators about the new alert.

CIt generates Dependabot alerts by default for all private repositories.

DIt consults with a security service and conducts a thorough vulnerability review.

Answer : A, B

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.

Question 6

-- [Configure and Use Secret Scanning]

What YAML syntax do you use to exclude certain files from secret scanning?

Adecrypt_secret.sh

Bpaths-ignore:

Cbranches-ignore:

Dsecret scanning.yml

Answer : B

To exclude specific files or directories from being scanned by secret scanning in GitHub Actions, you can use the paths-ignore: key within your YAML workflow file.

This tells GitHub to ignore specified paths when scanning for secrets, which can be useful for excluding test data or non-sensitive mock content.

Other options listed are invalid:

branches-ignore: excludes branches, not files.

decrypt_secret.sh is not a YAML key.

secret scanning.yml is not a recognized filename for configuration.

Question 7

-- [Configure and Use Dependency Management]

Which of the following options would close a Dependabot alert?

ACreating a pull request to resolve the vulnerability that will be approved and merged

BViewing the Dependabot alert on the Dependabot alerts tab of your repository

CViewing the dependency graph

DLeaving the repository in its current state

Answer : A

A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code --- specifically after you merge a pull request that updates the vulnerable dependency.

Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.

Microsoft GitHub Advanced Security GH-500 Exam Practice Test