Microsoft GH-500 Exam Questions Instant Access

Question 1

-- [Describe GitHub Advanced Security Best Practices]

What kind of repository permissions do you need to request a Common Vulnerabilities and Exposures (CVE) identification number for a security advisory?

AMaintain

BAdmin

CTriage

DWrite

Answer : B

Requesting a CVE ID for a security advisory in a GitHub repository requires Admin permissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.

Question 2

-- [Use Code Scanning with CodeQL]

Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? (Each answer presents part of the solution. Choose three.)

AProcess alerts

BAnalyze code

CUpload scan results

DInstall the CLI

EWrite queries

Answer : B, C, D

When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):

Install the CLI: Needed to run CodeQL commands.

Analyze code: Perform the CodeQL analysis on your project with the CLI.

Upload scan results: Export the results in SARIF format and use GitHub's API to upload them to your repo's security tab.

You don't need to write custom queries unless extending functionality. ''Processing alerts'' happens after GitHub receives the results.

Question 3

-- [Configure and Use Dependency Management]

Assuming there is no custom Dependabot behavior configured, where possible, what does Dependabot do after sending an alert about a vulnerable dependency in a repository?

ACreates a pull request to upgrade the vulnerable dependency to the minimum possible secure version

BScans repositories for vulnerable dependencies on a schedule and adds those files to a manifest

CConstructs a graph of all the repository's dependencies and public dependents for the default branch

DScans any push to all branches and generates an alert for each vulnerable repository

Answer : A

After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to the minimum required secure version---if a fix is available and compatible with your project.

This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.

Question 4

-- [Configure and Use Code Scanning]

After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?

ADraft a pull request to update the open-source query.

BIgnore the alert.

COpen an issue in the CodeQL repository.

DDismiss the alert with the reason 'false positive.'

Answer : D

When you identify that a code scanning alert is a false positive---such as when your code uses a custom sanitization method not recognized by the analysis---you should dismiss the alert with the reason 'false positive.' This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.

As per GitHub's documentation:

'If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis.'

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.

Question 5

-- [Configure and Use Dependency Management]

When does Dependabot alert you of a vulnerability in your software development process?

AWhen a pull request adding a vulnerable dependency is opened

BAs soon as a vulnerable dependency is detected

CAs soon as a pull request is opened by a contributor

DWhen Dependabot opens a pull request to update a vulnerable dependency

Answer : B

Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your dependencies. GitHub does this by analyzing your repository's dependency graph and matching it against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system raises an alert automatically without waiting for a PR or manual action.

This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real-time detection.

Question 6

-- [Configure and Use Dependency Management]

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

AIt generates a Dependabot alert and displays it on the Security tab for the repository.

BIt notifies the repository administrators about the new alert.

CIt generates Dependabot alerts by default for all private repositories.

DIt consults with a security service and conducts a thorough vulnerability review.

Answer : A, B

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.

Question 7

-- [Configure and Use Dependency Management]

What are Dependabot security updates?

AAutomated pull requests that help you update dependencies that have known vulnerabilities

BAutomated pull requests that keep your dependencies updated, even when they don't have any vulnerabilities

CAutomated pull requests to update the manifest to the latest version of the dependency

DCompatibility scores to let you know whether updating a dependency could cause breaking changes to your project

Answer : A

Dependabot security updates are automated pull requests triggered when GitHub detects a vulnerability in a dependency listed in your manifest or lockfile. These PRs upgrade the dependency to the minimum safe version that fixes the vulnerability.

This is separate from regular updates (which keep versions current even if not vulnerable).

Microsoft GitHub Advanced Security GH-500 Exam Questions