GitHub-Advanced-Security Exam Practice Test Instant Access

Question 1

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

As a repository owner, you want to receive specific notifications, including security alerts, for an individual repository. Which repository notification setting should you use?

AIgnore

BParticipating and @mentions

CAll Activity

DCustom

Answer : D

Using the Custom setting allows you to subscribe to specific event types, such as Dependabot alerts or vulnerability notifications, without being overwhelmed by all repository activity. This is essential for repository maintainers who need fine-grained control over what kinds of events trigger notifications.

This setting is configurable per repository and allows users to stay aware of critical issues while minimizing notification noise.

Question 2

-- [Use Code Scanning with CodeQL]

How would you build your code within the CodeQL analysis workflow? (Each answer presents a complete solution. Choose two.)

AUpload compiled binaries.

BUse CodeQL's init action.

CIgnore paths.

DImplement custom build steps.

EUse jobs.analyze.runs-on.

FUse CodeQL's autobuild action.

Answer : D, F

Comprehensive and Detailed Explanation:

When setting up CodeQL analysis for compiled languages, there are two primary methods to build your code:

GitHub Docs

Autobuild: CodeQL attempts to automatically build your codebase using the most likely build method. This is suitable for standard build processes.

GitHub Docs

Custom Build Steps: For complex or non-standard build processes, you can implement custom build steps by specifying explicit build commands in your workflow. This provides greater control over the build process.

GitHub Docs

The init action initializes the CodeQL analysis but does not build the code. The jobs.analyze.runs-on specifies the operating system for the runner but is not directly related to building the code. Uploading compiled binaries is not a method supported by CodeQL for analysis.

Question 3

-- [Configure and Use Secret Scanning]

How many alerts are created when two instances of the same secret value are in the same repository?

Answer : A

When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.

This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.

Question 4

-- [Configure and Use Secret Scanning]

Which patterns are secret scanning validity checks available to?

AHigh entropy strings

BCustom patterns

CPartner patterns

DPush protection patterns

Answer : C

Validity checks --- where GitHub verifies if a secret is still active --- are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

Question 5

-- [Describe the GHAS Security Features and Functionality]

What is a security policy?

AAn automatic detection of security vulnerabilities and coding errors in new or modified code

BA security alert issued to a community in response to a vulnerability

CA file in a GitHub repository that provides instructions to users about how to report a security vulnerability

DAn alert about dependencies that are known to contain security vulnerabilities

Answer : C

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project's transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a ''Report a vulnerability'' button in the repository's Security tab.

Question 6

-- [Use Code Scanning with CodeQL]

When using CodeQL, what extension stores query suite definitions?

A.yml

B.ql

C.qll

D.qls

Answer : D

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

Question 7

-- [Configure and Use Dependency Management]

Which of the following is the most complete method for Dependabot to find vulnerabilities in third-party dependencies?

ADependabot reviews manifest files in the repository

BCodeQL analyzes the code and raises vulnerabilities in third-party dependencies

CA dependency graph is created, and Dependabot compares the graph to the GitHub Advisory database

DThe build tool finds the vulnerable dependencies and calls the Dependabot API

Answer : C

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.

GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Practice Test