GitHub Advanced Security Certification Practice Test Questions and Answers Part - 1

Table of Contents

GitHub Advanced Security Certification Practice Test Questions and Answers Part - 1

Also Read: GitHub Foundations Certification Practice Test Questions and Answers Part - 1

1. What are Dependabot auto-triage rules?

a) Dependabot auto-triage rules are used for automatically deleting old dependencies in your project.

b) It's a feature that allows Dependabot to automatically dismiss Dependabot alerts that match certain criteria.

c) Auto-triage rules are defined in the dependabot.yml configuration file to specify which package managers should be used to scan your project for vulnerabilities.

d) Auto triage rules define how often Dependabot should scan your project for vulnerabilities.

Ans. b) It's a feature that allows Dependabot to automatically dismiss Dependabot alerts that match certain criteria.

2. How can you automate dismissing low severity Dependabot alerts?

a) By using Dependabot's auto-triage rules.

b) By setting the severity field in dependabot.yml file to high

c) By setting the dismiss-severity field in dependabot.yml file to low

d) By removing all dependencies that cause low severity alerts

Ans. a) By using Dependabot's auto-triage rules.

3. To enable Dependabot security updates on all repositories in an organization you should:

a) Go to the organization's Code security and analysis settings and enable Dependabot Security Updates for all repositories at once.

b) Run the actions/enable-ghas GitHub Action with security-updates parameter set to true on all repositories in the organization.

c) Create a script that will enable Dependabot Security Updates on all repositories in the organization.

d) Make all repositories in the organization private.

Ans. a) Go to the organization's Code security and analysis settings and enable Dependabot Security Updates for all repositories at once.

4. The tool that checks if a pull request introduces any dependencies with security vulnerabilities is called:

a) Dependabot Security Updates

b) Dependabot Alerts

c) Dependency Review

d) Dependabot Version Updates

Ans. c) Dependency Review

5. You need GitHub Actions enabled for

a) None of these

b) All of these

c) Dependabot Security Updates

d) Dependency Review

e) Dependabot Version Updates

Ans. d) Dependency Review

6. What does CVSS stand for?

a) Code Verification Security System

b) Cybersecurity Validation Scoring Scheme

c) Common Vulnerability Scoring System

d) Critical Vulnerability Scanning Service

Ans. c) Common Vulnerability Scoring System

7. What does CVE stand for?

a) Cybersecurity Verification Entity

b) Common Virus Elimination

c) Code Validation and Enumeration

d) Common Vulnerabilities and Exposures

Ans. d) Common Vulnerabilities and Exposures

8. What does CWE stand for?

a) Code Wrapping Engine

b) Critical Web Elements

c) Common Weakness Enumeration

d) Cybersecurity Weakness Enumeration

Ans. c) Common Weakness Enumeration

9. Which Dependabot comment command will get a pull request successfully completed?

a) @dependabot merge

b) @dependabot rebase

c) @dependabot cancel merge

d) @dependabot close

Ans. a) @dependabot merge

10. Jobs that run on macOS runners that GitHub hosts consume minutes at __ rate as Linux runners consume

a) the same

b) 2x

c) 10x

d) 5x

Ans. c) 10x

11. What is CodeQL?

a) A code analysis tool

b) A programming language

c) A version control system

d) A text editor

Ans. a) A code analysis tool

12. What does shifting left mean in the context of Security?

a) Adopting security practices early in the development cycle

b) Writing code without worrying about security

c) Writing code in a language that is commonly used

d) Incorporating security practices right before hitting production

Ans. a) Adopting security practices early in the development cycle

13. What are Repository Security Advisories?

a) A private space where repository maintainers can discuss vulnerabilities and security issues within the codebase.

b) It's a place to gather and publicly discuss security issues in the open source community.

c) GitHub security experts that help GitHub Enterprise users with their security issues.

d) A list of security issues that are publicly available for anyone to see and stay away from.

Ans. a) A private space where repository maintainers can discuss vulnerabilities and security issues within the codebase.

14. Which tool helps you keep the repository dependencies up to date?

a) CodeQL

b) GitHub Actions

c) Dependabot

d) Security Advisories

Ans. c) Dependabot

15. Which of the following is a curated list of security vulnerabilities found in open source projects?

a) Dependabot

b) CodeQL

c) GitHub Advisory Database

d) GitHub Security Journal

Ans. c) GitHub Advisory Database

16. Which of these GitHub security features are available for FREE for both public and private personal repositories? (Choose four.)

a) Dependabot code scanning

b) Dependabot alerts and security updates

c) Security Policy

d) Dependabot version updates

e) Secret scanning

f) Code scanning

g) Security advisories

h) Dependabot secret scanning

Ans. b) Dependabot alerts and security updates

c) Security Policy

d) Dependabot version updates

g) Security advisories

17. Which of these best describes secret scanning?

a) Secret scanning scans your repository for secrets such as private keys or tokens.

b) Secret scanning scans your repository for potential code vulnerabilities that could expose secrets such as private keys or tokens.

c) Secret scanning is a git hook that will scan your commits for secrets such as private keys or tokens before they are pushed to GitHub.

d) Secret scanning is a tool for secure secret storage and management.

Ans. a) Secret scanning scans your repository for secrets such as private keys or tokens.

18. How many days in Git history are scanned by Secret scanning?

a) 90

b) 30

c) All history

d) 120

Ans. c) All history

19. Which branch(s) is/are scanned to detect the secrets?

a) All the branches

b) Active branch (last 30 days)

c) Default branch

d) Main/master branch

Ans. a) All the branches

20. Which GHAS feature allows you to prevent pushing a commit which contains a secret?

a) Commit scanning

b) Push scanning

c) Push protection

d) Check commit

Ans. c) Push protection

21. Can you add custom patterns to detect specific secrets?

a) No

b) Yes

Ans. b) Yes

22. Does Dependency graph scan your source code?

a) Yes

b) No

Ans. b) No

23. What are the CodeQL languages supported? (Choose three)

Select all that apply:

a) F#

b) Ruby on rail

c) Java

d) PHP

e) SQL

f) C/C++

g) Python

Ans. c) Java

f) C/C++

g) Python

24. What are the supported packages managers by Dependabot? (Choose three)

Select all that apply:

a) Yum

b) Men

c) Brew

d) PIP

e) APT

f) Yarn

g) Nuget

Ans. d) PIP

f) Yarn

g) Nuget

25. Which file format permits to integrate results for a 3rd party scanning tool?

a) PDF

b) GIF

c) SARIF

d) JPEG

Ans. c) SARIF

26. What are Dependabot security updates?

a) It's a Dependabot feature that creates a list of vulnerable dependencies in your repository.

b) It's a Dependabot feature that creates alerts when a security vulnerability is detected in one of your dependencies.

c) It's a Dependabot feature that automatically creates pull requests to update dependencies in your repository when they release a new version.

d) It's a Dependabot feature that automatically creates pull requests to update vulnerable dependencies in your repository.

Ans. d) It's a Dependabot feature that automatically creates pull requests to update vulnerable dependencies in your repository.

27. What is a CodeQL query suite?

a) CodeQL suite is a collection of CodeQL databases

b) CodeQL suite is a collection of CodeQL supported languages

c) CodeQL suite is a collection of CodeQL results

d) CodeQL suite is a collections of CodeQL queries

Ans. d) CodeQL suite is a collections of CodeQL queries

28. What is a CodeQL query pack?

a) It's a library used by CodeQL queries

b) It's a set of results that were generated in the process of analyzing a CodeQL database

c) It's a set of pre-compiled queries with all transitive dependencies such as libraries and models

d) It's a collection of CodeQL queries

Ans. c) It's a set of pre-compiled queries with all transitive dependencies such as libraries and models

29. What are the steps of CodeQL analysis workflow?

a) Running CodeQL queries -> Interpreting the results

b) Creating a CodeQL database -> Interpreting the results -> Running CodeQL queries

c) Running CodeQL queries -> Creating a CodeQL database -> Interpreting the results

d) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results

Ans. d) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results

30. What is the purpose of the `external-repository-token` parameter in `github/codeql-action/init` GitHub Action?

a) It allows the action to access a private GitHub repository that contains the source code to be analyzed.

b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.

c) It allows the action to upload the generated CodeQL database to a private GitHub repository.

d) It allows the action to upload the results of the analysis to a private GitHub repository.

Ans. b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.

31. How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two)

Select all that apply:

a) By using the github/codeql-customizations GitHub Action

b) By using the CodeQL CLI with a custom configuration file to run the analysis

c) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action

d) By using a custom configuration file and defining additional queries there

e) By defining the customizations in the Security / Code scanning repository settings

Ans. c) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action

d) By using a custom configuration file and defining additional queries there

32. Where can you see when the last CodeQL analysis was run when using the default code scanning setup?

a) In the code scanning tool status page

b) In repository insights

c) You can't see that information with the default setup

d) In the Dependabot tab

Ans. a) In the code scanning tool status page

33. Which of the following statements about enabling CodeQL scanning default setup are true? (Choose two)

Select all that apply:

a) You can enable default setup on any repository, regardless of the contents of the repository

b) Default setup will scan the repository on a schedule that you can configure. For event-based scanning, you need to configure a GitHub Action workflow

c) GitHub Actions need to be enabled as a prerequisite

d) You can only use the default query suite with default CodeQL scanning setup

e) You can enable default setup for all eligible repositories in an organization at once in the organization settings

Ans. c) GitHub Actions need to be enabled as a prerequisite

e) You can enable default setup for all eligible repositories in an organization at once in the organization settings

34. What is the purpose of defining a SARIF category?

a) Use the category to distinguish files that contain vulnerabilities from files that do not contain vulnerabilities.

b) Use a different category for each file that has been analyzed to easily track back the vulnerabilities to the files that contain them.

c) Use the category to distinguish files that have been analyzed from files that have not been analyzed.

d) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.

Ans. d) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.

35. When viewing a code scanning alert what is the `Show paths` option used for?

a) It's used for showing the paths to the CodeQL queries that were used to find the vulnerability

b) It will show recommendations on how to fix the vulnerability

c) It will display the path through the code that leads to the issue causing the alert.

d) It's used for showing the file path to the CodeQL database that was used to find the vulnerability

Ans. c) It will display the path through the code that leads to the issue causing the alert.

36. What details can you find on a code scanning alert page? (Choose three)

Select all that apply:

a) Highlighted vulnerable code

b) Information how many times the vulnerability has been exploited

c) Assigned developer to fix the vulnerability

d) Severity of the vulnerability

e) Branches affected by the vulnerability

f) ID of the CodeQL database that was used to find the vulnerability

Ans. a) Highlighted vulnerable code

d) Severity of the vulnerability

e) Branches affected by the vulnerability

37. What is the purpose of the `codeql database analyze` command in CodeQL CLI?

a) Analyzing a CodeQL database and uploading the results to GitHub.

b) Analyzing a CodeQL database, producing results usually in the form of security advisories.

c) Analyzing the source code, producing a CodeQL database.

d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.

Ans. d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.

38. Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?

a) GET /orgs/{org}/{repo}/code-scanning/alerts

b) GET /{enterprise}/{org}/{repo}/code-scanning/alerts

c) GET /github/{repo}/code-scanning/alerts

d) GET /repos/{owner}/{repo}/code-scanning/alerts

Ans. d) GET /repos/{owner}/{repo}/code-scanning/alerts

39. Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?

a) GET /github/{org}/secret-scanning/alerts

b) GET /enterprises/{enterprise}/secret-scanning/alerts

c) GET /repos/{owner}/{repo}/secret-scanning/alerts

d) GET /orgs/{org}/secret-scanning/alerts

Ans. d) GET /orgs/{org}/secret-scanning/alerts

40. Which API endpoint can be used to retrieve a list of all dependabot alerts for an enterprise?

a) GET /repos/{owner}/{repo}/dependabot/alerts

b) GET /enterprises/{enterprise}/dependabot/alerts

c) GET /orgs/{org}/dependabot/alerts

d) GET /github/{enterprise}/dependabot/alerts

Ans. b) GET /enterprises/{enterprise}/dependabot/alerts

41. When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?

a) Code scanning can be triggered on a configurable schedule or on pull requests.

b) Code scanning is triggered on every push to the repository.

c) Code scanning can be triggered for many different events that happen in the repository.

d) Code scanning is triggered on a configurable schedule.

Ans. c) Code scanning can be triggered for many different events that happen in the repository.

42. Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code?

a) Security policies

b) Dependabot alerts

c) Security advisories

d) Code scanning

Ans. d) Code scanning

43. An organization has recently started using CodeQL analysis for all pull requests on their repositories as well as running the analysis on an hourly schedule. Since then they are experiencing larger than usual GitHub Actions bills. What is the most likely cause of this?

a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.

b) Code scanning can only be run on a daily schedule and the organization is being billed for the additional usage.

c) The code scanning analysis is finding more issues than expected and is taking longer to complete.

d) There is no correlation between code scanning and GitHub Actions billing. The organization is being billed for other GitHub Actions workflows.

Ans. a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.

44. How can CodeQL be used in an external CI system together with GitHub repositories?

a) CodeQL cannot be used in external CI systems; it is exclusive to GitHub Actions.

b) Manually run CodeQL locally and email the results to the GitHub repository administrators.

c) Upload source code to GitHub for analysis and then download results for use in the CI system.

d) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository.

Ans. d) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository.

45. What does the default CodeQL analysis setup in GitHub do?

a) Requires separate installation of third-party scanning tools

b) Scans code only on a monthly basis

c) Manually requires users to specify languages and queries for each scan

d) Automatically chooses languages to analyze, query suite to run, and events that trigger scans

Ans. d) Automatically chooses languages to analyze, query suite to run, and events that trigger scans

46. Public repositories owned by personal users as well as public repositories owned by organizations can use secret scanning for free.

a) True

b) False

Ans. a) True

47. Which parts of the repository are scanned by secret scanning? (Choose two.)

a) GitHub Repository secrets

b) Entire git history on all branches in the repository

c) Titles, descriptions and comments in open and closed historical issues

d) Entire git history on all protected branches in the repository

e) GitHub Environment secrets

Ans. b) Entire git history on all branches in the repository

c) Titles, descriptions and comments in open and closed historical issues

48. What's the purpose of the Secret scanning partner program?

a) GitHub Partner program allows enterprises and organizations with GitHub Advanced Security license to use GitHub secret scanning to scan their repositories.

b) Service Providers can partner with GitHub so that the format of their secrets can be recognized by GitHub secret scanning.

c) GitHub partners with external security companies to provide secret scanning for GitHub repositories.

d) It's a program where registered security professionals can in good faith report to GitHub any secrets they find in GitHub repositories and get paid rewards for it.

Ans. b) Service Providers can partner with GitHub so that the format of their secrets can be recognized by GitHub secret scanning.

49. How can you prevent commits containing cloud provider credentials from being pushed to GitHub?

a) Create a GitHub Action that will scan your commits for secrets before they are pushed to GitHub.

b) Enable a branch protection rule for your repository.

c) Enable a secret scanning push protection rule for your repository or organization.

d) Include a .gitignore file in your repository that will ignore files containing secrets.

Ans. c) Enable a secret scanning push protection rule for your repository or organization.

50. Which of these is true about the GitHub secret scanning partner program? (Choose three.)

a) It is a program where service providers can provide GitHub with the regex patterns of secrets that they issue so GitHub secret scanning can recognize them.

b) It grants the partner access to the secret GitHub scanning API so that the service provider can scan GitHub repositories for secrets that match their format.

c) The partner can take actions upon receiving notification from GitHub about a leaked secret, such as revoking the secret and informing the owner of the compromised secret.

d) When GitHub identifies a secret from a partnered service provider, it notifies the service provider about the leaked secret.

e) GitHub has the ability to automatically revoke leaked secrets and notify the service provider that they have been invalidated by GitHub.

Ans. a) It is a program where service providers can provide GitHub with the regex patterns of secrets that they issue so GitHub secret scanning can recognize them.

c) The partner can take actions upon receiving notification from GitHub about a leaked secret, such as revoking the secret and informing the owner of the compromised secret.

d) When GitHub identifies a secret from a partnered service provider, it notifies the service provider about the leaked secret.

51. How can you exclude certain directories or files from secret scanning?

a) By creating a secret_scanning.yml file and including paths that should not be scanned

b) Include these files in the .gitignore file

c) It's not possible to exclude specific files and/or directories from being scanned. Once you enable secret scanning for a repository, all files and directories will be scanned.

d) By creating a dependabot.yml file and including paths which should not be scanned

Ans. a) By creating a secret_scanning.yml file and including paths that should not be scanned

52. You have included some fake secrets in your test code and they have been picked up by GitHub's secret scanning. What can you do to tell GitHub that these are fake secrets used in tests and can be ignored by secret scanning? (Choose two.)

a) By creating a secret_scanning.yml file within which you declare paths where fake secrets are located, so scans will omit them

b) Close the Secret Scanning Alert with Used in tests close reason

c) By creating a .github/codeql.yml file within which you declare paths where fake secrets are located, so scans will omit them

d) In your test files, add a comment #gh_ignore: fake secret on the line where the fake secret is located.

Ans. a) By creating a secret_scanning.yml file within which you declare paths where fake secrets are located, so scans will omit them

b) Close the Secret Scanning Alert with Used in tests close reason

53. You have accidentally committed your GitHub personal access token to a public repository. What actions should you take to prevent your account from being compromised?

a) Change the token's permissions to read-only

b) Overwrite the git history to mask the token

c) Consider the token compromised and delete it immediately

d) Check if this token is used in any of your applications, if so - delete it.

Ans. c) Consider the token compromised and delete it immediately

54. What is the behavior when a new secret pattern is added or updated in the GitHub secret scanning partner program?

a) GitHub will only scan for the new pattern in newly pushed commits in repositories with secret scanning enabled. If a secret of that pattern was already present in the repository, it will not be detected.

b) The GitHub partner has to deal with the historically leaked secrets and GitHub will only scan any new commits for the new pattern

c) GitHub will create an issue in all repositories with secret scanning enabled so the maintainers can check the repository for any secrets matching the new pattern

d) GitHub will run a scan of all historical code content in public repositories with secret scanning enabled

Ans. d) GitHub will run a scan of all historical code content in public repositories with secret scanning enabled

55. Who will be notified when a NEW secret is pushed and detected in a repository? (Choose five.)

a) Commit authors

b) All Organization owners and enterprise owners

c) Security Managers

d) Everyone with write access to the repository

e) Users with custom roles with read/write access

f) Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked

g) Repository Administrators

Ans. a) Commit authors

c) Security Managers

e) Users with custom roles with read/write access

f) Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked

g) Repository Administrators

56. When GitHub runs a scan of all historical code in enterprise repositories what is the notification behavior? (Select two.)

a) GitHub notifies the enterprise owners and security managers, even if no secrets are found.

b) GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository.

c) GitHub notifies the commit authors of the commits that contain exposed secrets.

d) GitHub notifies the enterprise owners and security managers, only if it detects exposed secrets.

Ans. a) GitHub notifies the enterprise owners and security managers, even if no secrets are found.

b) GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository.

57. Does GitHub use the same set of secret scanning patterns for both user alerts and push protection alerts?

a) No, these are different sets of secret patterns

b) Yes, its the same set of secret patterns

Ans. a) No, these are different sets of secret patterns

58. What are the three different sets of secret scanning patterns that GitHub maintains? (Select three.)

a) Enterprise alert patterns

b) Partner patterns

c) User alert patterns

d) Cloud provider patterns

e) Push protection patterns

f) Open source alert patterns

Ans. b) Partner patterns

c) User alert patterns

e) Push protection patterns

59. Multiple public repositories that you are contributing to do not have secret scanning push protection option enabled. What can you do to protect yourself from accidentally pushing secrets to these repositories?

a) It's not possible, push protection has to be enabled on any of repository, organization or enterprise level

b) Download the GitHub push protection web plugin

c) Add the files containing secrets to .gitignore file in all of the repositories

d) Enable Push protection for yourself, in your personal GitHub account settings

Ans. d) Enable Push protection for yourself, in your personal GitHub account settings

60. Which file is typically used to configure CodeQL analysis in a repository?

a) .github/workflows/codeql-analysis.yml

b) .github/codeql-config.yml

c) codeql-analysis-config.json

d) .git/config

Ans. a) .github/workflows/codeql-analysis.yml

61. Which GitHub API can be used to automate security tasks?

a) GraphQL API

b) REST API

c) Both a and b

d) Neither a nor b

Ans. c) Both a and b

62. What should you do if a CodeQL scan produces false positives?

a) Disable CodeQL scanning

b) Modify the CodeQL query or use suppression comments

c) Delete the alert

d) Ignore the alert

Ans. b) Modify the CodeQL query or use suppression comments

63. Where can you view Dependabot alerts?

a) Security Tab > Dependabot Alerts

b) Issues Tab

c) Pull Requests

d) Actions Logs

Ans. a) Security Tab > Dependabot Alerts

64. Which branch is typically scanned for vulnerabilities by default?

a) Main branch

b) All branches

c) Development branch

d) Feature branches

Ans. a) Main branch

65. What type of file is .dependabot/config.yml?

a) A JSON configuration file

b) A YAML configuration file for Dependabot

c) A Git configuration file

d) A SARIF file for code scanning results

Ans. b) A YAML configuration file for Dependabot

66. Which GitHub role is required to configure Advanced Security settings?

a) Contributor

b) Repository Admin

c) Team Member

d) Fork Owner

Ans. b) Repository Admin

67. What is a primary use case for CodeQL Packs?

a) Managing dependency updates

b) Running pre-built queries on codebases

c) Automating CI/CD pipelines

d) Configuring repository permissions

Ans. b) Running pre-built queries on codebases

68. Which GitHub Action step can you use to trigger CodeQL scanning?

a) run-codeql

b) codeql/analyze

c) codeql-init

d) scan-code

Ans. b) codeql/analyze

69. What is the key difference between Secret Scanning and Push Protection?

a) Push Protection prevents secrets from being committed

b) Secret Scanning detects secrets in repository history

c) Push Protection works in real-time, Secret Scanning does not

d) Both a and c

Ans. d) Both a and c

70. How does GitHub Advanced Security integrate with CI/CD workflows?

a) By providing pre-merge security checks

b) By scanning builds for outdated dependencies

c) By enforcing deployment restrictions

d) By managing deployment keys

Ans. a) By providing pre-merge security checks

71. Which permission level is required to enable Advanced Security features?

a) Read access

b) Write access

c) Admin access

d) Maintainer access

Ans. c) Admin access

72. What does enabling two-factor authentication (2FA) improve?

a) Dependency management

b) Repository security

c) Workflow automation

d) Secret scanning accuracy

Ans. b) Repository security

73. Which file defines a GitHub Actions workflow for Advanced Security?

a) .github/workflows/security.yml

b) .github/advanced_security.yml

c) .github/workflows/codeql-analysis.yml

d) .github/codeql-config.json

Ans. c) .github/workflows/codeql-analysis.yml

74. Which of the following ensures that security updates are applied automatically?

a) Enable Dependabot security updates

b) Use branch protection rules

c) Configure manual dependency updates

d) Run periodic security scans

Ans. a) Enable Dependabot security updates

75. Your company has internal secrets that should not be pushed to GitHub repositories. The pattern of these secrets is not known by GitHub and therefore is not detected by secret scanning. What can companies do to protect their developers from accidentally pushing these secrets to repositories in their GitHub Organization?

a) Define regex patterns for these secrets and enable custom patterns for secret scanning for the organization.

b) In all repositories include secret_scanning.yml file which will define these custom secrets that should be scanned for.

c) Define custom GitHub Actions workflows for repositories in the organization that will scan for these secrets.

d) The company should join the GitHub partner program so the pattern of the companies secrets is recognized.

Ans. a) Define regex patterns for these secrets and enable custom patterns for secret scanning for the organization.

76. What information do Dependabot alerts provide?

a) Dependabot alerts tell you that your repository is being used by other public repositories.

b) Dependabot alerts tell you that your repository uses an untested version of a package.

c) Dependabot alerts tell you that your repository uses an outdated version of a package

d) Dependabot alerts tell you that your repository uses a package that is insecure.

Ans. d) Dependabot alerts tell you that your repository uses a package that is insecure.

77. What is the GitHub dependency graph?

a) It is a representation of a repository's dependencies and dependents.

b) There is no such thing as the GitHub dependency graph.

c) It is a tool that automatically proposes version updates to dependencies in a repository.

d) It is a GitHub maintained list of known vulnerabilities in open source software packages.

Ans. a) It is a representation of a repository's dependencies and dependents.

78. Is GitHub dependency graph available for free to all repositories?

a) No, it's available for free for public repositories only. Private repositories can use it if they have the GitHub Advanced Security license.

b) Yes, it's available for free for all repositories.

Ans. b) Yes, it's available for free for all repositories.

79. How does GitHub Dependency graph know what dependencies your project is using? (Choose two.)

a) GitHub scans the repository code for import statements of external packages

b) GitHub derives dependencies automatically from manifests and lock files committed to the repository

c) Dependencies can be manually added using the Dependency submission API

d) It's required to add a GitHub Actions workflow that uses the official actions/dependency-graph GitHub Action to add dependencies to the graph whenever a new commit is pushed to the repository

Ans. b) GitHub derives dependencies automatically from manifests and lock files committed to the repository

c) Dependencies can be manually added using the Dependency submission API

80. When will the GitHub Dependency graph for your repository be updated? (Choose two.)

a) When you push a commit to the repository's default branch, only if that changes or adds a supported manifest/lockfile.

b) When your repository publishes a new git tag.

c) When you push any commit to the repository's default branch.

d) When anyone pushes a change to the repository of one of your dependencies.

e) When the GitHub Actions workflow that uses the actions/dependency-graph GitHub Action is triggered.

f) When your repository publishes a new release.

Ans. a) When you push a commit to the repository's default branch, only if that changes or adds a supported manifest/lockfile.

d) When anyone pushes a change to the repository of one of your dependencies.

81. In what format can you export the GitHub Dependency graph of your repository?

a) YAML

b) SPDX

c) JSON

d) CSV

e) XML

Ans. b) SPDX

82. Can your repository use Dependency Graph without using Dependabot Alerts?

a) Yes

b) No

Ans. a) Yes

83. Which feature is a pre-requisite for using Dependabot Alerts on a repository?

a) Dependency security updates

b) Dependency review

c) Dependency graph

d) Dependency version updates

Ans. c) Dependency graph

84. Which of these statements about Dependabot Alerts are true? (Choose three.)

a) When GitHub identifies a vulnerable dependency, they generate a Dependabot alert and display it on the Security tab for the repository

b) Dependabot alerts tell you that your repository uses an outdated version of a package

c) They partially rely on the GitHub Advisory Database

d) To enable Dependabot Alerts you first need to have Dependency Graph enabled on your repository

e) Dependabot Alerts are enabled by default for all public repositories

f) Dependabot Alerts are enabled by default for all repositories

Ans. a) When GitHub identifies a vulnerable dependency, they generate a Dependabot alert and display it on the Security tab for the repository

c) They partially rely on the GitHub Advisory Database

d) To enable Dependabot Alerts you first need to have Dependency Graph enabled on your repository

85. What are the primary benefits of the Security Overview feature in GitHub?

a) Real-time threat detection

b) Automated dependency updates

c) Automatic code review for every push

d) Centralized view of security alerts and policy management in an organization

Ans. d) Centralized view of security alerts and policy management in an organization

86. What do Dependabot alerts indicate in GitHub?

a) Conflicts between different dependencies

b) Errors in dependency configuration files

c) Outdated dependencies that need to be updated

d) The presence of a vulnerable dependency or malware in your repository

Ans. d) The presence of a vulnerable dependency or malware in your repository

87. What is the purpose of code scanning in GitHub?

a) To identify vulnerabilities and errors in code

b) To check code formatting and style

c) To synchronize code with production servers

d) To review pull requests automatically

Ans. a) To identify vulnerabilities and errors in code

88. How can you identify which repository contributors have access to Advanced Security alerts?

a) Review the repository's Collaborators settings

b) Use the Security Tab > Access Insights

c) Check the Code Scanning configuration file

d) None of the above

Ans. b) Use the Security Tab > Access Insights

89. What type of file does GitHub Actions use to define workflows?

a) .yml or .yaml

b) .json

c) .ini

d) .config

Ans. a) .yml or .yaml

90. Is secret scanning available for both public and private repositories on GitHub?

a) Yes, with no additional requirements

b) Yes, but for private repositories, it requires a license for GitHub Advanced Security

c) No, it is only available for private repositories

d) No, it is only available for public repositories

Ans. b) Yes, but for private repositories, it requires a license for GitHub Advanced Security

91. What is the main purpose of using the CodeQL CLI?

a) To manage repository settings and permissions

b) To automatically merge pull requests

c) To generate a database representation of a codebase, a CodeQL database

d) To schedule regular maintenance tasks in a repository

Ans. c) To generate a database representation of a codebase, a CodeQL database

92. Which of the following languages is NOT supported by CodeQL for code scanning?

a) C/C++

b) Python

c) JavaScript/TypeScript

d) PHP

Ans. d) PHP

93. How does CodeQL analyze code in GitHub?

a) It uses machine learning to predict potential vulnerabilities based on past commits

b) It performs manual code reviews submitted by GitHub community members

c) It relies solely on third-party tools for code analysis

d) It generates a CodeQL database and runs queries to identify problems, displaying results as code scanning alerts

Ans. d) It generates a CodeQL database and runs queries to identify problems, displaying results as code scanning alerts

94. How can CodeQL be used in an external CI system together with GitHub repositories?

a) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository

b) Manually run CodeQL locally and email the results to the GitHub repository administrators

c) CodeQL cannot be used in external CI systems; it is exclusive to GitHub Actions

d) Upload source code to GitHub for analysis and then download results for use in the CI system

Ans. a) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository

95. Which of these statements isn't true about secret scanning on GitHub?

a) Secret scanning will scan titles, descriptions, and comments, in open and closed historical issues for secrets.

b) Secret scanning is a tool for secure secret storage and management.

c) Secret scanning can prevent supported secrets from being pushed into your enterprise, organization, or repository.

d) Secret scanning will scan your entire Git history on all branches present in your GitHub repository for secrets.

Ans. b) Secret scanning is a tool for secure secret storage and management.

96. How does GitHub ensure that secret scanning covers new patterns?

a) By allowing custom pattern definitions

b) Through regular updates to GitHub’s pattern database

c) By integrating with third-party APIs

d) By enabling user feedback

Ans. b) Through regular updates to GitHub’s pattern database

97. Which top-level keys are required in the dependabot.yml file?

a) version and package-ecosystem

b) updates and directory

c) version and updates

d) assignees and directory

Ans. c) version and updates

98. Which GitHub Action can be used to upload a third-party SARIF file?

a) actions/upload-sarif

b) github/codeql-action

c) github/codeql-action/upload-sarif

d) codeql-upload-sarif

Ans. c) github/codeql-action/upload-sarif

99. Which tool can be used in a third-party CI system to upload code analysis results to GitHub?

a) CodeQL API

b) CodeQL CLI

c) GitHub CLI

d) GitHub Actions github/codeql-action

Ans. b) CodeQL CLI

100. What is required for a CI server to upload SARIF results to GitHub?

a) A direct connection to the GitHub Advisory Database.

b) A GitHub App or personal access token with security_events write permission.

c) Administrator access to the GitHub repository.

d) A special plugin installed in the CI system.

Ans. b) A GitHub App or personal access token with security_events write permission.

Cyberithub

GitHub Advanced Security Certification Practice Test Questions and Answers Part - 1

1. What are Dependabot auto-triage rules?

2. How can you automate dismissing low severity Dependabot alerts?

3. To enable Dependabot security updates on all repositories in an organization you should:

4. The tool that checks if a pull request introduces any dependencies with security vulnerabilities is called:

5. You need GitHub Actions enabled for

6. What does CVSS stand for?

7. What does CVE stand for?

8. What does CWE stand for?

9. Which Dependabot comment command will get a pull request successfully completed?

10. Jobs that run on macOS runners that GitHub hosts consume minutes at __ rate as Linux runners consume

11. What is CodeQL?

12. What does shifting left mean in the context of Security?

13. What are Repository Security Advisories?

14. Which tool helps you keep the repository dependencies up to date?

15. Which of the following is a curated list of security vulnerabilities found in open source projects?

16. Which of these GitHub security features are available for FREE for both public and private personal repositories? (Choose four.)

17. Which of these best describes secret scanning?

18. How many days in Git history are scanned by Secret scanning?

19. Which branch(s) is/are scanned to detect the secrets?

20. Which GHAS feature allows you to prevent pushing a commit which contains a secret?

21. Can you add custom patterns to detect specific secrets?

22. Does Dependency graph scan your source code?

23. What are the CodeQL languages supported? (Choose three)

24. What are the supported packages managers by Dependabot? (Choose three)

25. Which file format permits to integrate results for a 3rd party scanning tool?

26. What are Dependabot security updates?

27. What is a CodeQL query suite?

28. What is a CodeQL query pack?

29. What are the steps of CodeQL analysis workflow?

30. What is the purpose of the `external-repository-token` parameter in `github/codeql-action/init` GitHub Action?

31. How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two)

32. Where can you see when the last CodeQL analysis was run when using the default code scanning setup?

33. Which of the following statements about enabling CodeQL scanning default setup are true? (Choose two)

34. What is the purpose of defining a SARIF category?

35. When viewing a code scanning alert what is the `Show paths` option used for?

36. What details can you find on a code scanning alert page? (Choose three)

37. What is the purpose of the `codeql database analyze` command in CodeQL CLI?

38. Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?

39. Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?

40. Which API endpoint can be used to retrieve a list of all dependabot alerts for an enterprise?

41. When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?

42. Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code?

43. An organization has recently started using CodeQL analysis for all pull requests on their repositories as well as running the analysis on an hourly schedule. Since then they are experiencing larger than usual GitHub Actions bills. What is the most likely cause of this?

44. How can CodeQL be used in an external CI system together with GitHub repositories?

45. What does the default CodeQL analysis setup in GitHub do?

46. Public repositories owned by personal users as well as public repositories owned by organizations can use secret scanning for free.

47. Which parts of the repository are scanned by secret scanning? (Choose two.)

48. What's the purpose of the Secret scanning partner program?

49. How can you prevent commits containing cloud provider credentials from being pushed to GitHub?

50. Which of these is true about the GitHub secret scanning partner program? (Choose three.)

51. How can you exclude certain directories or files from secret scanning?

52. You have included some fake secrets in your test code and they have been picked up by GitHub's secret scanning. What can you do to tell GitHub that these are fake secrets used in tests and can be ignored by secret scanning? (Choose two.)

53. You have accidentally committed your GitHub personal access token to a public repository. What actions should you take to prevent your account from being compromised?

54. What is the behavior when a new secret pattern is added or updated in the GitHub secret scanning partner program?

55. Who will be notified when a NEW secret is pushed and detected in a repository? (Choose five.)

56. When GitHub runs a scan of all historical code in enterprise repositories what is the notification behavior? (Select two.)

57. Does GitHub use the same set of secret scanning patterns for both user alerts and push protection alerts?

58. What are the three different sets of secret scanning patterns that GitHub maintains? (Select three.)

59. Multiple public repositories that you are contributing to do not have secret scanning push protection option enabled. What can you do to protect yourself from accidentally pushing secrets to these repositories?

60. Which file is typically used to configure CodeQL analysis in a repository?

61. Which GitHub API can be used to automate security tasks?

62. What should you do if a CodeQL scan produces false positives?

63. Where can you view Dependabot alerts?

64. Which branch is typically scanned for vulnerabilities by default?

65. What type of file is .dependabot/config.yml?

66. Which GitHub role is required to configure Advanced Security settings?

67. What is a primary use case for CodeQL Packs?

68. Which GitHub Action step can you use to trigger CodeQL scanning?

69. What is the key difference between Secret Scanning and Push Protection?

70. How does GitHub Advanced Security integrate with CI/CD workflows?

71. Which permission level is required to enable Advanced Security features?

72. What does enabling two-factor authentication (2FA) improve?

73. Which file defines a GitHub Actions workflow for Advanced Security?

74. Which of the following ensures that security updates are applied automatically?

76. What information do Dependabot alerts provide?

77. What is the GitHub dependency graph?

78. Is GitHub dependency graph available for free to all repositories?

79. How does GitHub Dependency graph know what dependencies your project is using? (Choose two.)