Cyberithub

GitHub Advanced Security Certification Practice Test Questions and Answers Part - 2


In this article, we continue our series of practice questions for the GitHub Advanced Security Certification exam. In our last article, GitHub Advanced Security Certification Practice Test Questions and Answers Part - 1, we covered 100 important questions and answers that can prove very helpful in clearing the exam. In this article, we look at 100 more questions and answers to further strengthen your preparation. I am pretty sure that with all these questions practiced, your chances of passing this exam will increase significantly.

 


1. What file should you use to create documentation for collaborators that lists supported versions of the project?

a) SECURITY.md

b) CONTRIBUTING.md

c) SUPPORT.md

Ans. a) SECURITY.md

 

2. What tool should you use to automate part of your security process?

a) Add Dependabot to your code base.

b) Add access restrictions to your enterprise.

c) Create security documentation.

d) Add advisories for your users.

Ans. a) Add Dependabot to your code base.

 

3. Which two pieces of information should be included in a security advisory?

a) Product affected and severity.

b) Severity and exposure list.

c) Administrator name and severity.

d) Exposures list and administrator name.

Ans. a) Product affected and severity.

 

4. Which two pieces of information are included in your organization's log?

a) The user that performed the action and the date and time of the action.

b) The date and time of the action and changes in permissions.

c) Changes in permissions and users being promoted to administrators.

d) Users being promoted to administrators and the user that performed the action.

Ans. a) The user that performed the action and the date and time of the action.

 

5. Which GitHub Advanced Security feature isn't available on public repositories?

a) Secret scanning.

b) Security Overview.

c) Code scanning.

Ans. b) Security Overview.

 

6. Where can you enable GitHub Advanced Security for all the private and internal repositories in an organization?

a) The setting is in the Site admin page of your enterprise account.

b) The setting is in the organization's Security tab.

c) The setting is in the organization's Code and security settings.

Ans. c) The setting is in the organization's Code and security settings.

 

7. What can you do to ensure that everyone in your organization is using GitHub Advanced Security?

a) Give access to security alerts to users and teams with write permission on their repositories.

b) Add a SECURITY.md file to the root, docs, or .github folder of your organization's repositories.

c) Set a security policy at the organization level.

Ans. c) Set a security policy at the organization level.

 

8. What should you keep in mind when using GitHub Actions for your security workflows?

a) You should select the Send write tokens to workflows from pull requests option in the GitHub Actions settings.

b) You should make sure to use the Code Scanning API endpoints.

c) You should correctly set up the permissions for the GITHUB_TOKEN used to make authenticated API calls.

Ans. c) You should correctly set up the permissions for the GITHUB_TOKEN used to make authenticated API calls.

 

9. When code scanning is enabled, what is one default event that triggers a scan?

a) Creating a new branch.

b) Pushing a change.

c) Deleting a branch.

Ans. b) Pushing a change.

 

10. Which of the following are the tools used to upload a SARIF file?

a) The tools used are GitHub Actions, the code scanning API, and the CodeQL CLI.

b) The tools used are GitHub Actions, the ESLint analysis tool, the code scanning API, and the CodeQL CLI.

c) The tools used are the partialFingerprints property, GitHub Actions, the code scanning API, and the CodeQL CLI.

Ans. a) The tools used are GitHub Actions, the code scanning API, and the CodeQL CLI.

 

11. What is the difference between scheduled versus triggered events in code scanning?

a) Scheduled events are more difficult to configure than triggered events.

b) Scheduled events run based on a specified schedule and triggered events run on code events such as a push.

c) Triggered events run less frequently than scheduled events.

Ans. b) Scheduled events run based on a specified schedule and triggered events run on code events such as a push.

 

12. What does CodeQL first do when you're creating a database?

a) Analyzes both compiled languages and interpreted languages.

b) Extracts a single relational representation of each source file.

c) Converts results produced during query execution into a meaningful form.

Ans. b) Extracts a single relational representation of each source file.

 

13. What is the format of the command for creating and analyzing a CodeQL database from the CLI?

a) codeql [command] [subcommand]

b) codeql [subcommand] [command]

c) [command] [subcommand] codeql

Ans. a) codeql [command] [subcommand]

 

14. What is an extractor?

a) A hierarchical representation of the code.

b) A representation of the abstract syntax tree.

c) A tool that produces the relational data.

Ans. c) A tool that produces the relational data.

 

15. The CLI's built-in search operations do which of the following?

a) They automatically look in parent directories for the files used in database creation and analysis.

b) When they're manually prompted, they look in sibling directories for the files used in database creation and analysis.

c) They automatically look in all the sibling directories for the files used in database creation and analysis.

Ans. c) They automatically look in all the sibling directories for the files used in database creation and analysis.

 

16. By default, which severity level causes a pull-request check failure during code scanning?

a) Error

b) Warning

c) Medium

Ans. a) Error

 

17. Which is one way to optimize CodeQL analysis runtimes?

a) Analyze multiple languages.

b) Increase the memory.

c) Increase the amount of code analyzed.

Ans. b) Increase the memory.

 

18. What do you need to do if you want to change the settings for secret scanning on a public repository?

a) Enable secret scanning on the repository.

b) Switch the repository to a private one with GitHub Advanced Security.

c) Get admin permissions on the repository.

Ans. b) Switch the repository to a private one with GitHub Advanced Security.

 

19. Where can you configure the recipients of secret scanning alerts?

a) In the Code security and analysis settings of a repository

b) In the Manage Access settings of a repository

c) In the Watch settings of a repository

Ans. a) In the Code security and analysis settings of a repository

 

20. How many custom patterns can you create for an organization?

a) 100

b) 5,000

c) 500

Ans. c) 500

 

21. What are direct dependencies?

a) Dependencies that are explicitly defined in the manifest or lock file.

b) Dependencies used by packages that are dependencies of your project.

c) Dependencies that aren't referenced in the manifest file.

Ans. a) Dependencies that are explicitly defined in the manifest or lock file.

 

22. When is a Dependabot alert generated?

a) When a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes.

b) Whenever a pull request attempts to merge changes into the main branch that contain no dependency changes.

c) Whenever a new vulnerability is removed from the GitHub Advisory Database.

Ans. a) When a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes.

 

23. What is a prerequisite for Dependabot to automatically enable security updates for a repository?

a) Repository is public.

b) Repository is a fork.

c) Repository is archived.

Ans. a) Repository is public.

 

24. What query can you use to view all the notifications marked as done?

a) is:done

b) is:saved

c) is:complete

Ans. a) is:done

 

25. What is GitHub Advanced Security (GHAS)?

a) An automated tool for managing project dependencies.

b) An application security solution that empowers developers.

c) A tool for analyzing source code for security vulnerabilities.

d) A platform for tracking the full impact of changes to dependencies in a project.

Ans. b) An application security solution that empowers developers.

 

26. How does code scanning contribute to the security of a software development project?

a) By preventing unauthorized access to sensitive information.

b) By automating the management of project dependencies.

c) By identifying and addressing security vulnerabilities in the codebase.

d) By analyzing source code for potential coding errors.

Ans. c) By identifying and addressing security vulnerabilities in the codebase.

 

27. How does Dependabot use the dependency graph in GitHub Advanced Security (GHAS)?

a) To identify and address security vulnerabilities in the codebase.

b) To automatically update project dependencies to their latest, secure versions.

c) To generate alerts for potential security vulnerabilities in project dependencies.

d) To cross-reference dependency data with the GitHub Advisory Database.

Ans. a) To identify and address security vulnerabilities in the codebase.

 

28. How does GitHub Advanced Security (GHAS) help integrate security into each step of the software development life cycle?

a) By providing a comprehensive dashboard summarizing the security status of the repository.

b) By automating security checks with every pull request, surfacing issues in the context of the development workflow.

c) By generating alerts for outdated dependencies in a project.

d) By providing access to curated security intelligence from millions of developers and security researchers around the world.

Ans. b) By automating security checks with every pull request, surfacing issues in the context of the development workflow.

 

29. What happens when a second SARIF results file is uploaded to GitHub for a single commit?

a) It replaces the original set of data.

b) It appends the results to the existing file.

c) It creates a new branch in the repository.

d) It is ignored by GitHub.

Ans. a) It replaces the original set of data.

 

30. How can users exclude specific directories from secret scanning alerts on GitHub?

a) Through the repository's Settings tab, in the Code security and analysis menu.

b) By editing the repository's README.md file.

c) Through the repository's Security tab, in the Secret scanning menu.

d) By configuring a secret_scanning.yml file, under the .github path in the repository.

Ans. d) By configuring a secret_scanning.yml file, under the .github path in the repository.

 

31. Which key should be used in a secret_scanning.yml file to exclude directories from secret scanning alerts in GitHub?

a) exclude-paths:

b) paths-ignore:

c) ignore-directories

d) paths-exclude:

Ans. b) paths-ignore:

 

32. What is the maximum number of custom patterns that can be defined for secret scanning on GitHub?

a) 100 for organizations, enterprises and repositories.

b) There's no limit to the number of custom patterns you can define for secret scanning in GitHub.

c) 500 for organizations/enterprises and 100 for repositories.

d) 100 for organizations/enterprises and 500 for repositories.

Ans. c) 500 for organizations/enterprises and 100 for repositories.

 

33. Fill in the blank: GitHub __________ is a feature that you can use to analyze code in a GitHub repository to find security vulnerabilities and coding errors.

a) Security Advisories

b) Dependency Graph

c) Vulnerability Detection

d) Code Scanning

Ans. d) Code Scanning

 

34. Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code?

a) Security policies

b) Dependabot alerts

c) Security advisories

d) Code scanning

Ans. d) Code scanning

 

35. How can you enable code scanning for a repository?

a) Add a .github/codeql.yml configuration file to the repository.

b) Go to the security tab of the repository settings and enable code scanning with default or advanced setup.

c) Go to the security tab of the repository settings and answer a questionnaire about the repository contents. Based on the answers, GitHub will enable code scanning with the appropriate configuration.

d) Go to your user settings and enable code scanning, you can choose to enable it for all or only selected repositories.

Ans. b) Go to the security tab of the repository settings and enable code scanning with default or advanced setup.

 

36. How can you configure your GitHub repository to run CodeQL analysis on a schedule? (Choose two.)

a) By adding a schedule property to the .github/codeql.yml configuration file.

b) By raising a request with GitHub support to enable scheduled CodeQL analysis for the repository.

c) By using the default CodeQL analysis setup.

d) By creating a GitHub Actions workflow with a schedule trigger. The workflow should leverage actions from the github/codeql-action repository.

e) By setting the codeql.trigger property in the repository settings to schedule.

Ans. c) By using the default CodeQL analysis setup.

d) By creating a GitHub Actions workflow with a schedule trigger. The workflow should leverage actions from the github/codeql-action repository.

 

37. An organization has recently started using CodeQL analysis for all pull requests on their repositories, as well as running the analysis on an hourly schedule. Since then, they have been experiencing larger-than-usual GitHub Actions bills. What is the most likely cause of this?

a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.

b) The code scanning analysis is finding more issues than expected and is taking longer to complete.

c) Code scanning can only be run on a daily schedule and the organization is being billed for the additional usage.

d) There is no correlation between code scanning and GitHub Actions billing. The organization is being billed for other GitHub Actions workflows.

Ans. a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.

 

38. If you don't want to use GitHub Actions, you can run code scanning in an external CI system, then upload the results to GitHub.

a) True

b) False

Ans. a) True

 

39. When using a third-party CI system to run code scanning, what GitHub tool do you need to analyze the codebase?

a) You need to install the GitHub Code Scanning tool.

b) You need to install CodeQL CLI

c) You don't specifically need a GitHub tool, any static analysis tool that can produce results in SARIF format will work.

d) You need to install GitHub CLI

Ans. c) You don't specifically need a GitHub tool, any static analysis tool that can produce results in SARIF format will work.

 

40. When using GitHub Actions as your CI system and a third-party tool to run code scanning, how can you upload the SARIF results to GitHub?

a) By using the actions/upload-artifact GitHub Action

b) When using GitHub Actions the SARIF results are automatically uploaded to GitHub.

c) By using the github/codeql-action/upload-sarif GitHub Action

d) You can only use CodeQL when running code scanning in GitHub Actions. Third-party code scanning tools are not supported.

Ans. c) By using the github/codeql-action/upload-sarif GitHub Action

 

41. Can you use CodeQL analysis with third-party CI systems?

a) Yes, you just need to use the CodeQL CLI

b) No, because it requires using the github/codeql-action GitHub Action

Ans. a) Yes, you just need to use the CodeQL CLI

 

42. Which of these is true about code scanning? (Choose two.)

a) Code scanning scans your code to search for all dependencies and their versions to find any vulnerable dependencies.

b) Code scanning can be integrated into the CI pipeline to find security issues early in the development process.

c) Code scanning helps find any leaked credentials in the codebase, such as API keys or cloud credentials.

d) Code scanning helps find insecure code patterns which can be missed by manual code review.

e) Code scanning is a replacement for manual code review.

Ans. b) Code scanning can be integrated into the CI pipeline to find security issues early in the development process.

d) Code scanning helps find insecure code patterns which can be missed by manual code review.

 

43. When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?

a) Code scanning can be triggered on a configurable schedule or on pull requests.

b) Code scanning is triggered on every push to the repository.

c) Code scanning can be triggered for many different events that happen in the repository.

d) Code scanning is triggered on a configurable schedule

Ans. c) Code scanning can be triggered for many different events that happen in the repository.

 

44. What is the effect of adding the paths-ignore keyword to your code scanning GitHub Actions workflow?

.github/workflows/codeql-analysis.yml

on:
  pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'

a) It tells CodeQL to omit all *.txt and *.md files from the analysis.

b) Avoiding unnecessary scans when files that are not relevant to the analysis are changed.

c) Preventing the CodeQL analysis from running on pull requests that change files with the specified extensions.

d) Pull request checks will ignore any CodeQL vulnerabilities that are found in *.txt and *.md files.

Ans. b) Avoiding unnecessary scans when files that are not relevant to the analysis are changed.

 

45. CodeQL scanning supports:

a) Only compiled languages

b) All programming languages

c) Only interpreted languages

d) Both compiled and interpreted languages

Ans. d) Both compiled and interpreted languages

 

46. What are CodeQL queries used for?

a) CodeQL queries can be run against a CodeQL database to identify patterns that may indicate coding errors or security vulnerabilities.

b) CodeQL queries analyze your codebase and are used to create a CodeQL database.

c) CodeQL queries are used for code review purposes in GitHub.

d) CodeQL queries are text-based questions you can ask the CodeQL engine about your codebase.

Ans. a) CodeQL queries can be run against a CodeQL database to identify patterns that may indicate coding errors or security vulnerabilities.

 

47. What is QL?

a) QL is a query language that underlies CodeQL

b) QL is a similar product to CodeQL but is used for scanning text files instead of code

c) QL stands for Quality Level and is a metric used by CodeQL

d) QL is a npm package that is used by CodeQL to scan code

Ans. a) QL is a query language that underlies CodeQL

 

48. What is a CodeQL query suite?

a) CodeQL suite is a collection of CodeQL databases

b) CodeQL suite is a collection of CodeQL supported languages

c) CodeQL suite is a collection of CodeQL results

d) CodeQL suite is a collection of CodeQL queries

Ans. d) CodeQL suite is a collection of CodeQL queries

 

49. What are the different types of CodeQL packs? (Choose three.)

a) Vulnerability packs

b) Model packs

c) Code packs

d) Query packs

e) Language packs

f) Library packs

Ans. b) Model packs

d) Query packs

f) Library packs

 

50. What are the steps of CodeQL analysis workflow?

a) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results

b) Running CodeQL queries -> Interpreting the results

c) Running CodeQL queries -> Creating a CodeQL database -> Interpreting the results

d) Creating a CodeQL database -> Interpreting the results -> Running CodeQL queries

Ans. a) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results

 

51. What is extraction in the context of CodeQL code analysis?

a) Extraction is the action of running CodeQL queries against a CodeQL database and extracting the results.

b) Extraction is the process of exporting data from a CodeQL database.

c) Extraction is the process of creating a relational representation of each source file in the codebase.

d) Extraction is the process of creating CodeQL queries specific to the codebase.

Ans. c) Extraction is the process of creating a relational representation of each source file in the codebase.

 

52. Which of these statements are true regarding running CodeQL analysis on codebases with multiple programming languages? (Choose two.)

a) CodeQL creates separate databases for each programming language

b) CodeQL creates one database for all programming languages in the codebase, as long as they are supported by CodeQL

c) CodeQL database schema is the same for each programming language

d) CodeQL uses a different extractor for each programming language

Ans. a) CodeQL creates separate databases for each programming language

d) CodeQL uses a different extractor for each programming language

 

53. What are the differences when running CodeQL database creation for compiled and interpreted languages? (Choose two.)

a) For compiled languages, the extractor runs directly on the source code.

b) For compiled languages, the extractor runs on the executable file.

c) For interpreted languages, extraction works by monitoring the build process. All information is collected each time the interpreter is invoked to process a source file.

d) For compiled languages, extraction works by monitoring the build process. All information is collected each time the compiler is invoked to process a source file.

e) For interpreted languages, the extractor runs on the executable file.

f) For interpreted languages, the extractor runs directly on the source code.

Ans. d) For compiled languages, extraction works by monitoring the build process. All information is collected each time the compiler is invoked to process a source file.

f) For interpreted languages, the extractor runs directly on the source code.

 

54. Where can you see when the last CodeQL analysis was run when using the default code scanning setup?

a) In repository insights

b) In the code scanning tool status page

c) In the Dependabot tab

d) You can't see that information with the default setup

Ans. b) In the code scanning tool status page

 

55. Which of the following statements about enabling CodeQL scanning default setup are true? (Choose three.)

a) Default setup will scan the repository on a schedule that you can configure. For event based scanning, you need to configure a GitHub Action workflow

b) You can enable default setup for all eligible repositories in an organization at once in the organization settings

c) You can only use the default query suite with default CodeQL scanning setup

d) You can only enable default setup on repositories that contain at least one CodeQL-supported language

e) GitHub Actions need to be enabled as a prerequisite

f) You can enable default setup on any repository, regardless of the contents of the repository

Ans. b) You can enable default setup for all eligible repositories in an organization at once in the organization settings

e) GitHub Actions need to be enabled as a prerequisite

f) You can enable default setup on any repository, regardless of the contents of the repository

 

56. How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two.)

a) By using a custom configuration file and defining additional queries there

b) By using the CodeQL CLI with a custom configuration file to run the analysis

c) By defining the customizations in the Security / Code scanning repository settings

d) By using the github/codeql-customizations GitHub Action

e) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action

Ans. a) By using a custom configuration file and defining additional queries there

e) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action

 

57. When running CodeQL analysis in GitHub Actions, what Actions should you use? (Choose three.)

a) github/codeql-action/analyze only for interpreted programming languages

b) github/codeql-action/init

c) github/codeql-action/init only for compiled programming languages

d) github/codeql-action/analyze

e) github/codeql-action/autobuild only for compiled programming languages

f) github/codeql-action/autobuild

Ans. b) github/codeql-action/init

d) github/codeql-action/analyze

e) github/codeql-action/autobuild only for compiled programming languages

 

58. What is the simplest method to execute CodeQL analysis concurrently for each language in a multi-language repository using GitHub Actions?

a) By creating a languages matrix for the job and then referencing it in the github/codeql-action/init action's languages input parameter

b) Define the parallelism in the github/codeql-action/analyze action

c) By calling the github/codeql-action/analyze action in separate steps for each language

d) By creating a separate workflow for each language

Ans. a) By creating a languages matrix for the job and then referencing it in the github/codeql-action/init action's languages input parameter

 

59. How can you use a custom CodeQL configuration file in a GitHub Actions workflow?

a) By storing the configuration in .github/codeql/config-config.yml file. The github/codeql-action/init action will automatically detect the file and use it

b) By uploading that file in the Code Scanning section of the Security tab in the repository

c) By explicitly providing the configuration file path in the config-file input parameter of the github/codeql-action/init action

d) By storing the configuration in .github/workflows/codeql-analysis.yml file. The github/codeql-action/init action will automatically detect the file and use it

Ans. c) By explicitly providing the configuration file path in the config-file input parameter of the github/codeql-action/init action

 

60. Where can you specify the CodeQL queries to run in a GitHub Actions workflow? (Choose two.)

a) In the Code Scanning section of the Security tab in the repository

b) In the queries input parameter of the github/codeql-action/init action

c) In the paths input parameter of the github/codeql-action/queries action

d) In a CodeQL configuration YAML file

e) In the codeql field of the .github/settings.yml file

Ans. b) In the queries input parameter of the github/codeql-action/init action

d) In a CodeQL configuration YAML file

 

61. What is the purpose of the external-repository-token parameter in github/codeql-action/init GitHub Action?

a) It allows the action to upload the results of the analysis to a private GitHub repository.

b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.

c) It allows the action to access a private GitHub repository that contains the source code to be analyzed.

d) It allows the action to upload the generated CodeQL database to a private GitHub repository.

Ans. b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.

 

62. What CodeQL CLI command is used to create a CodeQL database?

a) codeql database create

b) qlcli database create

c) gh codeql-database create

d) ql database generate

Ans. a) codeql database create

 

63. What is the purpose of the codeql database analyze command in CodeQL CLI?

a) Analyzing a CodeQL database and uploading the results to GitHub.

b) Analyzing the source code, producing a CodeQL database.

c) Analyzing a CodeQL database, producing results usually in the form of security advisories.

d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.

Ans. d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.

 

64. As part of your Jenkins CI pipeline you've successfully created and then analyzed a CodeQL database, therefore producing a SARIF file. How can you upload the SARIF file to GitHub? (Choose two.)

a) Using the GitHub REST API POST /repos/{owner}/{repo}/code-scanning/sarifs endpoint

b) By committing the SARIF file to the GitHub repository

c) Using the gh codeql upload-results command from GitHub CLI

d) Using the github/codeql-action/upload-sarif GitHub Action

e) Using the codeql github upload-results command from CodeQL CLI

Ans. a) Using the GitHub REST API POST /repos/{owner}/{repo}/code-scanning/sarifs endpoint

e) Using the codeql github upload-results command from CodeQL CLI

 

65. What details can you find on a code scanning alert page? (Choose three.)

a) Information on how many times the vulnerability has been exploited

b) Branches affected by the vulnerability

c) ID of the CodeQL database that was used to find the vulnerability

d) Highlighted vulnerable code

e) Severity of the vulnerability

f) Developer assigned to fix the vulnerability

Ans. b) Branches affected by the vulnerability

d) Highlighted vulnerable code

e) Severity of the vulnerability

 

66. Which of these statements regarding viewing the results of a CodeQL analysis are true? (Choose two.)

a) Anyone with read permission for a repository can see code scanning annotations on pull requests.

b) You need write permission to view a summary of all the alerts for a repository in the Security tab.

c) Anyone with read permissions for a repository can view code scanning alerts in the Security tab.

d) Only the repository owner can see the code scanning alerts in the Security tab.

e) You need write permission to view code scanning annotations on pull requests.

Ans. c) Anyone with read permissions for a repository can view code scanning alerts in the Security tab.

e) You need write permission to view code scanning annotations on pull requests.

 

67. When a CodeQL analysis GitHub Actions workflow detects a new vulnerability on a pull request, where can you find the information about that vulnerability?

a) Directly in the pull request in the form of a PR comment and a check failure

b) In the security tab of the repository

c) In the workflow run logs

d) The CodeQL analysis workflow will fail and produce an artifact with the results

Ans. a) Directly in the pull request in the form of a PR comment and a check failure

 

68. When viewing a code scanning alert what is the Show paths option used for?

a) It's used for showing the paths to the CodeQL queries that were used to find the vulnerability

b) It's used for showing the file path to the CodeQL database that was used to find the vulnerability

c) It will display the path through the code that leads to the issue causing the alert.

d) It will show recommendations on how to fix the vulnerability

Ans. c) It will display the path through the code that leads to the issue causing the alert.

 

69. What does it mean to dismiss a code scanning alert?

a) Closing an alert that you don't think needs to be fixed

b) Closing the alert after fixing the vulnerability in the code

Ans. a) Closing an alert that you don't think needs to be fixed

 

70. Which of these is NOT a valid approach one can take to reduce the time it takes for the CodeQL analysis workflow to complete?

a) Ignore irrelevant files and directories from the analysis

b) Parallelize the analysis for multi-language codebases

c) Run the analysis on every push event

d) Reduce the number of queries that are run

e) Use runners with more CPU/RAM resources

Ans. c) Run the analysis on every push event

 

71. What is the purpose of defining a SARIF category?

a) Use the category to distinguish files that have been analyzed from files that have not been analyzed.

b) Use the category to distinguish files that contain vulnerabilities from files that do not contain vulnerabilities.

c) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.

d) Use a different category for each file that has been analyzed to easily track back the vulnerabilities to the files that contain them.

Ans. c) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.

 

72. How can you enable GitHub Advanced Security features on GitHub Enterprise Server? (Choose two.)

a) By setting the github.advanced_security.enabled configuration option to true in the config.yml file in the .github repository.

b) In the Security tab of the Site admin management console

c) By setting the github.advanced_security.enabled configuration option to true in the config.yml file in the /etc/github directory on the GitHub Enterprise Server instance.

d) By connecting directly to the GitHub Enterprise Server instance through SSH and using the administrative shell ghe-config commands.

e) By requesting an upgrade from GitHub Support

Ans. b) In the Security tab of the Site admin management console

d) By connecting directly to the GitHub Enterprise Server instance through SSH and using the administrative shell ghe-config commands.

 

73. How can you enable GitHub Advanced Security features for all repositories in an organization in GitHub Enterprise Cloud?

a) By connecting directly to the GitHub Enterprise Cloud instance through SSH and using the administrative shell ghe-config commands.

b) In the Site admin page of your enterprise account

c) By requesting an upgrade from GitHub Support

d) In Code security and analysis section of the organization settings

Ans. d) In Code security and analysis section of the organization settings

 

74. As a repository maintainer where should you put instructions on how to report a security vulnerability in your codebase?

a) In the CODE_OF_CONDUCT.md file

b) In the SECURITY.md file

c) In the README.md file

d) In the CONTRIBUTING.md file

Ans. b) In the SECURITY.md file

 

75. What is a GitHub security policy?

a) It's a feature that allows you to encrypt your repository.

b) A GitHub security policy is a subscription service that provides antivirus protection for your projects.

c) It's a tool for automatically fixing security vulnerabilities in your code.

d) It's a document that instructs users on how to responsibly report security vulnerabilities in a project. It's typically defined in a SECURITY.md file in a repository.

Ans. d) It's a document that instructs users on how to responsibly report security vulnerabilities in a project. It's typically defined in a SECURITY.md file in a repository.

 

76. How can you set a default security policy for all repositories in my-org GitHub Organization?

a) Default security policies can only be set by GitHub support

b) By creating a SECURITY.md file in the my-org/.github repository

c) By editing the security policy in the organization's Code Security and analysis settings

d) You can set a default security policy for all repositories in my-org GitHub Organization by adding a SECURITY.md file to each individual repository.

Ans. b) By creating a SECURITY.md file in the my-org/.github repository

 

77. Which API endpoint can be used to retrieve a list of all Dependabot alerts for an enterprise?

a) GET /enterprises/{enterprise}/dependabot/alerts

b) GET /orgs/{org}/dependabot/alerts

c) GET /github/{enterprise}/dependabot/alerts

d) GET /repos/{owner}/{repo}/dependabot/alerts

Ans. a) GET /enterprises/{enterprise}/dependabot/alerts

 

78. Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?

a) GET /github/{org}/secret-scanning/alerts

b) GET /repos/{owner}/{repo}/secret-scanning/alerts

c) GET /orgs/{org}/secret-scanning/alerts

d) GET /enterprises/{enterprise}/secret-scanning/alerts

Ans. c) GET /orgs/{org}/secret-scanning/alerts

 

79. Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?

a) GET /repos/{owner}/{repo}/code-scanning/alerts

b) GET /github/{repo}/code-scanning/alerts

c) GET /orgs/{org}/{repo}/code-scanning/alerts

d) GET /{enterprise}/{org}/{repo}/code-scanning/alerts

Ans. a) GET /repos/{owner}/{repo}/code-scanning/alerts

 

80. Which of these statements best defines a vulnerable dependency?

a) A vulnerable dependency is a dependency that a project relies on, which has not been updated in a long time.

b) A vulnerable dependency is a dependency that a project relies on, which is not widely used or popular.

c) A vulnerable dependency is a dependency that a project relies on, which contains security flaws that could potentially be exploited, compromising the project's security.

d) A vulnerable dependency is a dependency that a project relies on, which is not verified by GitHub.

Ans. c) A vulnerable dependency is a dependency that a project relies on, which contains security flaws that could potentially be exploited, compromising the project's security.

 

81. Which file is crucial for configuring GitHub Actions-based code scanning?

a) codeql-analysis.yml

b) actions.yml

c) codeql-config.yml

d) main.yml

Ans. a) codeql-analysis.yml

 

82. Dependabot Alerts are enabled by default on:

a) Only private repositories.

b) Dependabot Alerts are not enabled by default on any repositories.

c) Only public repositories.

d) All repositories.

Ans. b) Dependabot Alerts are not enabled by default on any repositories.

 

83. Who can enable Dependabot alerts on a repository?

a) Dependabot alerts are enabled by adding a GitHub Action to the repository, so anyone with write access to the repository can enable them.

b) Repository owners and people with admin access

c) Dependabot alerts are enabled on all repositories by GitHub and can't be disabled or enabled by any individual.

d) Only the repository owner

Ans. b) Repository owners and people with admin access

 

84. What's the lowest access level needed to see Dependabot alerts in a repository within an organization?

a) Read

b) Admin

c) Triage

d) Write

e) Maintain

Ans. d) Write

 

85. To enable Dependabot Alerts on all repositories in an organization you should:

a) Create a script that will enable Dependabot Alerts on all repositories in the organization.

b) Go to the organization's Code security and analysis settings and enable Dependabot Alerts for all repositories at once.

c) On all repositories in the organization - run the actions/enable-ghas GitHub Action with alerts parameter set to true

d) Make all repositories in the organization private.

Ans. b) Go to the organization's Code security and analysis settings and enable Dependabot Alerts for all repositories at once.

 

86. Which of these is a valid dependabot.yml configuration file?

a)

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "everyday"

b)

version: 2
config:
  - directory: "/"
    schedule:
      interval: "daily"

c)

version: 2
config:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

d)

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

Ans. d)

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

 

87. Which of these is not a GitHub supported channel for receiving Dependabot alerts?

a) GitHub Mobile

b) github.com notification inbox

c) Email

d) GitHub CLI

e) SMS/Call

Ans. e) SMS/Call

 

88. What is an important consideration when referencing a CodeQL query?

a) The size of the codebase

b) The number of collaborators in the project

c) The specific security vulnerability targeted

d) The programming language used

Ans. c) The specific security vulnerability targeted

 

89. What type of security issues is CodeQL most effective at identifying?

a) Complex security vulnerabilities

b) Performance Bottlenecks

c) Basic syntax errors

d) User interface flows

Ans. a) Complex security vulnerabilities

 

90. When configuring secret scanning, what should be considered?

a) The main programming language used

b) The number of branches in the repository

c) Type of secrets to be scanned for

d) The frequency of code updates

Ans. c) Type of secrets to be scanned for

 

91. How can administrators customize GitHub Advanced Security alerts?

a) By customizing the coding language

b) By changing repository visibility settings

c) By setting alert thresholds

d) By modifying project timelines

Ans. c) By setting alert thresholds

 

92. Which CodeQL feature enhances its capability to identify newly emerging vulnerabilities?

a) Regularly updated query sets

b) Automated learning from past analyses

c) User-contributed query repositories

d) Integration with third-party databases

Ans. a) Regularly updated query sets

 

93. How does integrating code scanning with CI/CD help?

a) Improves team collaboration

b) Automates the deployment process

c) Detects vulnerabilities before deployment

d) Increases project visibility

e) Reduces manual review workload

f) It ensures code quality

Ans. c) Detects vulnerabilities before deployment

e) Reduces manual review workload

 

94. In what scenario might CodeQL be particularly useful?

a) For codebases written in a single language

b) For small, simple codebases

c) In a large project with complex code

d) For projects without external dependencies

Ans. c) In a large project with complex code

 

95. How does secret scanning in GitHub Advanced Security enhance code security?

a) By automating code deployment

b) By tracking code changes

c) By improving code compilation time

d) By detecting exposed secrets in the code

Ans. d) By detecting exposed secrets in the code

 

96. What does "Reference a CodeQL query" typically involve?

a) Linking to an external query database

b) Selecting a query from the CodeQL library

c) Writing a custom query for specific analysis

d) Integrating third-party analysis tools

Ans. b) Selecting a query from the CodeQL library

 

97. In the CodeQL language matrix configuration, what aspect is crucial?

a) Compatibility with different build systems

b) Balancing the depth and breadth of analysis

c) The number of languages included

d) Ensuring coverage of all major programming languages

Ans. d) Ensuring coverage of all major programming languages

 

98. What approach is recommended for scrubbing sensitive data from a GitHub Repository?

a) Employing the 'git filter-branch' command

b) Using 'git rebase'

c) Manually deleting files

d) Archiving the repository

Ans. a) Employing the 'git filter-branch' command

 

99. When configuring code scanning, what is a best practice?

a) Scanning only on release branches

b) Scanning on a scheduled basis

c) Scanning all branches regularly

d) Scanning only the master branch

Ans. c) Scanning all branches regularly

 

100. How can CodeQL results be used to improve code quality?

a) By refactoring code based on findings

b) By documenting vulnerabilities for future reference

c) By sharing results with all team members

d) By integrating results into training materials

Ans. a) By refactoring code based on findings
