In this article, we go through a series of practice test questions and answers for the GitHub Advanced Security Certification exam. The exam is aimed at those who want to demonstrate expertise in GitHub Advanced Security (GHAS) features such as code scanning, secret scanning, and Dependabot, which are used to secure the software development workflow. Passing it gives you an edge over other candidates in a job interview and helps build your career. To help you pass, we have collected the following practice questions, each with its answer.
GitHub Advanced Security Certification Practice Test Questions and Answers Part - 1
Also Read: GitHub Foundations Certification Practice Test Questions and Answers Part - 1
1. What are Dependabot auto-triage rules?
a) Dependabot auto-triage rules are used for automatically deleting old dependencies in your project.
b) It's a feature that allows Dependabot to automatically dismiss Dependabot alerts that match certain criteria.
c) Auto-triage rules are defined in the dependabot.yml configuration file to specify which package managers should be used to scan your project for vulnerabilities.
d) Auto triage rules define how often Dependabot should scan your project for vulnerabilities.
Ans. b) It's a feature that allows Dependabot to automatically dismiss Dependabot alerts that match certain criteria.
2. How can you automate dismissing low severity Dependabot alerts?
a) By using Dependabot's auto-triage rules.
b) By setting the severity field in dependabot.yml file to high
c) By setting the dismiss-severity field in dependabot.yml file to low
d) By removing all dependencies that cause low severity alerts
Ans. a) By using Dependabot's auto-triage rules.
3. To enable Dependabot security updates on all repositories in an organization, you should:
a) Go to the organization's Code security and analysis settings and enable Dependabot Security Updates for all repositories at once.
b) Run the actions/enable-ghas GitHub Action with security-updates parameter set to true on all repositories in the organization.
c) Create a script that will enable Dependabot Security Updates on all repositories in the organization.
d) Make all repositories in the organization private.
Ans. a) Go to the organization's Code security and analysis settings and enable Dependabot Security Updates for all repositories at once.
4. The tool that checks if a pull request introduces any dependencies with security vulnerabilities is called:
a) Dependabot Security Updates
b) Dependabot Alerts
c) Dependency Review
d) Dependabot Version Updates
Ans. c) Dependency Review
5. Which of these features requires GitHub Actions to be enabled?
a) None of these
b) All of these
c) Dependabot Security Updates
d) Dependency Review
e) Dependabot Version Updates
Ans. d) Dependency Review
6. What does CVSS stand for?
a) Code Verification Security System
b) Cybersecurity Validation Scoring Scheme
c) Common Vulnerability Scoring System
d) Critical Vulnerability Scanning Service
Ans. c) Common Vulnerability Scoring System
7. What does CVE stand for?
a) Cybersecurity Verification Entity
b) Common Virus Elimination
c) Code Validation and Enumeration
d) Common Vulnerabilities and Exposures
Ans. d) Common Vulnerabilities and Exposures
8. What does CWE stand for?
a) Code Wrapping Engine
b) Critical Web Elements
c) Common Weakness Enumeration
d) Cybersecurity Weakness Enumeration
Ans. c) Common Weakness Enumeration
9. Which Dependabot comment command merges a pull request once its CI checks pass?
a) @dependabot merge
b) @dependabot rebase
c) @dependabot cancel merge
d) @dependabot close
Ans. a) @dependabot merge
10. Jobs that run on GitHub-hosted macOS runners consume minutes at __ rate compared with Linux runners.
a) the same
b) 2x
c) 10x
d) 5x
Ans. c) 10x
11. What is CodeQL?
a) A code analysis tool
b) A programming language
c) A version control system
d) A text editor
Ans. a) A code analysis tool
12. What does shifting left mean in the context of Security?
a) Adopting security practices early in the development cycle
b) Writing code without worrying about security
c) Writing code in a language that is commonly used
d) Incorporating security practices right before hitting production
Ans. a) Adopting security practices early in the development cycle
13. What are Repository Security Advisories?
a) A private space where repository maintainers can discuss vulnerabilities and security issues within the codebase.
b) It's a place to gather and publicly discuss security issues in the open source community.
c) GitHub security experts that help GitHub Enterprise users with their security issues.
d) A list of security issues that are publicly available for anyone to see and stay away from.
Ans. a) A private space where repository maintainers can discuss vulnerabilities and security issues within the codebase.
14. Which tool helps you keep the repository dependencies up to date?
a) CodeQL
b) GitHub Actions
c) Dependabot
d) Security Advisories
Ans. c) Dependabot
15. Which of the following is a curated list of security vulnerabilities found in open source projects?
a) Dependabot
b) CodeQL
c) GitHub Advisory Database
d) GitHub Security Journal
Ans. c) GitHub Advisory Database
16. Which of these GitHub security features are available for FREE for both public and private personal repositories? (Choose four.)
a) Dependabot code scanning
b) Dependabot alerts and security updates
c) Security Policy
d) Dependabot version updates
e) Secret scanning
f) Code scanning
g) Security advisories
h) Dependabot secret scanning
Ans. b) Dependabot alerts and security updates
c) Security Policy
d) Dependabot version updates
g) Security advisories
17. Which of these best describes secret scanning?
a) Secret scanning scans your repository for secrets such as private keys or tokens.
b) Secret scanning scans your repository for potential code vulnerabilities that could expose secrets such as private keys or tokens.
c) Secret scanning is a git hook that will scan your commits for secrets such as private keys or tokens before they are pushed to GitHub.
d) Secret scanning is a tool for secure secret storage and management.
Ans. a) Secret scanning scans your repository for secrets such as private keys or tokens.
18. How many days in Git history are scanned by Secret scanning?
a) 90
b) 30
c) All history
d) 120
Ans. c) All history
19. Which branches are scanned to detect secrets?
a) All the branches
b) Active branch (last 30 days)
c) Default branch
d) Main/master branch
Ans. a) All the branches
20. Which GHAS feature allows you to prevent pushing a commit which contains a secret?
a) Commit scanning
b) Push scanning
c) Push protection
d) Check commit
Ans. c) Push protection
21. Can you add custom patterns to detect specific secrets?
a) No
b) Yes
Ans. b) Yes
22. Does the dependency graph scan your source code?
a) Yes
b) No
Ans. b) No
23. Which of these languages does CodeQL support? (Choose three)
Select all that apply:
a) F#
b) Ruby on Rails
c) Java
d) PHP
e) SQL
f) C/C++
g) Python
Ans. c) Java
f) C/C++
g) Python
24. Which of these package managers does Dependabot support? (Choose three)
Select all that apply:
a) Yum
b) Men
c) Brew
d) pip
e) APT
f) Yarn
g) NuGet
Ans. d) pip
f) Yarn
g) NuGet
25. Which file format is used to integrate results from a third-party scanning tool into code scanning?
a) PDF
b) GIF
c) SARIF
d) JPEG
Ans. c) SARIF
26. What are Dependabot security updates?
a) It's a Dependabot feature that creates a list of vulnerable dependencies in your repository.
b) It's a Dependabot feature that creates alerts when a security vulnerability is detected in one of your dependencies.
c) It's a Dependabot feature that automatically creates pull requests to update dependencies in your repository when they release a new version.
d) It's a Dependabot feature that automatically creates pull requests to update vulnerable dependencies in your repository.
Ans. d) It's a Dependabot feature that automatically creates pull requests to update vulnerable dependencies in your repository.
27. What is a CodeQL query suite?
a) CodeQL suite is a collection of CodeQL databases
b) CodeQL suite is a collection of CodeQL supported languages
c) CodeQL suite is a collection of CodeQL results
d) A CodeQL query suite is a collection of CodeQL queries
Ans. d) A CodeQL query suite is a collection of CodeQL queries
28. What is a CodeQL query pack?
a) It's a library used by CodeQL queries
b) It's a set of results that were generated in the process of analyzing a CodeQL database
c) It's a set of pre-compiled queries with all transitive dependencies such as libraries and models
d) It's a collection of CodeQL queries
Ans. c) It's a set of pre-compiled queries with all transitive dependencies such as libraries and models
29. What are the steps of CodeQL analysis workflow?
a) Running CodeQL queries -> Interpreting the results
b) Creating a CodeQL database -> Interpreting the results -> Running CodeQL queries
c) Running CodeQL queries -> Creating a CodeQL database -> Interpreting the results
d) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results
Ans. d) Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results
30. What is the purpose of the `external-repository-token` parameter in `github/codeql-action/init` GitHub Action?
a) It allows the action to access a private GitHub repository that contains the source code to be analyzed.
b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.
c) It allows the action to upload the generated CodeQL database to a private GitHub repository.
d) It allows the action to upload the results of the analysis to a private GitHub repository.
Ans. b) It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.
31. How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two)
Select all that apply:
a) By using the github/codeql-customizations GitHub Action
b) By using the CodeQL CLI with a custom configuration file to run the analysis
c) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action
d) By using a custom configuration file and defining additional queries there
e) By defining the customizations in the Security / Code scanning repository settings
Ans. c) By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the github/codeql-action/init action
d) By using a custom configuration file and defining additional queries there
32. Where can you see when the last CodeQL analysis was run when using the default code scanning setup?
a) In the code scanning tool status page
b) In repository insights
c) You can't see that information with the default setup
d) In the Dependabot tab
Ans. a) In the code scanning tool status page
33. Which of the following statements about enabling CodeQL scanning default setup are true? (Choose two)
Select all that apply:
a) You can enable default setup on any repository, regardless of the contents of the repository
b) Default setup will scan the repository on a schedule that you can configure. For event-based scanning, you need to configure a GitHub Action workflow
c) GitHub Actions need to be enabled as a prerequisite
d) You can only use the default query suite with default CodeQL scanning setup
e) You can enable default setup for all eligible repositories in an organization at once in the organization settings
Ans. c) GitHub Actions need to be enabled as a prerequisite
e) You can enable default setup for all eligible repositories in an organization at once in the organization settings
34. What is the purpose of defining a SARIF category?
a) Use the category to distinguish files that contain vulnerabilities from files that do not contain vulnerabilities.
b) Use a different category for each file that has been analyzed to easily track back the vulnerabilities to the files that contain them.
c) Use the category to distinguish files that have been analyzed from files that have not been analyzed.
d) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.
Ans. d) Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.
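The SARIF category in question 34 is carried inside the file itself, in `runs[].automationDetails.id`, which is the field the `upload-sarif` action's `category` input populates. The script below is an added example, not code from the page or from GitHub: it stamps a third-party tool's SARIF with a category, counts results per level, flags results that have no location (code scanning cannot place those as alerts), and gzip+base64 encodes the document the way the REST upload endpoint `POST /repos/{owner}/{repo}/code-scanning/sarifs` expects. The sample SARIF, the tool name `ExampleScanner` and its rule IDs are constructed for the example.

```python
"""Prepare a third-party tool's SARIF file for upload to code scanning.

Added example (not the page's or GitHub's code). The sample SARIF, tool name
and rule IDs are constructed.
"""
import base64
import copy
import gzip
import json

# Constructed sample: what a hypothetical scanner "ExampleScanner" might emit.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleScanner", "version": "1.0.0",
            "rules": [
                {"id": "EX001", "shortDescription": {"text": "Hard-coded credential"}},
                {"id": "EX002", "shortDescription": {"text": "TLS verification disabled"}},
                {"id": "EX003", "shortDescription": {"text": "Debug logging enabled"}},
            ]}},
        "results": [
            {"ruleId": "EX001", "level": "error", "message": {"text": "Password literal"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning", "message": {"text": "verify=False"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/client.py"}, "region": {"startLine": 40}}}]},
            # No location: code scanning cannot attach this result to a file and line.
            {"ruleId": "EX003", "message": {"text": "DEBUG=True in settings"}},
        ],
    }],
}


def set_category(sarif, category):
    """Return a copy with every run stamped as belonging to `category`.

    Code scanning keys uploads by tool, commit and category; a second upload of
    the same tool on the same commit with the same category overwrites the
    first, so give each language or component its own category. The value is
    written in the "<category>/" form the upload-sarif action itself writes.
    """
    out = copy.deepcopy(sarif)
    for run in out["runs"]:
        run.setdefault("automationDetails", {})["id"] = f"{category}/"
    return out


def summarize(sarif):
    """Count results per SARIF level and list the rules of results without a location."""
    by_level = {}
    unplaced = []
    for run in sarif["runs"]:
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default when the field is absent
            by_level[level] = by_level.get(level, 0) + 1
            if not res.get("locations"):
                unplaced.append(res.get("ruleId"))
    return {"by_level": by_level, "without_location": unplaced}


def encode_for_rest_upload(sarif):
    """gzip + base64 the document: the encoding the REST endpoint
    POST /repos/{owner}/{repo}/code-scanning/sarifs expects in its `sarif` field."""
    raw = json.dumps(sarif, separators=(",", ":")).encode()
    return base64.b64encode(gzip.compress(raw)).decode()


def decode_rest_upload(blob):
    """Inverse of encode_for_rest_upload, to check a payload before sending it."""
    return json.loads(gzip.decompress(base64.b64decode(blob)))


if __name__ == "__main__":
    prepared = set_category(SAMPLE_SARIF, "example-scanner")
    print(json.dumps(summarize(prepared), indent=2))
    print("encoded payload bytes:", len(encode_for_rest_upload(prepared)))
```

Run it on the real file by replacing `SAMPLE_SARIF` with `json.load(open("results.sarif"))`; the encoded string goes in the `sarif` field of the REST request together with `commit_sha` and `ref`, or the file can be handed to the `upload-sarif` action with the same `category` input.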
35. When viewing a code scanning alert what is the `Show paths` option used for?
a) It's used for showing the paths to the CodeQL queries that were used to find the vulnerability
b) It will show recommendations on how to fix the vulnerability
c) It will display the path through the code that leads to the issue causing the alert.
d) It's used for showing the file path to the CodeQL database that was used to find the vulnerability
Ans. c) It will display the path through the code that leads to the issue causing the alert.
36. What details can you find on a code scanning alert page? (Choose three)
Select all that apply:
a) Highlighted vulnerable code
b) Information how many times the vulnerability has been exploited
c) Assigned developer to fix the vulnerability
d) Severity of the vulnerability
e) Branches affected by the vulnerability
f) ID of the CodeQL database that was used to find the vulnerability
Ans. a) Highlighted vulnerable code
d) Severity of the vulnerability
e) Branches affected by the vulnerability
37. What is the purpose of the `codeql database analyze` command in CodeQL CLI?
a) Analyzing a CodeQL database and uploading the results to GitHub.
b) Analyzing a CodeQL database, producing results usually in the form of security advisories.
c) Analyzing the source code, producing a CodeQL database.
d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.
Ans. d) Analyzing a CodeQL database, producing results usually in the form of a SARIF file.
38. Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?
a) GET /orgs/{org}/{repo}/code-scanning/alerts
b) GET /{enterprise}/{org}/{repo}/code-scanning/alerts
c) GET /github/{repo}/code-scanning/alerts
d) GET /repos/{owner}/{repo}/code-scanning/alerts
Ans. d) GET /repos/{owner}/{repo}/code-scanning/alerts
39. Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?
a) GET /github/{org}/secret-scanning/alerts
b) GET /enterprises/{enterprise}/secret-scanning/alerts
c) GET /repos/{owner}/{repo}/secret-scanning/alerts
d) GET /orgs/{org}/secret-scanning/alerts
Ans. d) GET /orgs/{org}/secret-scanning/alerts
40. Which API endpoint can be used to retrieve a list of all dependabot alerts for an enterprise?
a) GET /repos/{owner}/{repo}/dependabot/alerts
b) GET /enterprises/{enterprise}/dependabot/alerts
c) GET /orgs/{org}/dependabot/alerts
d) GET /github/{enterprise}/dependabot/alerts
Ans. b) GET /enterprises/{enterprise}/dependabot/alerts
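Questions 38 to 40 name the three alert endpoints at repository, organization and enterprise scope; questions 1 and 2 describe Dependabot auto-triage rules. The script below is an added example, not code from the page or from GitHub: it builds those endpoints, follows `Link: rel="next"` pagination, and applies the same kind of criterion an auto-triage rule would apply (dismiss open low-severity alerts on development-scoped dependencies) through `PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}`. The transport is injectable so the logic runs offline against constructed pages; `http_request` is the real transport and needs a token with access to the repository's alerts. `acme/app` and the token value are placeholders.

```python
"""List security alerts through the REST API and apply a local triage rule.

Added example, not the page's code. fake_request serves constructed pages so
the logic runs offline; http_request is the real transport. acme/app and the
token are placeholders.
"""
import json
import re
import urllib.request

API = "https://api.github.com"
KINDS = {"code-scanning", "secret-scanning", "dependabot"}
SCOPES = {"repo": "/repos/", "org": "/orgs/", "enterprise": "/enterprises/"}


def alerts_path(kind, scope, name):
    """alerts_path("dependabot", "enterprise", "acme") -> /enterprises/acme/dependabot/alerts.
    For scope "repo", name is "owner/repo"."""
    if kind not in KINDS:
        raise ValueError(f"unknown alert kind: {kind}")
    return f"{SCOPES[scope]}{name}/{kind}/alerts"


def http_request(method, url, token, body=None):
    """Real transport. Returns (status, headers, parsed JSON body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), json.load(resp)


_NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def list_alerts(kind, scope, name, token, request=http_request, state="open"):
    """Collect every alert, following rel="next" links until none is returned."""
    url = f"{API}{alerts_path(kind, scope, name)}?state={state}&per_page=100"
    alerts = []
    while url:
        status, headers, page = request("GET", url, token)
        if status != 200:
            raise RuntimeError(f"GET {url} -> HTTP {status}")
        alerts.extend(page)
        match = _NEXT_LINK.search(headers.get("Link", ""))
        url = match.group(1) if match else None
    return alerts


def is_low_dev_dependency(alert):
    """Triage rule over a Dependabot alert object: open, vulnerability severity
    low, and the vulnerable package is a development-scope dependency."""
    return (alert.get("state") == "open"
            and alert.get("security_vulnerability", {}).get("severity") == "low"
            and alert.get("dependency", {}).get("scope") == "development")


def dismiss_low_dev_alerts(owner_repo, token, request=http_request):
    """Dismiss matching alerts; return the numbers of those dismissed."""
    dismissed = []
    for alert in list_alerts("dependabot", "repo", owner_repo, token, request):
        if not is_low_dev_dependency(alert):
            continue
        url = f"{API}/repos/{owner_repo}/dependabot/alerts/{alert['number']}"
        status, _, _ = request("PATCH", url, token, {
            "state": "dismissed",
            "dismissed_reason": "tolerable_risk",
            "dismissed_comment": "Low severity on a development dependency (local triage rule)",
        })
        if status == 200:
            dismissed.append(alert["number"])
    return dismissed


# Constructed offline data: two pages of Dependabot alerts for acme/app.
_BASE = f"{API}/repos/acme/app/dependabot/alerts"
_PAGES = {
    f"{_BASE}?state=open&per_page=100": (
        {"Link": f'<{_BASE}?state=open&per_page=100&page=2>; rel="next"'},
        [{"number": 1, "state": "open", "security_vulnerability": {"severity": "critical"},
          "dependency": {"scope": "runtime"}},
         {"number": 2, "state": "open", "security_vulnerability": {"severity": "low"},
          "dependency": {"scope": "development"}}]),
    f"{_BASE}?state=open&per_page=100&page=2": (
        {},
        [{"number": 3, "state": "open", "security_vulnerability": {"severity": "low"},
          "dependency": {"scope": "runtime"}}]),
}


def fake_request(method, url, token, body=None):
    """Offline transport: serves _PAGES and accepts a dismissal PATCH for any alert."""
    if method == "GET" and url in _PAGES:
        headers, page = _PAGES[url]
        return 200, headers, page
    if method == "PATCH" and url.startswith(_BASE + "/") and (body or {}).get("state") == "dismissed":
        return 200, {}, {"number": int(url.rsplit("/", 1)[1]), "state": "dismissed"}
    return 404, {}, {"message": "Not Found"}


if __name__ == "__main__":
    print("dismissed:", dismiss_low_dev_alerts("acme/app", "fake-token", request=fake_request))
```

Alert number 2 is the only one the rule dismisses: number 1 is critical and number 3 is low but on a runtime dependency. A real auto-triage rule does the same server-side and also covers alerts created after the rule exists; this local version is useful for a one-off sweep or for an audit of what such a rule would have touched.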
41. When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?
a) Code scanning can be triggered on a configurable schedule or on pull requests.
b) Code scanning is triggered on every push to the repository.
c) Code scanning can be triggered for many different events that happen in the repository.
d) Code scanning is triggered on a configurable schedule.
Ans. c) Code scanning can be triggered for many different events that happen in the repository.
42. Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code?
a) Security policies
b) Dependabot alerts
c) Security advisories
d) Code scanning
Ans. d) Code scanning
43. An organization has recently started using CodeQL analysis for all pull requests on their repositories as well as running the analysis on an hourly schedule. Since then they are experiencing larger than usual GitHub Actions bills. What is the most likely cause of this?
a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.
b) Code scanning can only be run on a daily schedule and the organization is being billed for the additional usage.
c) The code scanning analysis is finding more issues than expected and is taking longer to complete.
d) There is no correlation between code scanning and GitHub Actions billing. The organization is being billed for other GitHub Actions workflows.
Ans. a) Code scanning uses GitHub Actions and the organization is being billed for the additional usage.
44. How can CodeQL be used in an external CI system together with GitHub repositories?
a) CodeQL cannot be used in external CI systems; it is exclusive to GitHub Actions.
b) Manually run CodeQL locally and email the results to the GitHub repository administrators.
c) Upload source code to GitHub for analysis and then download results for use in the CI system.
d) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository.
Ans. d) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository.
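Questions 29, 37 and 44 describe the three-step CodeQL CLI workflow (create a database, analyze it into SARIF, upload the results) as it is run from an external CI system. The script below is an added example, not code from the page or from GitHub: it wraps the `codeql database create`, `codeql database analyze` and `codeql github upload-results` commands, one database and one SARIF file per language, and tags each analysis with its language as the SARIF category so the uploads for one commit do not overwrite each other (question 34). It assumes `codeql` is on `PATH`, `GITHUB_TOKEN` is set in the environment (the upload command reads it), and the repository, ref, commit and build command are placeholders; with `dry_run=True` it only returns the command lines.

```python
"""Drive CodeQL from an external CI system: create database, analyze, upload.

Added example, not the page's or GitHub's code. Assumes `codeql` on PATH and
GITHUB_TOKEN in the environment; repository, ref, commit and build commands
are placeholders.
"""
import subprocess
from pathlib import Path


def codeql_commands(source_root, languages, repository, commit, ref,
                    workdir="codeql-work", build_commands=None):
    """Return the argv lists for the three-step workflow, in execution order."""
    build_commands = build_commands or {}
    work = Path(workdir)
    cmds = []
    for lang in languages:
        db, sarif = work / f"db-{lang}", work / f"{lang}.sarif"
        create = ["codeql", "database", "create", str(db), f"--language={lang}",
                  f"--source-root={source_root}", "--overwrite"]
        # Compiled languages (java, cpp, csharp, go, swift) are traced during a
        # build; pass one explicitly or CodeQL attempts its autobuild.
        if lang in build_commands:
            create.append(f"--command={build_commands[lang]}")
        # codeql/<lang>-queries runs that pack's default suite; one SARIF category
        # per language keeps the per-commit uploads from overwriting each other.
        analyze = ["codeql", "database", "analyze", str(db), f"codeql/{lang}-queries",
                   "--download", "--format=sarif-latest", f"--output={sarif}",
                   f"--sarif-category={lang}"]
        upload = ["codeql", "github", "upload-results", f"--repository={repository}",
                  f"--ref={ref}", f"--commit={commit}", f"--sarif={sarif}"]
        cmds += [create, analyze, upload]
    return cmds


def run_pipeline(source_root, languages, repository, commit, ref, dry_run=False, **kw):
    """Execute the commands in order, stopping at the first non-zero exit."""
    cmds = codeql_commands(source_root, languages, repository, commit, ref, **kw)
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    for argv in run_pipeline("src", ["python", "java"], "acme/app",
                             "0123456789abcdef0123456789abcdef01234567",
                             "refs/heads/main", dry_run=True,
                             build_commands={"java": "mvn -B -DskipTests package"}):
        print(" ".join(argv))
```

For a pull request build pass the PR ref (`refs/pull/<number>/merge` or `refs/pull/<number>/head`) and its commit so the alerts appear on the pull request; to run a larger suite than the pack default, replace the pack argument with a suite reference such as `codeql/python-queries:codeql-suites/python-security-extended.qls`.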
45. What does the default CodeQL analysis setup in GitHub do?
a) Requires separate installation of third-party scanning tools
b) Scans code only on a monthly basis
c) Manually requires users to specify languages and queries for each scan
d) Automatically chooses languages to analyze, query suite to run, and events that trigger scans
Ans. d) Automatically chooses languages to analyze, query suite to run, and events that trigger scans
46. Public repositories owned by personal users as well as public repositories owned by organizations can use secret scanning for free.
a) True
b) False
Ans. a) True
47. Which parts of the repository are scanned by secret scanning? (Choose two.)
a) GitHub Repository secrets
b) Entire git history on all branches in the repository
c) Titles, descriptions and comments in open and closed historical issues
d) Entire git history on all protected branches in the repository
e) GitHub Environment secrets
Ans. b) Entire git history on all branches in the repository
c) Titles, descriptions and comments in open and closed historical issues
48. What's the purpose of the Secret scanning partner program?
a) GitHub Partner program allows enterprises and organizations with GitHub Advanced Security license to use GitHub secret scanning to scan their repositories.
b) Service Providers can partner with GitHub so that the format of their secrets can be recognized by GitHub secret scanning.
c) GitHub partners with external security companies to provide secret scanning for GitHub repositories.
d) It's a program where registered security professionals can in good faith report to GitHub any secrets they find in GitHub repositories and get paid rewards for it.
Ans. b) Service Providers can partner with GitHub so that the format of their secrets can be recognized by GitHub secret scanning.
49. How can you prevent commits containing cloud provider credentials from being pushed to GitHub?
a) Create a GitHub Action that will scan your commits for secrets before they are pushed to GitHub.
b) Enable a branch protection rule for your repository.
c) Enable a secret scanning push protection rule for your repository or organization.
d) Include a .gitignore file in your repository that will ignore files containing secrets.
Ans. c) Enable a secret scanning push protection rule for your repository or organization.
50. Which of these is true about the GitHub secret scanning partner program? (Choose three.)
a) It is a program where service providers can provide GitHub with the regex patterns of secrets that they issue so GitHub secret scanning can recognize them.
b) It grants the partner access to the secret GitHub scanning API so that the service provider can scan GitHub repositories for secrets that match their format.
c) The partner can take actions upon receiving notification from GitHub about a leaked secret, such as revoking the secret and informing the owner of the compromised secret.
d) When GitHub identifies a secret from a partnered service provider, it notifies the service provider about the leaked secret.
e) GitHub has the ability to automatically revoke leaked secrets and notify the service provider that they have been invalidated by GitHub.
Ans. a) It is a program where service providers can provide GitHub with the regex patterns of secrets that they issue so GitHub secret scanning can recognize them.
c) The partner can take actions upon receiving notification from GitHub about a leaked secret, such as revoking the secret and informing the owner of the compromised secret.
d) When GitHub identifies a secret from a partnered service provider, it notifies the service provider about the leaked secret.
51. How can you exclude certain directories or files from secret scanning?
a) By creating a .github/secret_scanning.yml file and listing the paths that should not be scanned under paths-ignore
b) Include these files in the .gitignore file
c) It's not possible to exclude specific files and/or directories from being scanned. Once you enable secret scanning for a repository, all files and directories will be scanned.
d) By creating a dependabot.yml file and including paths which should not be scanned
Ans. a) By creating a .github/secret_scanning.yml file and listing the paths that should not be scanned under paths-ignore
52. You have included some fake secrets in your test code and they have been picked up by GitHub's secret scanning. What can you do to tell GitHub that these are fake secrets used in tests and can be ignored by secret scanning? (Choose two.)
a) By creating a secret_scanning.yml file within which you declare paths where fake secrets are located, so scans will omit them
b) Close the Secret Scanning Alert with Used in tests close reason
c) By creating a .github/codeql.yml file within which you declare paths where fake secrets are located, so scans will omit them
d) In your test files, add a comment #gh_ignore: fake secret on the line where the fake secret is located.
Ans. a) By creating a secret_scanning.yml file within which you declare paths where fake secrets are located, so scans will omit them
b) Close the Secret Scanning Alert with Used in tests close reason
53. You have accidentally committed your GitHub personal access token to a public repository. What actions should you take to prevent your account from being compromised?
a) Change the token's permissions to read-only
b) Overwrite the git history to mask the token
c) Consider the token compromised and delete it immediately
d) Check if this token is used in any of your applications, if so - delete it.
Ans. c) Consider the token compromised and delete it immediately
54. What is the behavior when a new secret pattern is added or updated in the GitHub secret scanning partner program?
a) GitHub will only scan for the new pattern in newly pushed commits in repositories with secret scanning enabled. If a secret of that pattern was already present in the repository, it will not be detected.
b) The GitHub partner has to deal with the historically leaked secrets and GitHub will only scan any new commits for the new pattern
c) GitHub will create an issue in all repositories with secret scanning enabled so the maintainers can check the repository for any secrets matching the new pattern
d) GitHub will run a scan of all historical code content in public repositories with secret scanning enabled
Ans. d) GitHub will run a scan of all historical code content in public repositories with secret scanning enabled
55. Who will be notified when a NEW secret is pushed and detected in a repository? (Choose five.)
a) Commit authors
b) All Organization owners and enterprise owners
c) Security Managers
d) Everyone with write access to the repository
e) Users with custom roles with read/write access
f) Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked
g) Repository Administrators
Ans. a) Commit authors
c) Security Managers
e) Users with custom roles with read/write access
f) Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked
g) Repository Administrators
56. When GitHub runs a scan of all historical code in enterprise repositories what is the notification behavior? (Select two.)
a) GitHub notifies the enterprise owners and security managers, even if no secrets are found.
b) GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository.
c) GitHub notifies the commit authors of the commits that contain exposed secrets.
d) GitHub notifies the enterprise owners and security managers, only if it detects exposed secrets.
Ans. a) GitHub notifies the enterprise owners and security managers, even if no secrets are found.
b) GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository.
57. Does GitHub use the same set of secret scanning patterns for both user alerts and push protection alerts?
a) No, these are different sets of secret patterns
b) Yes, it's the same set of secret patterns
Ans. a) No, these are different sets of secret patterns
58. What are the three different sets of secret scanning patterns that GitHub maintains? (Select three.)
a) Enterprise alert patterns
b) Partner patterns
c) User alert patterns
d) Cloud provider patterns
e) Push protection patterns
f) Open source alert patterns
Ans. b) Partner patterns
c) User alert patterns
e) Push protection patterns
59. Multiple public repositories that you are contributing to do not have secret scanning push protection option enabled. What can you do to protect yourself from accidentally pushing secrets to these repositories?
a) It's not possible; push protection has to be enabled at the repository, organization or enterprise level
b) Download the GitHub push protection web plugin
c) Add the files containing secrets to .gitignore file in all of the repositories
d) Enable Push protection for yourself, in your personal GitHub account settings
Ans. d) Enable Push protection for yourself, in your personal GitHub account settings
60. Which file is typically used to configure CodeQL analysis in a repository?
a) .github/workflows/codeql-analysis.yml
b) .github/codeql-config.yml
c) codeql-analysis-config.json
d) .git/config
Ans. a) .github/workflows/codeql-analysis.yml
61. Which GitHub API can be used to automate security tasks?
a) GraphQL API
b) REST API
c) Both a and b
d) Neither a nor b
Ans. c) Both a and b
62. What should you do if a CodeQL scan produces false positives?
a) Disable CodeQL scanning
b) Modify the CodeQL query or use suppression comments
c) Delete the alert
d) Ignore the alert
Ans. b) Modify the CodeQL query or use suppression comments
63. Where can you view Dependabot alerts?
a) Security Tab > Dependabot Alerts
b) Issues Tab
c) Pull Requests
d) Actions Logs
Ans. a) Security Tab > Dependabot Alerts
64. Which branch is scanned for vulnerabilities by default?
a) Default branch (typically main)
b) All branches
c) Development branch
d) Feature branches
Ans. a) Default branch (typically main)
65. What type of file is .dependabot/config.yml?
a) A JSON configuration file
b) A YAML configuration file for Dependabot (the legacy v1 location; current configuration lives in .github/dependabot.yml)
c) A Git configuration file
d) A SARIF file for code scanning results
Ans. b) A YAML configuration file for Dependabot (the legacy v1 location; current configuration lives in .github/dependabot.yml)
66. Which GitHub role is required to configure Advanced Security settings?
a) Contributor
b) Repository Admin
c) Team Member
d) Fork Owner
Ans. b) Repository Admin
67. What is a primary use case for CodeQL Packs?
a) Managing dependency updates
b) Running pre-built queries on codebases
c) Automating CI/CD pipelines
d) Configuring repository permissions
Ans. b) Running pre-built queries on codebases
68. Which GitHub Action step runs the CodeQL analysis in a workflow?
a) run-codeql
b) github/codeql-action/analyze
c) codeql-init
d) scan-code
Ans. b) github/codeql-action/analyze
69. What is the key difference between Secret Scanning and Push Protection?
a) Push Protection prevents secrets from being committed
b) Secret Scanning detects secrets in repository history
c) Push Protection works in real-time, Secret Scanning does not
d) Both a and c
Ans. d) Both a and c
70. How does GitHub Advanced Security integrate with CI/CD workflows?
a) By providing pre-merge security checks
b) By scanning builds for outdated dependencies
c) By enforcing deployment restrictions
d) By managing deployment keys
Ans. a) By providing pre-merge security checks
71. Which permission level is required to enable Advanced Security features?
a) Read access
b) Write access
c) Admin access
d) Maintainer access
Ans. c) Admin access
72. What does enabling two-factor authentication (2FA) improve?
a) Dependency management
b) Repository security
c) Workflow automation
d) Secret scanning accuracy
Ans. b) Repository security
73. Which file defines a GitHub Actions workflow for Advanced Security?
a) .github/workflows/security.yml
b) .github/advanced_security.yml
c) .github/workflows/codeql-analysis.yml
d) .github/codeql-config.json
Ans. c) .github/workflows/codeql-analysis.yml
74. Which of the following ensures that security updates are applied automatically?
a) Enable Dependabot security updates
b) Use branch protection rules
c) Configure manual dependency updates
d) Run periodic security scans
Ans. a) Enable Dependabot security updates
75. Your company has internal secrets that should not be pushed to GitHub repositories. The pattern of these secrets is not known by GitHub and therefore is not detected by secret scanning. What can companies do to protect their developers from accidentally pushing these secrets to repositories in their GitHub Organization?
a) Define regex patterns for these secrets and enable custom patterns for secret scanning for the organization.
b) In all repositories include secret_scanning.yml file which will define these custom secrets that should be scanned for.
c) Define custom GitHub Actions workflows for repositories in the organization that will scan for these secrets.
d) The company should join the GitHub partner program so the pattern of the company's secrets is recognized.
Ans. a) Define regex patterns for these secrets and enable custom patterns for secret scanning for the organization.
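A custom pattern (questions 21 and 75) is defined in GitHub by up to four parts: the secret format, the text before it, the text after it, and additional must-match / must-not-match requirements. Before enabling such a pattern for push protection it is worth dry-running it against real code, because a pattern that is too loose blocks developers on placeholders and test fixtures and one that is too tight misses secrets glued to other characters. The harness below is an added example, not code from the page or from GitHub: it assembles the four parts the way the form presents them and scans sample lines. Python's `re` is not the engine GitHub uses, so keep the pattern to plain regex features (no lookarounds or backreferences) for the dry run to be representative. The `acme_` + 32 hex token format, the defaults shown for the before/after parts, and the sample lines are constructed for the example.

```python
"""Dry-run a secret scanning custom pattern before rolling it out.

Added example, not the page's code. The token format, the sample lines and the
placeholder rule are constructed; the before/after defaults are the ones the
custom-pattern form shows.
"""
import re
import sys

# Defaults shown by the custom-pattern form: start/end of input or a non-alphanumeric character.
DEFAULT_BEFORE = r"\A|[^0-9A-Za-z]"
DEFAULT_AFTER = r"\z|[^0-9A-Za-z]"


def _py(pattern):
    """Python spells end-of-string \\Z; the form uses \\z."""
    return pattern.replace(r"\z", r"\Z")


def compile_custom_pattern(secret, before=DEFAULT_BEFORE, after=DEFAULT_AFTER,
                           must_match=(), must_not_match=()):
    """Assemble the parts into one matcher; the secret itself is capture group 1.
    Returns a function yielding (column, secret) for each hit in a line."""
    full = re.compile(f"(?:{_py(before)})({secret})(?:{_py(after)})")
    required = [re.compile(_py(p)) for p in must_match]
    forbidden = [re.compile(_py(p)) for p in must_not_match]

    def finditer(line):
        for m in full.finditer(line):
            s = m.group(1)
            if all(r.search(s) for r in required) and not any(r.search(s) for r in forbidden):
                yield m.start(1), s
    return finditer


def mask(secret):
    """Never echo a full secret into CI logs."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_lines(lines, finditer):
    """Scan line by line (so \\A and \\z anchor per line) and return
    (line_number, column, masked_secret) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for col, s in finditer(line):
            hits.append((n, col, mask(s)))
    return hits


# Constructed sample: the pattern should fire on lines 1 and 2 only.
SAMPLE = [
    'INTERNAL_TOKEN = "acme_0123456789abcdef0123456789abcdef"',      # real token
    "curl -H 'X-Token: acme_fedcba9876543210fedcba9876543210' ...",  # real token, other delimiters
    "xacme_0123456789abcdef0123456789abcdef",                        # glued to a letter: not a token
    'PLACEHOLDER = "acme_00000000000000000000000000000000"',         # documented all-zero placeholder
    "acme_0123456789abcdef",                                         # too short
]

ACME_TOKEN = compile_custom_pattern(
    secret=r"acme_[0-9a-f]{32}",
    must_not_match=[r"0{32}"],   # reject the placeholder value used in docs and tests
)

if __name__ == "__main__":
    # Pipe `git diff --cached` or a file in to check real content; otherwise use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    for hit in scan_lines(lines, ACME_TOKEN):
        print("line %d col %d: %s" % hit)
```

Once the dry run produces the expected hits and nothing else, the same four parts go into the organization's custom pattern, and the `must_not_match` entry is what keeps the documented placeholder from tripping push protection.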
76. What information do Dependabot alerts provide?
a) Dependabot alerts tell you that your repository is being used by other public repositories.
b) Dependabot alerts tell you that your repository uses an untested version of a package.
c) Dependabot alerts tell you that your repository uses an outdated version of a package
d) Dependabot alerts tell you that your repository uses a package that is insecure.
Ans. d) Dependabot alerts tell you that your repository uses a package that is insecure.
77. What is the GitHub dependency graph?
a) It is a representation of a repository's dependencies and dependents.
b) There is no such thing as the GitHub dependency graph.
c) It is a tool that automatically proposes version updates to dependencies in a repository.
d) It is a GitHub maintained list of known vulnerabilities in open source software packages.
Ans. a) It is a representation of a repository's dependencies and dependents.
78. Is the GitHub dependency graph available for free to all repositories?
a) No, it's available for free for public repositories only. Private repositories can use it if they have the GitHub Advanced Security license.
b) Yes, it's available for free for all repositories.
Ans. b) Yes, it's available for free for all repositories.
79. How does the GitHub dependency graph know what dependencies your project is using? (Choose two.)
a) GitHub scans the repository code for import statements of external packages
b) GitHub derives dependencies automatically from manifests and lock files committed to the repository
c) Dependencies can be manually added using the Dependency submission API
d) It's required to add a GitHub Actions workflow that uses the official actions/dependency-graph GitHub Action to add dependencies to the graph whenever a new commit is pushed to the repository
Ans. b) GitHub derives dependencies automatically from manifests and lock files committed to the repository
c) Dependencies can be manually added using the Dependency submission API
80. When will the GitHub Dependency graph for your repository be updated? (Choose two.)
a) When you push a commit to the repository's default branch, only if that changes or adds a supported manifest/lockfile.
b) When your repository publishes a new git tag.
c) When you push any commit to the repository's default branch.
d) When anyone pushes a change to the repository of one of your dependencies.
e) When the GitHub Actions workflow that uses the actions/dependency-graph GitHub Action is triggered.
f) When your repository publishes a new release.
Ans. a) When you push a commit to the repository's default branch, only if that changes or adds a supported manifest/lockfile.
d) When anyone pushes a change to the repository of one of your dependencies.
81. In what format can you export the GitHub Dependency graph of your repository?
a) YAML
b) SPDX
c) JSON
d) CSV
e) XML
Ans. b) SPDX
82. Can your repository use Dependency Graph without using Dependabot Alerts?
a) Yes
b) No
Ans. a) Yes
83. Which feature is a prerequisite for using Dependabot Alerts on a repository?
a) Dependency security updates
b) Dependency review
c) Dependency graph
d) Dependency version updates
Ans. c) Dependency graph
84. Which of these statements about Dependabot Alerts are true? (Choose three.)
a) When GitHub identifies a vulnerable dependency, they generate a Dependabot alert and display it on the Security tab for the repository
b) Dependabot alerts tell you that your repository uses an outdated version of a package
c) They partially rely on the GitHub Advisory Database
d) To enable Dependabot Alerts you first need to have Dependency Graph enabled on your repository
e) Dependabot Alerts are enabled by default for all public repositories
f) Dependabot Alerts are enabled by default for all repositories
Ans. a) When GitHub identifies a vulnerable dependency, they generate a Dependabot alert and display it on the Security tab for the repository
c) They partially rely on the GitHub Advisory Database
d) To enable Dependabot Alerts you first need to have Dependency Graph enabled on your repository
85. What are the primary benefits of the Security Overview feature in GitHub?
a) Real-time threat detection
b) Automated dependency updates
c) Automatic code review for every push
d) Centralized view of security alerts and policy management in an organization
Ans. d) Centralized view of security alerts and policy management in an organization
86. What do Dependabot alerts indicate in GitHub?
a) Conflicts between different dependencies
b) Errors in dependency configuration files
c) Outdated dependencies that need to be updated
d) The presence of a vulnerable dependency or malware in your repository
Ans. d) The presence of a vulnerable dependency or malware in your repository
87. What is the purpose of code scanning in GitHub?
a) To identify vulnerabilities and errors in code
b) To check code formatting and style
c) To synchronize code with production servers
d) To review pull requests automatically
Ans. a) To identify vulnerabilities and errors in code
88. How can you identify which repository contributors have access to Advanced Security alerts?
a) Review the repository's Collaborators settings
b) Use the Security Tab > Access Insights
c) Check the Code Scanning configuration file
d) None of the above
Ans. b) Use the Security Tab > Access Insights
89. What type of file does GitHub Actions use to define workflows?
a) .yml or .yaml
b) .json
c) .ini
d) .config
Ans. a) .yml or .yaml
90. Is secret scanning available for both public and private repositories on GitHub?
a) Yes, with no additional requirements
b) Yes, but for private repositories, it requires a license for GitHub Advanced Security
c) No, it is only available for private repositories
d) No, it is only available for public repositories
Ans. b) Yes, but for private repositories, it requires a license for GitHub Advanced Security
91. What is the main purpose of using the CodeQL CLI?
a) To manage repository settings and permissions
b) To automatically merge pull requests
c) To generate a database representation of a codebase, a CodeQL database
d) To schedule regular maintenance tasks in a repository
Ans. c) To generate a database representation of a codebase, a CodeQL database
92. Which of the following languages is NOT supported by CodeQL for code scanning?
a) C/C++
b) Python
c) JavaScript/TypeScript
d) PHP
Ans. d) PHP
93. How does CodeQL analyze code in GitHub?
a) It uses machine learning to predict potential vulnerabilities based on past commits
b) It performs manual code reviews submitted by GitHub community members
c) It relies solely on third-party tools for code analysis
d) It generates a CodeQL database and runs queries to identify problems, displaying results as code scanning alerts
Ans. d) It generates a CodeQL database and runs queries to identify problems, displaying results as code scanning alerts
94. How can CodeQL be used in an external CI system together with GitHub repositories?
a) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository
b) Manually run CodeQL locally and email the results to the GitHub repository administrators
c) CodeQL cannot be used in external CI systems; it is exclusive to GitHub Actions
d) Upload source code to GitHub for analysis and then download results for use in the CI system
Ans. a) Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository
95. Which of these statements isn't true about secret scanning on GitHub?
a) Secret scanning will scan titles, descriptions, and comments in open and closed historical issues for secrets.
b) Secret scanning is a tool for secure secret storage and management.
c) Secret scanning can prevent supported secrets from being pushed into your enterprise, organization, or repository.
d) Secret scanning will scan your entire Git history on all branches present in your GitHub repository for secrets.
Ans. b) Secret scanning is a tool for secure secret storage and management.
96. How does GitHub ensure that secret scanning covers new patterns?
a) By allowing custom pattern definitions
b) Through regular updates to GitHub’s pattern database
c) By integrating with third-party APIs
d) By enabling user feedback
Ans. b) Through regular updates to GitHub’s pattern database
97. Which top-level keys are required in the dependabot.yml file?
a) version and package-ecosystem
b) updates and directory
c) version and updates
d) assignees and directory
Ans. c) version and updates
98. Which GitHub Action can be used to upload a third-party SARIF file?
a) actions/upload-sarif
b) github/codeql-action
c) github/codeql-action/upload-sarif
d) codeql-upload-sarif
Ans. c) github/codeql-action/upload-sarif
99. Which tool can be used in a third-party CI system to upload code analysis results to GitHub?
a) CodeQL API
b) CodeQL CLI
c) GitHub CLI
d) GitHub Actions github/codeql-action
Ans. b) CodeQL CLI
100. What is required for a CI server to upload SARIF results to GitHub?
a) A direct connection to the GitHub Advisory Database.
b) A GitHub App or personal access token with security_events write permission.
c) Administrator access to the GitHub repository.
d) A special plugin installed in the CI system.
Ans. b) A GitHub App or personal access token with security_events write permission.