Questions for the GH-500 were updated on: Nov 24, 2025
– [Configure and Use Secret Scanning]
What filter or sort settings can be used to prioritize the secret scanning alerts that present the most risk?
C
Explanation:
The best way to prioritize secret scanning alerts is to filter by active secrets — these are secrets GitHub has confirmed are still valid and could be exploited. This allows security teams to focus on high-risk exposures that require immediate attention.
Sorting by time or filtering by custom patterns won’t help with risk prioritization directly.
Reference: GitHub Docs – Filtering Secret Scanning Alerts
– [Configure and Use Dependency Management]
A repository's dependency graph includes:
A
Explanation:
The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.
It is specific to each repository and does not show org-wide or cross-repo summaries.
Reference: GitHub Docs – Understanding the Dependency Graph
– [Configure and Use Secret Scanning]
Which patterns are secret scanning validity checks available to?
C
Explanation:
Validity checks — where GitHub verifies if a secret is still active — are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) whose APIs let GitHub validate a token's activity status.
Custom patterns and high entropy patterns do not support automated validity checks.
Reference: GitHub Docs – Secret Validation for Partner Patterns
– [Configure and Use Dependency Management]
If notification and alert recipients are not customized, which users receive notifications about new Dependabot alerts in an affected repository?
A
Explanation:
By default, users with Write, Maintain, or Admin permissions receive notifications for new Dependabot alerts; Write is the minimum permission level needed to be notified automatically. Users with only Read access do not receive alerts unless added explicitly.
Reference: GitHub Docs – Dependabot Alerts Notification Scope
– [Configure and Use Secret Scanning]
Where in the repository can you give additional users access to secret scanning alerts?
B
Explanation:
To grant specific users access to view and manage secret scanning alerts, use the Settings tab of the repository. From there, under the "Code security and analysis" section, you can add individuals or teams with roles such as security manager.
The Security tab only displays alerts; access control is handled in Settings.
Reference: GitHub Docs – Granting Access to Secret Scanning Alerts
– [Configure and Use Dependency Management]
In the pull request, how can developers avoid adding new dependencies with known vulnerabilities?
C
Explanation:
To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.
This is a preventative measure during development, unlike Dependabot, which reacts after the fact.
Reference: GitHub Docs – Dependency Review Action
– [Use Code Scanning with CodeQL]
The autobuild step in the CodeQL workflow has failed. What should you do?
C
Explanation:
If autobuild (which attempts to detect automatically how to build your project) fails, disable it in your workflow and replace it with explicit build commands, using steps such as run: make or run: ./gradlew build.
This ensures CodeQL can still extract and analyze the code correctly.
Reference: GitHub Docs – CodeQL Build Configurations for Compiled Languages
– [Configure and Use Secret Scanning]
A secret scanning alert should be closed as "used in tests" when a secret is:
C
Explanation:
If a secret is intentionally used in a test environment and poses no real-world security risk, you may close the alert with the reason "used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.
Just being in a test file isn't enough unless its purpose is purely for testing.
Reference: GitHub Docs – Managing Secret Scanning Alerts
– [Configure and Use Dependency Management]
Which security feature shows a vulnerable dependency in a pull request?
B
Explanation:
Dependency review runs as part of a pull request and shows which dependencies are being added, removed, or changed — and highlights vulnerabilities associated with any added packages.
It works in real-time and is specifically designed for use during pull request workflows.
The dependency graph is an overview, Dependabot alerts notify post-merge, and the Security tab shows the aggregated alert list.
Reference: GitHub Docs – About Dependency Review
– [Use Code Scanning with CodeQL]
Which syntax in a query suite tells CodeQL to look for one or more specified .ql files?
A
Explanation:
In a query suite (a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.
Example:
- query: path/to/query.ql
qls is the suite file format itself, not a key, and qlpack is used for packaging queries, not in suite syntax.
Reference: GitHub Docs – CodeQL Query Suite Syntax
– [Use Code Scanning with CodeQL]
Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? (Each answer presents part of the solution. Choose three.)
B, C, D
Explanation:
When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):
Install the CLI: Needed to run CodeQL commands.
Analyze code: Perform the CodeQL analysis on your project with the CLI.
Upload scan results: Export the results in SARIF format and use GitHub’s API to upload them to your repo’s Security tab.
You don’t need to write custom queries unless extending functionality. “Processing alerts” happens after GitHub receives the results.
Reference: GitHub Docs – Using CodeQL with 3rd Party CI Systems
– [Configure and Use Dependency Management]
What are Dependabot security updates?
A
Explanation:
Dependabot security updates are automated pull requests triggered when GitHub detects a vulnerability in a dependency listed in your manifest or lockfile. These PRs upgrade the dependency to the minimum safe version that fixes the vulnerability.
This is separate from regular updates (which keep versions current even if not vulnerable).
Reference: GitHub Docs – About Dependabot Security Updates
– [Configure and Use Dependency Management]
Which of the following options would close a Dependabot alert?
A
Explanation:
A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code — specifically after you merge a pull request that updates the vulnerable dependency.
Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.
Reference: GitHub Docs – Managing Dependabot Security Updates
– [Use Code Scanning with CodeQL]
Which CodeQL query suite provides queries of lower severity than the default query suite?
C
Explanation:
The security-extended query suite includes additional CodeQL queries that detect lower severity issues than those in the default security-and-quality suite.
It’s often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.
The other options listed are paths to language packs, not query suites themselves.
Reference: GitHub Docs – CodeQL Query Suite Types
– [Describe GHAS Security Features and Functionality]
Which alerts do you see in the repository's Security tab? (Each answer presents part of the solution. Choose three.)
B, C, E
Explanation:
In a repository's Security tab, you can view:
Secret scanning alerts: Exposed credentials or tokens
Dependabot alerts: Vulnerable dependencies from the advisory database
Code scanning alerts: Vulnerabilities in code detected via static analysis (e.g., CodeQL)
You won’t see general "security status alerts" (not a formal category) or permission-related alerts here.
Reference: GitHub Docs – Understanding the Security Tab