Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
GitHub
GitHub Certification
GitHub-Advanced-Security
GitHub Advanced Security GHAS Exam Questions and Answers

Pass the GitHub Certification GitHub-Advanced-Security Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam GitHub-Advanced-Security Premium Access

View all detail and faqs for the GitHub-Advanced-Security exam

Go to Exam

535 Students Passed

92% Average Score

90% Same Questions

Viewing page 1 out of 3 pages

Viewing questions 1-10 out of questions

Questions # 1:

As a contributor, you discovered a vulnerability in a repository. Where should you look for the instructions on how to report the vulnerability?

Options:

support.md

readme.md

contributing.md

security.md

Answer

Explanation

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a “Report a vulnerability” button in the repository’sSecuritytab.

[: GitHub Docs – Adding a security policy to your repository, ==========]

Questions # 2:

Which of the following tasks can be performed by a security team as a proactive measure to help address secret scanning alerts? (Each answer presents a complete solution. Choose two.)

Options:

Dismiss alerts that are older than 90 days.

Configure a webhook to monitor for secret scanning alert events.

Enable system for cross-domain identity management (SCIM) provisioning for the enterprise.

Document alternatives to storing secrets in the source code.

Answer

B, D

Explanation

To proactively address secret scanning:

Webhookscan be configured to listen for secret scanning events. This allows automation, logging, or alerting in real-time when secrets are detected.

Documenting secure development practices(like using environment variables or secret managers) helps reduce the likelihood of developers committing secrets in the first place.

Dismissal based on age is not a best practice without triage. SCIM deals with user provisioning, not scanning alerts.

[: GitHub Docs – Managing and Responding to Secret Scanning Alerts, ==========]

Questions # 3:

What should you do after receiving an alert about a dependency added in a pull request?

Options:

Disable Dependabot alerts for all repositories owned by your organization

Fork the branch and deploy the new fork

Update the vulnerable dependencies before the branch is merged

Deploy the code to your default branch

Answer

Explanation

If an alert is raised on apull request dependency, best practice is toupdate the dependencyto a secure versionbeforemerging the PR. This prevents the vulnerable version from entering the main codebase.

Merging or deploying the PR without fixing the issue exposes your production environment to known risks.

[: GitHub Docs – Reviewing Dependabot Alerts in Pull Requests, ==========]

Questions # 4:

The autobuild step in the CodeQL workflow has failed. What should you do?

Options:

Remove specific build steps.

Compile the source code.

Remove the autobuild step from your code scanning workflow and add specific build steps.

Use CodeQL, which implicitly detects the supported languages in your code base.

Answer

Explanation

Ifautobuildfails (which attempts to automatically detect how to build your project), you shoulddisable itin your workflow andreplace it with explicit build commands, using steps like run: make or run: ./gradlew build.

This ensures CodeQL can still extract and analyze the code correctly.

[: GitHub Docs – CodeQL Build Configurations for Compiled Languages, ==========]

Questions # 5:

Why should you dismiss a code scanning alert?

Options:

If you fix the code that triggered the alert

To prevent developers from introducing new problems

If it includes an error in code that is used only for testing

If there is a production error in your code

Answer

Explanation

You shoulddismissa code scanning alert if the flagged code isnot a true security concern, such as:

Code in test files

Code paths that are unreachable or safe by design

False positives from the scanner

Fixing the code would automaticallyresolvethe alert — not dismiss it. Dismissing is for valid exceptions or noise reduction.

[: GitHub Docs – Dismissing Code Scanning Alerts, ==========]

Questions # 6:

How would you build your code within the CodeQL analysis workflow? (Each answer presents a complete solution. Choose two.)

Options:

Upload compiled binaries.

Use CodeQL's init action.

Ignore paths.

Implement custom build steps.

Use jobs.analyze.runs-on.

Use CodeQL's autobuild action.

Answer

D, F

Explanation

Comprehensive and Detailed Explanation:

When setting up CodeQL analysis for compiled languages, there are two primary methods to buildyour code:

GitHub Docs

Autobuild: CodeQL attempts to automatically build your codebase using the most likely build method. This is suitable for standard build processes.

GitHub Docs

Custom Build Steps: For complex or non-standard build processes, you can implement custom build steps by specifying explicit build commands in your workflow. This provides greater control over the build process.

GitHub Docs

The init action initializes the CodeQL analysis but does not build the code. The jobs.analyze.runs-on specifies the operating system for the runner but is not directly related to building the code. Uploading compiled binaries is not a method supported by CodeQL for analysis.

[References: GitHub Docs – CodeQL code scanning for compiled languages, , , ==========, ]

Questions # 7:

Which of the following secret scanning features can verify whether a secret is still active?

Options:

Push protection

Validity checks

Branch protection

Custom patterns

Answer

Explanation

Validity checks, also calledsecret validation, allow GitHub to check if a detected secret isstill active. If verified as live, the alert is marked as"valid", allowing security teams to prioritize the most critical leaks.

Push protectionblockssecrets but does not check their validity. Custom patterns are user-defined and do not include live checks.

[: GitHub Docs – Secret Scanning Validity, ==========]

Questions # 8:

What kind of repository permissions do you need to request a Common Vulnerabilities and Exposures (CVE) identification number for a security advisory?

Options:

Maintain

Admin

Triage

Write

Answer

Explanation

Requesting a CVE ID for a security advisory in a GitHub repository requiresAdminpermissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.

[: GitHub Docs – About repository security advisories, , ]

Questions # 9:

What do you need to do before you can define a custom pattern for a repository?

Options:

Provide a regular expression for the format of your secret pattern.

Add a secret scanning custom pattern.

Enable secret scanning on the repository.

Provide match requirements for the secret format.

Stack Overflow

Answer

Explanation

Comprehensive and Detailed Explanation:

Before defining a custom pattern for secret scanning in a repository, you must enable secretscanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.

Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.

[References: GitHub Docs – Managing alerts from secret scanning, , , ==========, ]

Questions # 10:

What YAML syntax do you use to exclude certain files from secret scanning?

Options:

decrypt_secret.sh

paths-ignore:

branches-ignore:

secret scanning.yml

Answer

Explanation

To exclude specific files or directories from being scanned by secret scanning in GitHub Actions, you can use thepaths-ignore:key within your YAML workflow file.

This tells GitHub toignore specified pathswhen scanning for secrets, which can be useful for excluding test data or non-sensitive mock content.

Other options listed are invalid:

branches-ignore: excludes branches, not files.

decrypt_secret.sh is not a YAML key.

secret scanning.yml is not a recognized filename for configuration.

[: GitHub Docs – Ignoring Files in GitHub Actions for Secret Scanning, , ]

Viewing page 1 out of 3 pages

Viewing questions 1-10 out of questions