Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Microsoft
GitHub Administrator
GH-500
GitHub Advanced Security Exam Questions and Answers

Pass the Microsoft GitHub Administrator GH-500 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam GH-500 Premium Access

View all detail and faqs for the GH-500 exam

Go to Exam

475 Students Passed

97% Average Score

94% Same Questions

Viewing page 1 out of 3 pages

Viewing questions 1-10 out of questions

Questions # 1:

Why should you dismiss a code scanning alert?

Options:

If you fix the code that triggered the alert

To prevent developers from introducing new problems

If it includes an error in code that is used only for testing

If there is a production error in your code

Answer

Explanation

You should dismiss a code scanning alert if the flagged code is not a true security concern, such as:

Code in test files

Code paths that are unreachable or safe by design

False positives from the scanner

Fixing the code would automatically resolve the alert — not dismiss it. Dismissing is for valid exceptions or noise reduction.

[: GitHub Docs – Dismissing Code Scanning Alerts, ==========]

Questions # 2:

What step is required to run a SARIF-compatible (Static Analysis Results Interchange Format) tool on GitHub Actions?

Options:

Update the workflow to include a final step that uploads the results.

By default, the CodeQL runner automatically uploads results to GitHub on completion.

The CodeQL action uploads the SARIF file automatically when it completes analysis.

Use the CLI to upload results to GitHub.

Answer

Explanation

When using a SARIF-compatible tool within GitHub Actions, it's necessary to explicitly add a step in your workflow to upload the analysis results. This is typically done using the upload-sarif action, which takes the SARIF file generated by your tool and uploads it to GitHub for processing and display in the Security tab. Without this step, the results won't be available in GitHub's code scanning interface.

[: GitHub Docs – Uploading a SARIF file to GitHub, , ]

Questions # 3:

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

Options:

It generates a Dependabot alert and displays it on the Security tab for the repository.

It notifies the repository administrators about the new alert.

It generates Dependabot alerts by default for all private repositories.

It consults with a security service and conducts a thorough vulnerability review.

Answer

A, B

Explanation

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.

[References: GitHub Docs – About Dependabot alerts; Configuring notifications for Dependabot alerts, , , ==========, ]

Questions # 4:

What kind of repository permissions do you need to request a Common Vulnerabilities and Exposures (CVE) identification number for a security advisory?

Options:

Maintain

Admin

Triage

Write

Answer

Explanation

Requesting a CVE ID for a security advisory in a GitHub repository requires Admin permissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.

[: GitHub Docs – About repository security advisories, , ]

Questions # 5:

Which key is required in the update settings of the Dependabot configuration file?

Options:

rebase-strategy

commit-message

assignees

package-ecosystem

Answer

Explanation

In a dependabot.yml configuration file, package-ecosystem is a required key. It defines the package manager being used in that update configuration (e.g., npm, pip, maven, etc.).

Without this key, Dependabot cannot determine how to analyze or update dependencies. Other keys like rebase-strategy or commit-message are optional and used for customizing behavior.

[: GitHub Docs – Dependabot Configuration Options, ==========]

Questions # 6:

What is a security policy?

Options:

An automatic detection of security vulnerabilities and coding errors in new or modified code

A security alert issued to a community in response to a vulnerability

A file in a GitHub repository that provides instructions to users about how to report a security vulnerability

An alert about dependencies that are known to contain security vulnerabilities

Answer

Explanation

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project’s transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a “Report a vulnerability” button in the repository’s Security tab.

[: GitHub Docs – Adding a security policy to your repository, ==========]

Questions # 7:

Secret scanning will scan:

Options:

A continuous integration system.

Any Git repository.

The GitHub repository.

External services.

Answer

Explanation

Secret scanning is a feature provided by GitHub that scans the contents of your GitHub repositories for known types of secrets, such as API keys and tokens. It operates within the GitHub environment and does not scan external systems, services, or repositories outside of GitHub. Its primary function is to prevent the accidental exposure of sensitive information within your GitHub-hosted code.

[: GitHub Docs – About secret scanning, , ]

Questions # 8:

When using CodeQL, how does extraction for compiled languages work?

Options:

By generating one language at a time

By resolving dependencies to give an accurate representation of the codebase

By monitoring the normal build process

By running directly on the source code

Answer

Explanation

For compiled languages, CodeQL performs extraction by monitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.

This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.

[: GitHub Docs – CodeQL for compiled languages, ==========]

Questions # 9:

When using CodeQL, what extension stores query suite definitions?

Options:

.yml

.ql

.qll

.qls

Answer

Explanation

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

[: GitHub Docs – CodeQL Query Suite Files, ==========]

Questions # 10:

How many alerts are created when two instances of the same secret value are in the same repository?

Options:

Answer

Explanation

When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.

This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.

[: GitHub Docs – About secret scanning alerts, ==========]

Viewing page 1 out of 3 pages

Viewing questions 1-10 out of questions