GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Questions and Answers

Comprehensive and Detailed Explanation:

A CodeQL database contains a representation of your codebase, including the build of the code and extracted data. This database is used to run CodeQL queries to analyze your code for potential vulnerabilities and errors.​

GitHub Docs

Dependency review runs as part of a pull request and shows which dependencies are being added, removed, or changed — and highlights vulnerabilities associated with any added packages.

It works in real-time and is specifically designed for use during pull request workflows.

The dependency graph is an overview, Dependabot alerts notify post-merge, and the Security tab shows the aggregated alert list.

A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code — specifically after you merge a pull request that updates the vulnerable dependency.

Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.

By default, secret scanning is enabled automatically for all public repositories . For private or internal repositories, secret scanning must be enabled manually unless configured at the organization or enterprise level.

This default behavior helps protect open-source projects without requiring additional configuration.

Comprehensive and Detailed Explanation:

Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.​

Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.​

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:

Number of alerts related to:

Code scanning

Secret scanning

Dependency (Dependabot) alerts

Summary and visibility into open, closed, and dismissed security issues.

It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.

To grant specific users access to view and manage secret scanning alerts , you do this via the Settings tab of the repository. From there, under the "Code security and analysis" section, you can add individuals or teams with roles such as security manager .

The Security tab only displays alerts; access control is handled in Settings.

Comprehensive and Detailed Explanation:

By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.​

Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.​

When using a SARIF-compatible tool within GitHub Actions, it's necessary to explicitly add a step in your workflow to upload the analysis results. This is typically done using the upload-sarif action, which takes the SARIF file generated by your tool and uploads it to GitHub for processing and display in the Security tab. Without this step, the results won't be available in GitHub's code scanning interface.​

Requesting a CVE ID for a security advisory in a GitHub repository requires Admin permissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.​

The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.

It is specific to each repository and does not show org-wide or cross-repo summaries.

Secret scanning is a feature provided by GitHub that scans the contents of your GitHub repositories for known types of secrets, such as API keys and tokens. It operates within the GitHub environment and does not scan external systems, services, or repositories outside of GitHub. Its primary function is to prevent the accidental exposure of sensitive information within your GitHub-hosted code.​

When defining a custom pattern for secret scanning, two key fields are required:

Name of the pattern : A unique label to identify the pattern

Secret format : A regular expression that defines what the secret looks like (e.g., token format)

You can optionally specify additional match requirements (like required context keywords), but they’re not mandatory. Listing repositories is also not part of the required fields during pattern creation.

Comprehensive and Detailed Explanation:

In the advanced setup for CodeQL code scanning, GitHub generates a workflow file named codeql-analysis.yml. This file is located in the .github/workflows directory of your repository. It defines the configuration for the CodeQL analysis, including the languages to analyze, the events that trigger the analysis, and the steps to perform during the workflow.​

Validity checks — where GitHub verifies if a secret is still active — are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

Comprehensive and Detailed Explanation:

When configuring Dependabot via the dependabot.yml file, the following fields are mandatory for each update configuration:

directory: Specifies the location of the package manifest within the repository. This tells Dependabot where to look for dependency files.​

package-ecosystem: Indicates the type of package manager (e.g., npm, pip, maven) used in the specified directory.​

schedule.interval: Defines how frequently Dependabot checks for updates (e.g., daily, weekly). This ensures regular scanning for outdated or vulnerable dependencies.​

The milestone field is optional and used for associating pull requests with milestones. The allow field is also optional and used to specify which dependencies to update.​

GitLab

By default , no repositories receive Dependabot alerts unless configuration is explicitly enabled. GitHub does not enable Dependabot alerts automatically for any repositories unless:

The feature is turned on manually

It's configured at the organization or enterprise level via security policies

This includes public, private, and enterprise-owned repositories — manual activation is required .

The GitHub Code Scanning API includes endpoints that allow you to:

List alerts for a repository (filtered by branch, state, or tool) — useful for monitoring security over time.

Get a single alert by its ID to inspect its metadata, status, and locations in the code.

However, GitHub does not support modifying the severity of alerts via API — severity is defined by the scanning tool (e.g., CodeQL). Likewise, alerts cannot be deleted via the API; they are resolved by fixing the code or dismissing them manually.