GitHub GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Exam Practice Test

All results from CodeQL analysis appear under therepository’s code scanning alertstab. This section is part of theSecuritytab and provides a list of all current, fixed, and dismissed alerts found by CodeQL.

A CodeQL database is used internally during scanning but does not display results. Query packs contain rules, not results. Security advisories are for published vulnerabilities, not per-repo findings.

In a dependabot.yml configuration file,package-ecosystemis arequired key. It defines the package manager being used in that update configuration (e.g., npm, pip, maven, etc.).

Without this key, Dependabot cannot determine how to analyze or update dependencies. Other keys like rebase-strategy or commit-message are optional and used for customizing behavior.

The best proactive control ispush protection. It scans for secretsduring a git pushand blocks the commitbeforeit enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

TheSecurity tabin a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:

Number ofalertsrelated to:

Code scanning

Secret scanning

Dependency (Dependabot) alerts

Summary and visibility into open, closed, and dismissed security issues.

It doesnotshow 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.

A Dependabot alert is marked asresolvedonly after the relatedpull request is mergedinto the repository. This indicates that the vulnerable dependency has been officially replaced with a secure version in the active codebase.

Simply generating a PR or passing checks does not change the alert status; merging is the key step.

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a “Report a vulnerability” button in the repository’sSecuritytab.

Dependency reviewruns as part of a pull request and showswhich dependencies are being added, removed, or changed— andhighlights vulnerabilitiesassociated with any added packages.

It works in real-time and is specifically designed for use during pull request workflows.

Thedependency graphis an overview,Dependabot alertsnotify post-merge, and theSecurity tabshows the aggregated alert list.

GitHub automatically closes a code scanning alert when the vulnerable code is fixedin the same branch where the alert was generated, usually via acommit inside a pull request. Simply clicking or triaging an alert does not resolve it. The alert is re-evaluated after each push to the branch, and if the issue no longer exists, it is marked as resolved.

Comprehensive and Detailed Explanation:

When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:​

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.​

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.​

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.​

Thedependency graphin a repository is built byparsing manifest and lock files(like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.

It is specific to each repository and does not show org-wide or cross-repo summaries.

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.

Requesting a CVE ID for a security advisory in a GitHub repository requiresAdminpermissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.​

After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to theminimum required secure version—if a fix is available and compatible with your project.

This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.

In aquery suite(a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.

Example:

- query: path/to/query.ql

qls is the file format.

qlpack is used for packaging queries, not in suite syntax.

Comprehensive and Detailed Explanation:

When setting up CodeQL analysis for compiled languages, there are two primary methods to buildyour code:​

GitHub Docs

Autobuild: CodeQL attempts to automatically build your codebase using the most likely build method. This is suitable for standard build processes.​

GitHub Docs

Custom Build Steps: For complex or non-standard build processes, you can implement custom build steps by specifying explicit build commands in your workflow. This provides greater control over the build process.​

GitHub Docs

The init action initializes the CodeQL analysis but does not build the code. The jobs.analyze.runs-on specifies the operating system for the runner but is not directly related to building the code. Uploading compiled binaries is not a method supported by CodeQL for analysis.​

Youmust enable secret scanningbefore defining custom patterns. Secret scanning provides the foundational capability for detecting exposed credentials, and custom patterns build upon that by allowing organizations to specify their own regex-based patterns for secrets unique to their environment.

Without enabling secret scanning, GitHub will not process or apply custom patterns.

In a workflow: GitHub Actions workflows are the most common place for CodeQL code scanning. The codeql-analysis.yml defines how the analysis runs and when it triggers.

In an external CI system: GitHub allows you to run CodeQL analysis outside of GitHub Actions. Once complete, the results can be uploaded using the upload-sarif action to make alerts visible in the repository.

You cannot run or trigger analysis from third-party repositories directly, and theFiles changed tabin pull requests only shows diff — not analysis results.

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project’s transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a “Report a vulnerability” button in the repository’s Security tab.

Thesecurity-extendedquery suite includes additional CodeQL queries that detectlower severity issuesthan those in the default security-and-quality suite.

It’s often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.

The other options listed arepaths to language packs, not query suites themselves.

To grant specific users access toview and manage secret scanning alerts, you do this via theSettingstab of the repository. From there, under the"Code security and analysis"section, you can add individuals or teams with roles such assecurity manager.

The Security tab only displays alerts; access control is handled in Settings.

To ensure you're notified whenever a vulnerability is detected via Dependabot, you mustenablealerts for Dependabotin your personal notification settings. This applies to both new and existing repositories. It ensures you get timely alerts about security vulnerabilities.

The dependency graph must be enabled for scanning, but does not send alerts itself.

Comprehensive and Detailed Explanation:

Dependabot alerts are generated based on data from various sources:​

National Vulnerability Database (NVD): A comprehensive repository of known vulnerabilities, which GitHub integrates into its advisory database.​

GitHub Docs

Security Advisories Reported on GitHub: GitHub allows maintainers and security researchers to report and discuss vulnerabilities, which are then included in the advisory database.​

The dependency graph and manifest/lock files are tools used by GitHub to determine which dependencies are present in a repository but are not sources of vulnerability disclosures themselves.​