GH-500: GitHub Advanced Security Practice Exam

GH-500: GitHub Advanced Security Certification

About the Exam

The GH-500 certification is designed to validate your expertise in implementing and managing GitHub Advanced Security (GHAS) features within GitHub Enterprise. It’s ideal for professionals who want to demonstrate their ability to secure software development workflows by identifying and resolving vulnerabilities before code hits production.

Who should take this Exam?

This certification is best suited for GitHub administrators, security engineers, DevOps or platform engineers, and developers who are responsible for maintaining the security of software projects within GitHub environments. If you're working in a mid-sized to large organization using GitHub and are responsible for integrating or managing security tools, this exam is a great fit.

Skills Required

  • Candidates should have hands-on experience using GitHub, especially within GitHub Enterprise environments.
  • Familiarity with DevSecOps practices, basic coding, GitHub Actions, and security operations is essential.
  • You should also be comfortable working with tools like CodeQL, Dependabot, and GitHub’s secret scanning features.

Knowledge Gained

By preparing for and earning this certification, you'll develop and demonstrate the ability to:

  • Implement GitHub Advanced Security features like secret scanning, code scanning, and Dependabot
  • Manage security policies at the organization and repository level
  • Use CodeQL to perform custom code analysis
  • Prioritize and remediate security alerts
  • Govern access and policies across large GitHub environments

Course Outline

The GH-500: GitHub Advanced Security Practice Exam covers the following topics:

Module 1: Understanding the GHAS security features and functionality (15%)

1.1 Explain and contrast GHAS features and their role in the security ecosystem

  • Learn to differentiate the security features that open source projects receive automatically from those that become available when GHAS is paired with GHEC or GHES
  • Learn the features and benefits of Security Overview
  • Learn the differences between secret scanning and code scanning
  • Learn how secret scanning, code scanning, and Dependabot create a more secure software development life cycle
  • Learn to contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle

1.2 Explain and use specific GHAS features

  • Learn how vulnerable dependencies are identified (by looking at the manifest files and comparing them with databases of known vulnerabilities)
  • Learn to choose how to act on alerts from GHAS
  • Learn the implications of ignoring an alert
  • Learn the role of a developer when they discover a security alert
  • Learn the differences in access management to view alerts for different security features
  • Learn to identify where to use Dependabot alerts in the software development lifecycle

Module 2: Understanding how to configure and use secret scanning (15%)

2.1 Explain how to configure and use secret scanning

  • Learn about secret scanning
  • Learn about push protection
  • Learn about validity checks
  • Learn to contrast secret scanning availability for public and private repositories
  • Learn to enable secret scanning for private repositories
  • Learn to pick an appropriate response to a secret scanning alert
  • Learn to determine if an alert is generated for a given secret, pattern, or service provider
  • Learn to determine if a given user role will see secret scanning alerts and how they will be notified

2.2 Explain how to customize default secret scanning behavior

  • Learn to configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins)
  • Learn to exclude certain files from being scanned for secrets
  • Learn to enable custom secret scanning for a repository

Module 3: Understanding how to configure and use Dependabot and Dependency Review (35%)

3.1 Explain tools for managing vulnerabilities in dependencies

  • Learn about the dependency graph
  • Learn how the dependency graph is generated
  • Learn what a Software Bill of Materials (SBOM) is, and the SBOM format used by GitHub
  • Learn what a dependency vulnerability is
  • Learn about Dependabot alerts
  • Learn about Dependabot security updates
  • Learn about Dependency Review
  • Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the GitHub Advisory Database)
  • Describe the difference between Dependabot and Dependency Review

3.2 Explain how to enable and configure tools for managing vulnerable dependencies

  • Learn to identify the default settings for Dependabot alerts in public and private repositories
  • Learn to identify the permissions and roles required to enable Dependabot alerts
  • Learn to identify the permissions and roles required to view Dependabot alerts
  • Learn to enable Dependabot alerts for private repositories
  • Learn to enable Dependabot alerts for organizations
  • Learn to create a valid Dependabot configuration file to group security updates
  • Learn to create a Dependabot Rule to auto-dismiss low severity alerts until a patch is available
  • Learn to create a Dependency Review GitHub Actions workflow
  • Learn to configure license checks and custom severity thresholds in a Dependency Review workflow
  • Learn to configure notifications for vulnerable dependencies

3.3 Explain how to identify and remediate vulnerable dependencies

  • Learn to identify a vulnerable dependency from a Dependabot alert
  • Learn to identify vulnerable dependencies from a pull request
  • Learn to enable Dependabot security updates
  • Learn about remedying a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)
  • Learn about remedying a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the dependency)
  • Learn to take action on any Dependabot alerts by testing and merging pull requests

Module 4: Understanding how to configure and use code scanning with CodeQL (25%)

4.1 Explain how to use code scanning with third-party tools

  • Learn to enable code scanning for use with a third-party analysis
  • Learn to contrast the steps for using CodeQL versus third-party analysis when enabling code scanning
  • Learn to contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool
  • Learn to upload third-party SARIF results via the SARIF endpoint

4.2 Describe and enable code scanning

  • Learn to describe how code scanning fits in the software development life cycle
  • Learn to contrast the frequency of code scanning workflows (scheduled versus triggered by events)
  • Learn to choose a triggering event for a given development pattern (for example, in a pull request and for specific files)
  • Learn to edit the default template for Actions workflow to fit an active, open source, production repository
  • Learn to describe how to view code scanning results from CodeQL analysis
  • Learn to troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow
  • Learn to follow the data flow through code using the show paths experience
  • Learn to explain the reason for a code scanning alert using the documentation linked from the alert
  • Learn to determine if and why a code scanning alert needs to be dismissed
  • Learn to describe potential shortfalls in CodeQL based on its compilation model and language support
  • Learn the purpose of defining a SARIF category

Module 5: Understanding GitHub Advanced Security best practices, results, and how to take corrective measures (10%)

5.1 Explain GitHub Advanced Security results and best practices

  • Learn to use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub Advanced Security alert and list potential remediation
  • Learn to describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a decision based on data)
  • Learn to describe the default CodeQL query suites
  • Learn to describe how CodeQL analyzes code and produces results, including the differences between compiled and interpreted languages
  • Learn to determine the roles and responsibilities of development and security teams on a software development workflow
  • Learn to describe how the severity threshold for code scanning pull request status checks can be changed
  • Learn to explain how filters and sorting can be used to prioritize secret scanning remediation (validity:active)
  • Learn to explain how CodeQL & Dependency Review workflows can be enforced with Repository Rulesets
  • Learn to describe how code scanning can be configured to identify and remediate vulnerabilities earlier (scanning upon pull request)
  • Learn to describe how secret scanning can be configured to identify and remediate vulnerabilities earlier (enabling push protection)
  • Learn to describe how dependency analysis can be configured to identify and remediate vulnerabilities earlier (enable dependency review to scan upon pull request)
