GitHub-Advanced-Security GitHub Advanced Security GHAS Exam Questions and Answers

Requesting a CVE ID for a security advisory in a GitHub repository requiresAdminpermissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.​

The best proactive control ispush protection. It scans for secretsduring a git pushand blocks the commitbeforeit enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

Toexclude.txt and .md files from triggering workflows on pull requests to the main branch:

on: defines the event (e.g., pull_request)

pull_request: is the trigger

paths-ignore: is the key used to ignore file patterns

Example YAML:

yaml

CopyEdit

on:

pull_request:

branches:

- main

paths-ignore:

- '*.md'

- '*.txt'

Using paths: would include only specific files instead — not exclude. paths-ignore: is correct here.

If a secret isintentionally used in a test environmentandposes no real-world security risk, you may close the alert with the reason"used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.

Just being in a test file isn't enough unless itspurpose is purely for testing.

Secrets committed and then deleted are still accessible in therepository’s Git history. To locate them, navigate to theCommitstab. GitHub's secret scanning can detect secrets in both current and historical commits, which is why remediation should also includerevoking the secret, not just removing it from the latest code.

Code scanningis a static analysis feature that examines your source code to identifysecurityvulnerabilitiesandcoding errors. It runs either on every push, pull request, or a scheduled time depending on the workflow configuration.

It doesnotautomatically contact maintainers, scan full Git history, or block pushes unless explicitly configured to do so.

The GitHub Code Scanning API includes endpoints that allow you to:

List alertsfor a repository (filtered by branch, state, or tool) — useful for monitoring security over time.

Get a single alertby its ID to inspect its metadata, status, and locations in the code.

However, GitHub doesnotsupport modifying the severity of alerts via API — severity is defined by the scanning tool (e.g., CodeQL). Likewise, alertscannot be deletedvia the API; they are resolved by fixing the code or dismissing them manually.

Comprehensive and Detailed Explanation:

For code scanning to be triggered on a specific branch, the branch must contain the appropriate workflow file, typically located in the .github/workflows directory. This YAML file defines the code scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).​

Without the workflow file in the branch, GitHub Actions will not execute the code scanning process for that branch. The repository's visibility (private or public), the status of secret scanning, or the activity level of developers do not directly influence the triggering of code scanning.​

When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):

Install the CLI: Needed to run CodeQL commands.

Analyze code: Perform the CodeQL analysis on your project with the CLI.

Upload scan results: Export the results in SARIF format and use GitHub’s API to upload them to your repo’s security tab.

You don’t need to write custom queries unless extending functionality. “Processing alerts” happens after GitHub receives the results.

Comprehensive and Detailed Explanation:

When configuring Dependabot via the dependabot.yml file, the following fields are mandatory for each update configuration:

directory: Specifies the location of the package manifest within the repository. This tellsDependabot where to look for dependency files.​

package-ecosystem: Indicates the type of package manager (e.g., npm, pip, maven) used in the specified directory.​

schedule.interval: Defines how frequently Dependabot checks for updates (e.g., daily, weekly). This ensures regular scanning for outdated or vulnerable dependencies.​

The milestone field is optional and used for associating pull requests with milestones. The allow field is also optional and used to specify which dependencies to update.​

GitLab

In a dependabot.yml configuration file,package-ecosystemis arequired key. It defines the package manager being used in that update configuration (e.g., npm, pip, maven, etc.).

Without this key, Dependabot cannot determine how to analyze or update dependencies. Other keys like rebase-strategy or commit-message are optional and used for customizing behavior.

Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your dependencies. GitHub does this by analyzing your repository’s dependency graph and matching it against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system raises an alert automatically without waiting for a PR or manual action.

This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real-time detection.

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a “Report a vulnerability” button in the repository’sSecuritytab.

In aquery suite(a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.

Example:

- query: path/to/query.ql

qls is the file format.

qlpack is used for packaging queries, not in suite syntax.

To ensure you're notified whenever a vulnerability is detected via Dependabot, you mustenablealerts for Dependabotin your personal notification settings. This applies to both new and existing repositories. It ensures you get timely alerts about security vulnerabilities.

The dependency graph must be enabled for scanning, but does not send alerts itself.

Comprehensive and Detailed Explanation:

To receive Dependabot alert notifications for a repository, you can utilize the following Watch settings:

Custom setting: Allows you to tailor your notifications, enabling you to subscribe specifically to security alerts, including those from Dependabot.​

All Activity setting: Subscribes you to all notifications for the repository, encompassing issues, pull requests, and security alerts like those from Dependabot.​

The Participating and @mentions setting limits notifications to conversations you're directly involved in or mentioned, which may not include security alerts. The Ignore setting unsubscribes you from all notifications, including critical security alerts.​

GitHub Docs

+1

GitHub Docs

+1

Comprehensive and Detailed Explanation:

Before defining a custom pattern for secret scanning in a repository, you must enable secretscanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.​

Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.​

Ifautobuildfails (which attempts to automatically detect how to build your project), you shoulddisable itin your workflow andreplace it with explicit build commands, using steps like run: make or run: ./gradlew build.

This ensures CodeQL can still extract and analyze the code correctly.

Validity checks, also calledsecret validation, allow GitHub to check if a detected secret isstill active. If verified as live, the alert is marked as"valid", allowing security teams to prioritize the most critical leaks.

Push protectionblockssecrets but does not check their validity. Custom patterns are user-defined and do not include live checks.