
Master GitHub-Advanced-Security Exam with Reliable Practice Questions

Last exam update: Apr 21,2025
Question 1

-- [Configure and Use Code Scanning]

What is required to trigger code scanning on a specified branch?


Correct : D

Comprehensive and Detailed Explanation:

Code scanning with advanced setup runs as a GitHub Actions workflow, so the branch you want scanned must itself contain the workflow file, typically `.github/workflows/codeql.yml`. That YAML file defines the analysis (languages, query suites, build steps) and the `on:` events that trigger it (for example `push`, `pull_request`, `schedule`), and GitHub reads it from the commit being built.

If the workflow file exists only on another branch, pushes to and pull requests against this branch will not start a scan; scheduled runs always use the workflow file on the default branch. The repository's visibility (public or private), whether secret scanning is enabled, and how active the developers are have no bearing on whether a scan is triggered. (Default setup, which GitHub manages, needs no workflow file; the question assumes the workflow-based advanced setup.)


Question 2

-- [Configure and Use Secret Scanning]

Assuming security and analysis features are not configured at the repository, organization, or enterprise level, secret scanning is enabled on:


Correct : A

By default, secret scanning runs automatically on all public repositories: GitHub checks every push for partner patterns and notifies the issuing provider, and this partner scanning cannot be turned off. For private and internal repositories, secret scanning is a GitHub Advanced Security feature that must be enabled manually at the repository level, unless an organization or enterprise policy enables it.

This default protects open-source projects without any configuration on the maintainer's part.


Question 3

-- [Configure and Use Dependency Management]

Assuming that notification settings and Dependabot alert recipients have not been customized, which user account setting should you use to get an alert when a vulnerability is detected in one of your repositories?


Correct : C

To be notified whenever Dependabot finds a vulnerable dependency, enable Dependabot alerts in your personal notification settings (Settings > Notifications, under Subscriptions), choosing the delivery channels you want (email, web and mobile, or CLI). With no customization, this applies to every repository you have access to, for new and existing alerts alike, so you receive timely notice of security vulnerabilities.

The dependency graph must be enabled for Dependabot to know what to scan, but enabling it does not by itself send alerts to anyone.


Question 4

-- [Configure and Use Secret Scanning]

What YAML syntax do you use to exclude certain files from secret scanning?


Correct : B

To exclude specific files or directories from secret scanning, add a `secret_scanning.yml` file to the repository's `.github` directory and list the paths to skip under the `paths-ignore:` key. This is a repository configuration file read by secret scanning itself; it is not a GitHub Actions workflow, and secret scanning does not run through Actions.

Entries are glob patterns. Excluded paths are useful for test fixtures, recorded API responses and mock data that contain dummy credentials. Keep in mind that the exclusion only suppresses alerts for users; it does not make a real credential in that path any less valid, so it should never be used to silence a finding in live code. The file is also subject to size limits (GitHub documents a cap of 1,000 `paths-ignore` entries and ignores the whole file if it exceeds 1 MB).

The other options are invalid:

branches-ignore: is a GitHub Actions trigger filter that excludes branches from a workflow run, not files from secret scanning.

decrypt_secret.sh is a shell script filename (it appears in GitHub's documentation on handling large encrypted secrets), not a YAML key.

secret scanning.yml, with a space, is not a recognized filename; the configuration file is `.github/secret_scanning.yml`.
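A concrete `.github/secret_scanning.yml` for the case described above, added here as an example rather than taken from the page or from GitHub's documentation. The directory names and patterns are assumptions chosen to show the typical use: fixture and mock data that deliberately contain fake tokens.

```yaml
# .github/secret_scanning.yml  (added example; the paths below are assumed)
#
# Every path matched here is skipped by secret scanning alerts for users.
# Keep the list to synthetic data only: a real credential in an excluded
# path still works for an attacker, it just stops being reported.
paths-ignore:
  - "tests/fixtures/**"          # recorded API responses containing dummy tokens
  - "tests/**/*.mock.json"       # generated mock payloads used by unit tests
  - "docs/examples/*.env"        # sample .env files shipped with the documentation
  - "vendor/thirdparty/testdata/**"   # upstream test vectors vendored into the repo
```

Commit the file to the repository and check the Security tab afterwards: new pushes to the listed paths should no longer raise user alerts, while pushes elsewhere in the tree are still scanned. If a pattern does not seem to take effect, confirm the file lives at `.github/secret_scanning.yml` (underscore, not a space) and that the key is exactly `paths-ignore`.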


Question 5

-- [Describe GHAS Security Features and Functionality]

Which alerts do you see in the repository's Security tab? (Each answer presents part of the solution. Choose three.)


Correct : B, C, E

In a repository's Security tab, you can view three kinds of alerts:

Secret scanning alerts: credentials or tokens committed to the repository

Dependabot alerts: dependencies with known vulnerabilities listed in the GitHub Advisory Database

Code scanning alerts: vulnerabilities and coding errors found by static analysis (for example CodeQL or a third-party tool uploading SARIF)

There is no such category as a general 'security status alert', and permission or access-related events are not surfaced in the Security tab (they appear in the audit log).

