– [Configure and Use Code Scanning]
After investigating a code scanning alert related to injection, you determine that the input is properly
sanitized using custom logic. What should be your next step?
D
Explanation:
When you identify that a code scanning alert is a false positive—such as when your code uses a
custom sanitization method not recognized by the analysis—you should dismiss the alert with the
reason "false positive." This action helps improve the accuracy of future analyses and maintains the
relevance of your security alerts.
As per GitHub's documentation:
"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a
sanitization library that isn't supported, consider contributing to the CodeQL repository and
improving the analysis."
By dismissing the alert appropriately, you ensure that your codebase's security alerts remain
actionable and relevant.
– [Configure and Use Dependency Management]
When does Dependabot alert you of a vulnerability in your software development process?
B
Explanation:
Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your
dependencies. GitHub does this by analyzing your repository’s dependency graph and matching it
against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system
raises an alert automatically without waiting for a PR or manual action.
This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real-
time detection.
Reference: GitHub Docs – About Dependabot alerts; Managing alerts in GitHub Dependabot
– [Configure and Use Dependency Management]
Which of the following is the most complete method for Dependabot to find vulnerabilities in third-
party dependencies?
C
Explanation:
Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your
repository. This graph includes both direct and transitive dependencies. It then compares this graph
against the GitHub Advisory Database, which includes curated, security-reviewed advisories.
This method provides a comprehensive and automated way to discover all known vulnerabilities
across your dependency tree.
Reference: GitHub Docs – About the dependency graph; About Dependabot alerts
– [Describe the GHAS Security Features and Functionality]
What is a security policy?
C
Explanation:
A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory.
This file informs contributors and security researchers about how to responsibly report
vulnerabilities. It improves your project’s transparency and ensures timely communication and
mitigation of any reported issues.
Adding this file also enables a “Report a vulnerability” button in the repository’s Security tab.
Reference: GitHub Docs – Adding a security policy to your repository
– [Configure GitHub Advanced Security Tools in GitHub Enterprise]
As a repository owner, you want to receive specific notifications, including security alerts, for an
individual repository. Which repository notification setting should you use?
D
Explanation:
Using the Custom setting allows you to subscribe to specific event types, such as Dependabot alerts
or vulnerability notifications, without being overwhelmed by all repository activity. This is essential
for repository maintainers who need fine-grained control over what kinds of events trigger
notifications.
This setting is configurable per repository and allows users to stay aware of critical issues while
minimizing notification noise.
Reference: GitHub Docs – Configuring notifications; Managing security alerts
– [Configure GitHub Advanced Security Tools in GitHub Enterprise]
Which of the following Watch settings could you use to get Dependabot alert notifications? (Each
answer presents part of the solution. Choose two.)
A, C
Explanation:
Comprehensive and Detailed Explanation:
To receive Dependabot alert notifications for a repository, you can utilize the following Watch
settings:
Custom setting: Allows you to tailor your notifications, enabling you to subscribe specifically to
security alerts, including those from Dependabot.
All Activity setting: Subscribes you to all notifications for the repository, encompassing issues, pull
requests, and security alerts like those from Dependabot.
The Participating and @mentions setting limits notifications to conversations you're directly involved
in or mentioned, which may not include security alerts. The Ignore setting unsubscribes you from all
notifications, including critical security alerts.
GitHub Docs
GitHub Docs
Reference: GitHub Docs – Configuring notifications; Managing security alerts
– [Configure and Use Dependency Management]
Which Dependabot configuration fields are required? (Each answer presents part of the solution.
Choose three.)
A, B, D
Explanation:
Comprehensive and Detailed Explanation:
When configuring Dependabot via the dependabot.yml file, the following fields are mandatory for
each update configuration:
directory: Specifies the location of the package manifest within the repository. This tells Dependabot
where to look for dependency files.
package-ecosystem: Indicates the type of package manager (e.g., npm, pip, maven) used in the
specified directory.
schedule.interval: Defines how frequently Dependabot checks for updates (e.g., daily, weekly). This
ensures regular scanning for outdated or vulnerable dependencies.
The milestone field is optional and used for associating pull requests with milestones. The allow field
is also optional and used to specify which dependencies to update.
GitLab
Reference: GitHub Docs – Configuration options for dependency updates
– [Configure and Use Code Scanning]
What is required to trigger code scanning on a specified branch?
D
Explanation:
Comprehensive and Detailed Explanation:
For code scanning to be triggered on a specific branch, the branch must contain the appropriate
workflow file, typically located in the .github/workflows directory. This YAML file defines the code
scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).
Without the workflow file in the branch, GitHub Actions will not execute the code scanning process
for that branch. The repository's visibility (private or public), the status of secret scanning, or the
activity level of developers do not directly influence the triggering of code scanning.
Reference: GitHub Docs – About workflows; About code scanning alerts
– [Describe GitHub Advanced Security Best Practices]
As a contributor, you discovered a vulnerability in a repository. Where should you look for the
instructions on how to report the vulnerability?
D
Explanation:
The correct place to look is the SECURITY.md file. This file provides contributors and security
researchers with instructions on how to responsibly report vulnerabilities. It may include contact
methods, preferred communication channels (e.g., security team email), and disclosure guidelines.
This file is considered a GitHub best practice and, when present, activates a “Report a vulnerability”
button in the repository’s Security tab.
Reference: GitHub Docs – Adding a security policy to your repository
– [Configure and Use Dependency Management]
Assuming there is no custom Dependabot behavior configured, where possible, what does
Dependabot do after sending an alert about a vulnerable dependency in a repository?
A
Explanation:
After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create
a pull request to upgrade that dependency to the minimum required secure version—if a fix is
available and compatible with your project.
This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can
also configure update behaviors using dependabot.yml, but in the default state, PR creation is
automatic.
Reference: GitHub Docs – About Dependabot alerts; About Dependabot security updates
– [Configure and Use Secret Scanning]
What is the first step you should take to fix an alert in secret scanning?
C
Explanation:
The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This
ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to
remove it from the code history and apply other mitigation steps.
Simply deleting the secret from the code does not remove the risk if it hasn’t been revoked —
especially since it may already be exposed in commit history.
Reference: GitHub Docs – About secret scanning alerts; Remediating a secret scanning alert
– [Configure and Use Dependency Management]
A dependency has a known vulnerability. What does the warning message include?
D
Explanation:
When a vulnerability is detected, GitHub shows a warning that includes a brief description of the
vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue,
severity level, and potential impact. The message also links to additional advisory data from the
GitHub Advisory Database.
This helps developers understand the context and urgency of the vulnerability before applying the
fix.
Reference: GitHub Docs – About Dependabot alerts; Reviewing and managing alerts
– [Configure and Use Dependency Management]
Assuming that notification and alert recipients are not customized, what does GitHub do when it
identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each
answer presents part of the solution. Choose two.)
A, B
Explanation:
Comprehensive and Detailed Explanation:
When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it
performs the following actions:
Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing
details about the vulnerability and affected dependency.
Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin
permissions about new Dependabot alerts.
GitHub Docs
These actions ensure that responsible parties are informed promptly to address the vulnerability.
Reference: GitHub Docs – About Dependabot alerts; Configuring notifications for Dependabot alerts
– [Configure and Use Secret Scanning]
What do you need to do before you can define a custom pattern for a repository?
C
Explanation:
Comprehensive and Detailed Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning
for that repository. Secret scanning must be active to utilize custom patterns, which allow you to
define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of
sensitive information tailored to your needs.
Reference: GitHub Docs – Managing alerts from secret scanning
– [Configure and Use Dependency Management]
Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull
request created via Dependabot security updates?
B
Explanation:
Comprehensive and Detailed Explanation:
By default, users with write access to a repository have the ability to merge pull requests, including
those created by Dependabot for security updates. This access level allows contributors to manage
and integrate changes, ensuring that vulnerabilities are addressed promptly.
Users with only read access cannot merge pull requests, and enterprise administrators do not
automatically have merge rights unless they have write or higher permissions on the specific
repository.
Reference: GitHub Docs – About Dependabot security updates; Configuring Dependabot security
updates