GitHub Advanced Security Practice Exam 2025: Latest Questions
Test your readiness for the GitHub Advanced Security certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated: Questions based on the latest exam objectives and content
25 Questions: A focused practice exam to test your readiness
Mixed Difficulty: Questions range from easy to advanced levels
Exam Simulation: Experience questions similar to the real exam
Practice Questions
25 practice questions for GitHub Advanced Security
A repository uses GitHub Advanced Security and you want every pull request to be checked for security issues before it can be merged. Which GitHub feature is the best way to enforce this requirement?
Your organization wants to detect leaked credentials in repositories and also prevent new secrets from being pushed. Which GitHub Advanced Security capability directly blocks a push when a secret is detected?
A repository has Dependabot alerts enabled. Developers want pull requests automatically created to upgrade dependencies when security fixes are available. Which feature should you enable?
Your organization wants consistent security settings across all new repositories (for example, enabling code scanning and secret scanning by default). What is the most appropriate place to manage these defaults at scale?
A CodeQL workflow is configured to run on pull_request events. A team reports that code scanning results are not showing on PRs coming from forks. What is the most likely cause?
You want to reduce false positives in code scanning by tailoring detections to your codebase. Which approach is most appropriate?
A secret was accidentally committed to a repository and later removed in a follow-up commit. Secret scanning continues to show an alert for the secret. What is the best next step to reduce risk?
Your organization wants to prevent introducing dependencies with known critical vulnerabilities into any repository. Which combination best supports this goal during development?
A repository uses CodeQL. A developer reports that a high-confidence alert is marked as 'fixed' in the UI, but they did not change the affected code. Which explanation is most plausible?
You manage a large GitHub organization and need to ensure code scanning cannot be disabled in critical repositories, even by repository admins, while still allowing security teams to adjust query configuration. Which approach best meets the requirement?
You want GitHub to automatically detect secrets committed to any branch in a repository and notify the security team without requiring custom patterns. Which feature should you enable?
A repository uses GitHub Actions to run CodeQL analysis. The workflow succeeds, but no code scanning alerts appear in the Security tab. What is the most likely cause?
You need to ensure contributors cannot merge a pull request if it introduces a known critical vulnerability in dependencies. Which approach best meets this requirement?
Your organization wants consistent security settings across hundreds of repositories, including code scanning, secret scanning, and Dependabot alerts. What is the recommended way to govern and roll out these settings at scale?
Secret scanning alerts are firing repeatedly for the same secret string in test fixtures and example files that are not used in production. You want to reduce noise while still detecting real secrets. What is the best action?
A team wants CodeQL analysis to run only on changes to the server code, not when documentation files change, to reduce CI time. Which workflow adjustment best achieves this?
Your organization requires that any secret scanning alert must be triaged within 7 days. You also need an auditable way to track compliance across repositories. Which approach is most appropriate?
A repository contains a generated lockfile that pins a vulnerable transitive dependency. Dependabot opens a pull request, but it cannot update the vulnerable package without also updating several other dependencies. What is the best interpretation of this behavior?
You maintain a shared GitHub Actions workflow that runs CodeQL for many repositories. A new repository adopts the workflow, but code scanning results never appear even though the workflow logs show analysis completed. The reusable workflow is stored in a central repository. What is the most likely missing requirement? (Assume permissions are tightly locked down.)
An organization enables push protection for secret scanning. A developer attempts to push a commit containing a detected secret and is blocked. The developer claims it is a false positive and needs an immediate override for a hotfix. What is the most secure and compliant action?
Your organization wants to prevent secrets from being committed to any repository, but only for specific patterns such as internal API keys that are not covered by GitHub’s default secret scanning patterns. Which approach best meets the requirement?
A repository uses GitHub Advanced Security, but developers report that Dependabot alerts are not being generated for a JavaScript project. The repository contains a package-lock.json file. Which is the most likely missing prerequisite?
You need to standardize security scanning across 200 repositories. The security team wants every repository to run the same CodeQL code scanning workflow, and they want changes to the workflow controlled centrally. Which solution is the best fit?
A team enabled CodeQL code scanning, but the workflow fails with errors indicating it cannot upload results due to insufficient permissions. The workflow uses the default GITHUB_TOKEN and runs on pull_request events. What is the most appropriate fix?
Your organization wants to prevent contributors from introducing a known vulnerable dependency version. They want PRs to be blocked unless the dependency update is addressed, and they want the rule to apply consistently across repositories. Which approach best satisfies this requirement?
GitHub Advanced Security 2025 Practice Exam FAQs
GitHub Advanced Security is a professional certification from Microsoft Azure that validates expertise in GitHub Advanced Security technologies and concepts. The official exam code is GH-ADVANCED-SECURITY.
The GitHub Advanced Security Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by Microsoft Azure.
Yes, all questions in our 2025 GitHub Advanced Security practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 GitHub Advanced Security exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.