50 GitHub Advanced Security Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the GitHub Advanced Security certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions: A comprehensive set of practice questions covering key exam topics
All Domains Covered: Questions distributed across all exam objectives and domains
Mixed Difficulty: Easy, medium, and hard questions to test all skill levels
Detailed Explanations: Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for GitHub Advanced Security
A repository has GitHub Advanced Security enabled. You want code scanning results to be visible as annotations directly in pull request diffs so reviewers can see issues before merging. What should you configure?
Your organization enables secret scanning push protection. A developer tries to push a commit containing a real cloud access key and the push is blocked. What is the recommended first action to remediate the situation securely?
A team wants pull requests to automatically propose version bumps when known vulnerable dependencies are detected. Which GitHub feature best fits this requirement?
You want to prevent merging pull requests unless all required status checks pass, including a CodeQL analysis workflow. Where should you enforce this policy?
A monorepo contains JavaScript, Python, and Go services. You want CodeQL to analyze only the code that changed in a pull request to reduce runtime while still providing PR feedback. What approach should you use?
A repository uses GitHub-hosted runners. You are concerned that CodeQL analysis could be influenced by untrusted pull requests from forks. What is the best practice to limit risk while still scanning code changes?
Your organization wants to ensure secret scanning alerts are automatically routed to a central security team and also create tickets in an external system for tracking. What is the most appropriate integration approach?
A repository has many false-positive secret scanning alerts caused by test tokens that look like real credentials. You still want protection for real secrets without weakening controls for everyone. What should you do?
An organization wants to enforce that every repository must have GitHub Advanced Security features enabled (code scanning, secret scanning, and dependency review) and prevent repository admins from turning them off. What is the best governance approach?
You run CodeQL analysis, but no results appear in the repository’s Code scanning alerts even though the workflow shows success. Which issue is the most likely cause?
You want to reduce false positives in CodeQL code scanning for a repository without disabling code scanning. Which approach is the most appropriate?
A repository is enabled for secret scanning. A developer accidentally commits a valid API key and pushes it to GitHub. What is the recommended immediate remediation sequence?
Your organization wants Dependabot pull requests to be automatically created for security updates across all repositories, but only after a successful CI run. Which approach best meets this requirement?
A team wants to run CodeQL analysis only on changes introduced in pull requests and avoid running on every push to feature branches. What should they configure?
Your organization wants to prevent contributors from pushing commits that contain secrets to protected branches. Which GitHub Advanced Security feature directly enforces this at push time?
A repository uses GitHub Actions and must upload code scanning results generated by a third-party analyzer. What is required for GitHub to display those results as code scanning alerts?
You need to ensure all repositories in an organization follow minimum security standards, including enabling code scanning and Dependabot alerts. What is the most scalable approach?
A Dependabot alert exists for a vulnerable library, but the repository uses a vendored copy of the library and not the package manager reference. Dependabot continues to report the vulnerability. What is the best next step?
Your security team wants to require that any dismissal of code scanning alerts includes a justification and is limited to a small group of reviewers. What configuration best satisfies this requirement?
A CodeQL workflow runs successfully, but no alerts appear even though you intentionally introduced a known vulnerable pattern. You suspect CodeQL is not analyzing the correct code. Which troubleshooting step is most likely to reveal the issue?
A repository uses GitHub secret scanning. Developers complain about frequent false positives from example tokens committed in documentation files under /docs. You still want real secrets in docs to be detected. What is the best approach?
You want Dependabot to open pull requests only for security updates and not for routine version bumps. What should you configure?
Your team wants to prevent merging code that introduces new CodeQL alerts on the default branch. Which GitHub feature should you use?
A repo has code scanning enabled with CodeQL. Pull request scans run, but no alerts ever appear, even when you intentionally introduce a vulnerable pattern. The workflow completes successfully. Which is the most likely cause?
Your organization wants to ensure all repositories inherit the same baseline GitHub Advanced Security settings (code scanning, secret scanning, and dependency review) and cannot be weakened by individual repo admins. What is the best solution?
A security team wants to automatically validate third-party action usage in workflows and block workflows that reference unapproved actions. Which approach best meets this requirement in GitHub?
Your repository uses dependency review in pull requests. A developer asks what it is primarily designed to do. What is the best description?
A team enables secret scanning push protection. Developers report that pushes are blocked even when committing a non-secret string that matches a token format used by a cloud provider. The string is required for unit tests. What is the best way to unblock while maintaining strong protection?
You run CodeQL analysis on a monorepo containing JavaScript and Python. Scans are slow and frequently time out. You want to reduce runtime while maintaining meaningful security signal. Which change is most effective?
Your organization wants to treat high-severity Dependabot alerts as a merge blocker, but only when the vulnerable package is actually reachable (used in runtime code paths) rather than merely present as an unused transitive dependency. Which approach best addresses this requirement using GitHub Advanced Security capabilities?
You want GitHub to block merges when code scanning finds new alerts introduced by a pull request, but you don't want existing alerts on the default branch to prevent merges. Which approach should you use?
A repository uses Dependabot security updates. Developers complain about too many PRs for minor updates, but security fixes must still be applied quickly. What is the best configuration change?
Your organization wants to prevent developers from pushing credentials (like cloud keys) to any repository. Which GitHub Advanced Security feature is designed to block the push at the time it occurs?
A security team wants a single place to view security risks (code scanning, secret scanning, and dependency alerts) across all repositories in an organization. Where should they look?
Your CodeQL workflow runs on pull requests and on a nightly schedule. Developers report that a PR sometimes shows 'no code scanning results' even though the workflow ran successfully. Which is the most likely cause?
A monorepo has multiple independent applications. You want Dependabot version updates to open PRs only for the Node.js app under /apps/web while leaving other parts of the repo unchanged. What should you do?
You need to ensure that security alerts (code scanning and Dependabot) are automatically assigned to the owning team and show up in their workflow. Which GitHub feature best supports this at scale?
A repository includes generated source files and vendor directories. Code scanning results contain many findings in these paths that developers don't want to triage. What is the best practice to reduce this noise?
Your organization wants to enforce secret scanning push protection across all repositories and prevent repository admins from turning it off. Which governance approach best achieves this?
A team uploads SARIF results from a third-party static analysis tool into GitHub code scanning. They notice alerts appear but are not grouped well and duplicates show up across runs. What should they do to improve alert tracking over time?
Your repository uses GitHub Advanced Security. You want code scanning to run automatically on every pull request that targets the default branch, using GitHub-hosted runners. Which configuration best meets this requirement?
A developer accidentally attempts to push a cloud access key to a protected repository. You want GitHub to block the push at the time of the push rather than only raising an alert afterward. What should you enable?
You want contributors to see dependency-related risks (added/removed packages and known vulnerabilities) directly in a pull request before merge. Which feature should you use?
A security team wants to standardize code scanning rules across dozens of repositories and manage them in a single repository. They want each application repo to "inherit" the same CodeQL configuration. What is the recommended approach?
After enabling CodeQL analysis, you notice alerts are not appearing for a repository that contains both JavaScript and Python. The workflow runs successfully, but it only analyzes JavaScript. Which change is most likely needed?
Your organization wants to prevent merges when new CodeQL alerts are introduced in a pull request, but they don't want existing legacy alerts to block. Which approach best accomplishes this?
A repository uses Dependabot version updates. Security wants to reduce risk from malicious dependency confusion by ensuring Dependabot prefers internal packages over public ones when names collide, where supported. What should you configure?
You need to roll out GitHub Advanced Security settings (code scanning, secret scanning, dependency review) consistently across all repositories in an organization and prevent repository admins from weakening them. What is the best governance mechanism?
Your organization wants to detect secrets that are unique to your company (for example, proprietary token formats) and receive alerts when they appear in code. Push protection is not required initially, but detection should be high-signal with minimal false positives. What should you implement?
A regulated enterprise requires that all code scanning results be produced from a hardened, centrally managed build environment with restricted network egress, not from GitHub-hosted runners. They also need the results uploaded to GitHub code scanning. What is the best architecture?
GitHub Advanced Security 50 Practice Questions FAQs
GitHub Advanced Security is a professional certification from Microsoft Azure that validates expertise in GitHub Advanced Security technologies and concepts. The official exam code is GH-ADVANCED-SECURITY.
Our 50 GitHub Advanced Security practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for GitHub Advanced Security preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 GitHub Advanced Security questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.