GitHub Advanced Security Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real GitHub Advanced Security exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for GitHub Advanced Security
Your organization runs GitHub Advanced Security across 200 repositories. After enabling CodeQL code scanning, you notice that alerts for a critical injection pattern appear only in pull requests but not on the default branch, even though the vulnerable code is merged. The workflow uses a matrix build and uploads SARIF from multiple jobs. What is the most likely root cause and best fix?
A monorepo contains 12 microservices in different languages. You want CodeQL analysis to run only for the microservices changed in a pull request to reduce CI time, but you must still maintain accurate alert history and avoid losing results for untouched parts of the repo. Which approach best satisfies these constraints?
Your team uses a custom build system and a self-hosted runner for a large C++ repository. CodeQL analysis completes but produces few results, and the logs show that the autobuild step skipped compilation. You need high-fidelity analysis without changing the build system. What should you do?
A repository enables secret scanning with push protection. Developers report that pushes are being blocked for strings that are not secrets (false positives), and they are bypassing protection using the allowed override flow too often. You need to reduce disruptions while keeping strong protection for real credentials. Which solution is best?
Your company uses ephemeral cloud credentials issued via OIDC in GitHub Actions and prohibits long-lived secrets. Secret scanning repeatedly flags the OIDC subject/audience claims and other non-sensitive JWT-like strings in test fixtures, creating noise. You cannot disable secret scanning or remove the fixtures. What is the most appropriate mitigation?
A security incident reveals that an exposed API key was pushed to a private repository, detected by secret scanning, and then rotated. However, the key was also present in an earlier commit on a long-lived feature branch that was later merged. You need to minimize recurrence and ensure that the organization reacts consistently in the future. What is the best end-to-end approach?
You use Dependabot for dependency updates and GitHub Advanced Security dependency review in pull requests. A critical vulnerability is disclosed in a transitive dependency. Developers merge a Dependabot PR that updates a direct dependency, but dependency review still shows the vulnerable transitive version being pulled in. What is the most likely explanation and best next step?
Your organization consumes a mix of public and internal packages. You want Dependabot to open PRs for security updates, but you must prevent it from leaking private registry metadata into public logs and you must ensure it can authenticate to multiple package ecosystems per repo. Which configuration approach best meets these requirements?
A repository receives a pull request from a fork. You require dependency review to block merges when a PR introduces a dependency with a known critical vulnerability. However, the check does not run on forked PRs due to permission restrictions. You still need a secure, least-privilege design. What should you implement?
A regulated enterprise wants consistent GitHub Advanced Security controls across all repositories: CodeQL must run on default branch and PRs, secret scanning with push protection must be enabled, and dependency review must be required for merges. Teams currently manage settings per repo and drift is common. What is the best governance design to enforce these controls while allowing limited team customization?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual GitHub Advanced Security exam!
GitHub Advanced Security Advanced Practice Exam FAQs
GitHub Advanced Security is a professional certification from Microsoft Azure that validates expertise in GitHub Advanced Security technologies and concepts. The official exam code is GH-ADVANCED-SECURITY.
The GitHub Advanced Security advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the GH-ADVANCED-SECURITY exam.
While not required, we recommend mastering the GitHub Advanced Security beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 700/1000 on the GitHub Advanced Security advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.