GitHub Advanced Security Intermediate Practice Exam: Medium Difficulty 2025

Your organization uses GitHub Enterprise and wants to ensure CodeQL code scanning runs on every pull request. Developers complain that scans sometimes don’t run when they change only documentation or non-code files, but security wants consistent coverage for any change that could affect build or runtime behavior. Which approach best meets the requirement while keeping runs relevant and consistent?

A repository uses GitHub Actions to build a container image. Code scanning findings include alerts in generated code and vendor directories that the team does not maintain, causing developers to ignore alerts. You want to reduce noise while preserving meaningful security signal. What is the best approach?

Security engineers want to ensure that any new CodeQL alert introduced by a pull request must be resolved before merge, but existing backlog alerts on the default branch should not block day-to-day work. Which configuration best achieves this goal?

A team uses GitHub Advanced Security and wants to enable code scanning for a monorepo containing JavaScript and Python. They want a single workflow that analyzes both languages and uploads results correctly. What is the most appropriate solution?

A developer accidentally commits a cloud provider access key to a private repository. Secret scanning detects the leak, and the security team wants to minimize impact and prevent recurrence. Which action plan is most appropriate?

Your organization uses secret scanning push protection. Developers report frequent blocks due to test tokens that are intentionally committed for local development and are not valid production credentials. Security still wants protection for real secrets without allowing broad bypasses. What should you do?

A repository relies on several open-source libraries. Security wants automated vulnerability awareness and rapid remediation proposals, but also wants to avoid disruptive updates for breaking changes. Which setup best meets the requirement?

A team uses GitHub Actions and wants to reduce supply-chain risk from dependencies and third-party actions. They already use Dependabot. Which additional measure provides the most direct control to prevent unreviewed or untrusted components from being introduced?

Your organization wants consistent security posture across hundreds of repositories: code scanning enabled, secret scanning with push protection enabled, and Dependabot alerts enabled. They also want to prevent repository admins from silently disabling these controls. What should you implement?

A regulated team needs to demonstrate that critical security findings are tracked and remediated within defined SLAs. They want a workflow that ties GitHub security alerts to remediation tasks and provides visibility for auditors. What is the best approach?