Share via


Study guide for GH-500: GitHub Advanced Security

Exam Design

Audience Profile

This exam is designed for system administrators, software developers, application administrators, and IT professionals with intermediate-level experience in GitHub Enterprise Administration.

Skills Measured

NOTE: The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.

NOTE: Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Domain 1: Describe the GHAS security features and functionality (15%)

Contrast GHAS features and their role in the security ecosystem

  • Differentiate the security features that come automatically for open source projects, and what features are available when GHAS is paired with GHEC or GHES

  • Describe the features and benefits of Security Overview

  • Describe the differences between secret scanning and code scanning

  • Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle

  • Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle

Explain and use specific GHAS features

  • Describe how vulnerable dependencies are identified (by looking at the manifest files and comparing with databases of known vulnerabilities)

  • Choose how to act on alerts from GHAS

  • Explain the implications of ignoring an alert

  • Explain the role of a developer when they discover a security alert

  • Describe the differences in access management to view alerts for different security features

  • Identify where to use Dependabot alerts in the software development lifecycle

Domain 2: Configure and use secret scanning (15%)

Configure and use Secret Scanning

  • Describe secret scanning

  • Describe push protection

  • Describe validity checks

  • Contrast secret scanning availability for public and private repositories

  • Enable secret scanning for private repositories

  • Pick an appropriate response to a secret scanning alert

  • Determine if an alert is generated for a given secret, pattern, or service provider

  • Determine if a given user role will see secret scanning alerts and how they will be notified

Customize default secret scanning behavior

  • Configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins)

  • Exclude certain files from being scanned for secrets

  • Enable custom secret scanning for a repository

Domain 3: Configure and use Dependabot and Dependency Review (35%)

Describe tools for managing vulnerabilities in dependencies

  • Define the dependency graph

  • Describe how the dependency graph is generated

  • Describe what a Software Bill of Materials (SBOM) is, and the SBOM format used by GitHub

  • Define a dependency vulnerability

  • Describe Dependabot alerts

  • Describe Dependabot security updates

  • Describe Dependency Review

  • Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the GitHub Advisory Database)

  • Describe the difference between Dependabot and Dependency Review

Enable and configure tools for managing vulnerable dependencies

  • Identify the default settings for Dependabot alerts in public and private repositories

  • Identify the permissions and roles required to enable Dependabot alerts

  • Identify the permissions and roles required to view Dependabot alerts

  • Enable Dependabot alerts for private repositories

  • Enable Dependabot alerts for organizations

  • Create a valid Dependabot configuration file to group security updates

  • Create a Dependabot Rule to auto-dismiss low severity alerts until a patch is available

  • Create a Dependency Review GitHub Actions workflow

  • Configure license checks and custom severity thresholds in a Dependency Review workflow

  • Configure notifications for vulnerable dependencies

Identify and remediate vulnerable dependencies

  • Identify a vulnerable dependency from a Dependabot alert

  • Identify vulnerable dependencies from a pull request

  • Enable Dependabot security updates

  • Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)

  • Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the dependency)

  • Take action on any Dependabot alerts by testing and merging pull requests

Domain 4: Configure and use Code Scanning with CodeQL (25%)

Use code scanning with third-party tools

  • Enable code scanning for use with a third-party analysis

  • Contrast the steps for using CodeQL versus third party analysis when enabling code scanning

  • Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool

  • Upload 3rd party SARIF results via the SARIF endpoint

Describe and enable code scanning

  • Describe how code scanning fits in the software development life cycle

  • Contrast the frequency of code scanning workflows (scheduled versus triggered by events)

  • Choose a triggering event for a given development pattern (for example, in a pull request and for specific files)

  • Edit the default template for Actions workflow to fit an active, open source, production repository

  • Describe how to view code scanning results from CodeQL analysis

  • Troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow

  • Follow the data flow through code using the show paths experience

  • Explain the reason for a code scanning alert given documentation linked from the alert

  • Determine if and why a code scanning alert needs to be dismissed

  • Describe potential shortfalls in CodeQL via model of compilation and language support

  • Explain the purpose of defining a SARIF category

Domain 5: Describe GitHub Advanced Security best practices, results, and how to take corrective measures (10%)

GitHub Advanced Security results & best practices

  • Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub Advanced Security alert and list potential remediation

  • Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a decision based on data)

  • Describe the default CodeQL query suites

  • Describe how CodeQL analyzes code and produces results, including differences between compiled and interpreted language

  • Determine the roles and responsibilities of development and security teams on a software development workflow

  • Describe how the severity threshold for code scanning pull request status checks can be changed

  • Explain how filters and sorting can be used to prioritize secret scanning remediation (validity:active)

  • Explain how CodeQL & Dependency Review workflows can be enforced with Repository Rulesets

  • Describe how code scanning can be configured to identify and remediate vulnerabilities earlier (scanning upon pull request)

  • Describe how secret scanning can be configured to identify and remediate vulnerabilities earlier (enabling push protection)

  • Describe how dependency analysis can be configured to identify and remediate vulnerabilities earlier (enable dependency review to scan upon pull request)