
Latest [Feb 19, 2026] 100% Passing Guarantee - Brilliant GitHub-Advanced-Security Exam Questions PDF
GitHub-Advanced-Security Certification – Valid Exam Dumps Questions Study Guide! (Updated 77 Questions)
NEW QUESTION # 20
If notification and alert recipients are not customized, which users receive notifications about new Dependabot alerts in an affected repository?
- A. Users with Write permissions to the repository
- B. Users with Read permissions to the repository
- C. Users with Maintain privileges to the repository
- D. Users with Admin privileges to the repository
Answer: A
Explanation:
By default, users with Write, Maintain, or Admin permissions will receive notifications for new Dependabot alerts. However, Write permission is the minimum level needed to be automatically notified.
Users with only Read access do not receive alerts unless added explicitly.
NEW QUESTION # 21
Who can fix a code scanning alert on a private repository?
- A. Users who have the Triage role within the repository
- B. Users who have Write access to the repository
- C. Users who have the security manager role within the repository
- D. Users who have Read permissions within the repository
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.
Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.
NEW QUESTION # 22
In the pull request, how can developers avoid adding new dependencies with known vulnerabilities?
- A. Enable Dependabot alerts.
- B. Add a workflow with the dependency review action.
- C. Add Dependabot rules.
- D. Enable Dependabot security updates.
Answer: B
Explanation:
To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.
This is a preventative measure during development, unlike Dependabot, which reacts after the fact.
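As an added example (not from the original page or from GitHub's own docs), a minimal GitHub Actions workflow that runs the Dependency Review action on every pull request; the severity threshold is an illustrative choice:

```yaml
# Added example: runs actions/dependency-review-action on each pull request.
# The action diffs the dependency manifests between the base and head of the PR
# and fails the check when an added or updated package has a known advisory.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read   # reading manifest and lock files needs no write access

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Illustrative threshold: fail the PR check for advisories rated
          # moderate or higher; lower-severity findings are still listed.
          fail-on-severity: moderate
```

Because the check runs before merge, the vulnerable package never reaches the default branch, which is the preventative behaviour the question contrasts with Dependabot alerts.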
NEW QUESTION # 23
A dependency has a known vulnerability. What does the warning message include?
- A. A brief description of the vulnerability
- B. The security impact of these changes
- C. How many projects use these components
- D. An easily understandable visualization of dependency change
Answer: A
Explanation:
When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.
This helps developers understand the context and urgency of the vulnerability before applying the fix.
NEW QUESTION # 24
In a private repository, what minimum requirements does GitHub need to generate a dependency graph? (Each answer presents part of the solution. Choose two.)
- A. Dependency graph enabled at the organization level for all new private repositories
- B. Write access to the dependency manifest and lock files for an enterprise
- C. Read-only access to the dependency manifest and lock files for a repository
- D. Read-only access to all the repository's files
Answer: A,C
Explanation:
To generate a dependency graph for a private repository, GitHub requires:
Dependency graph enabled: The repository must have the dependency graph feature enabled. This can be configured at the organization level to apply to all new private repositories.
Access to manifest and lock files: GitHub needs read-only access to the repository's dependency manifest and lock files (e.g., package.json, requirements.txt) to identify and map dependencies.
NEW QUESTION # 25
Which of the following options would close a Dependabot alert?
- A. Viewing the dependency graph
- B. Viewing the Dependabot alert on the Dependabot alerts tab of your repository
- C. Leaving the repository in its current state
- D. Creating a pull request to resolve the vulnerability that will be approved and merged
Answer: D
Explanation:
A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code, specifically after you merge a pull request that updates the vulnerable dependency.
Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.
NEW QUESTION # 26
Which of the following benefits do code scanning, secret scanning, and dependency review provide?
- A. Automatically raise pull requests, which reduces your exposure to older versions of dependencies
- B. View alerts about dependencies that are known to contain security vulnerabilities
- C. Search for potential security vulnerabilities, detect secrets, and show the full impact of changes to dependencies
- D. Confidentially report security vulnerabilities and privately discuss and fix security vulnerabilities in your repository's code
Answer: C
Explanation:
These three features provide a complete layer of defense:
* Code scanning identifies security flaws in your source code
* Secret scanning detects exposed credentials
* Dependency review shows the impact of package changes during a pull request
Together, they give developers actionable insight into risk and coverage throughout the SDLC.
NEW QUESTION # 27
Which patterns are secret scanning validity checks available to?
- A. Push protection patterns
- B. Custom patterns
- C. Partner patterns
- D. High entropy strings
Answer: C
Explanation:
Validity checks, where GitHub verifies if a secret is still active, are available for partner patterns only.
These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.
Custom patterns and high entropy patterns do not support automated validity checks.
NEW QUESTION # 28
What is a prerequisite to define a custom pattern for a repository?
- A. Change the repository visibility to Internal
- B. Specify additional match criteria
- C. Enable secret scanning
- D. Close other secret scanning alerts
Answer: C
Explanation:
You must enable secret scanning before defining custom patterns. Secret scanning provides the foundational capability for detecting exposed credentials, and custom patterns build upon that by allowing organizations to specify their own regex-based patterns for secrets unique to their environment.
Without enabling secret scanning, GitHub will not process or apply custom patterns.
NEW QUESTION # 29
Which syntax in a query suite tells CodeQL to look for one or more specified .ql files?
- A. qlpack
- B. query
- C. qls
Answer: B
Explanation:
In a query suite (a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.
Example:
```yaml
- query: path/to/query.ql
```
* qls is the file format.
* qlpack is used for packaging queries, not in suite syntax.
NEW QUESTION # 30
What do you need to do before you can define a custom pattern for a repository?
- A. Add a secret scanning custom pattern.
- B. Provide a regular expression for the format of your secret pattern.
- C. Enable secret scanning on the repository.
- D. Provide match requirements for the secret format.
Answer: C
Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.
NEW QUESTION # 31
Where can you use CodeQL analysis for code scanning? (Each answer presents part of the solution. Choose two.)
- A. In a workflow
- B. In an external continuous integration (CI) system
- C. In the Files changed tab of the pull request
- D. In a third-party Git repository
Answer: A,B
Explanation:
* In a workflow: GitHub Actions workflows are the most common place for CodeQL code scanning.
The codeql-analysis.yml defines how the analysis runs and when it triggers.
* In an external CI system: GitHub allows you to run CodeQL analysis outside of GitHub Actions.
Once complete, the results can be uploaded using the upload-sarif action to make alerts visible in the repository.
You cannot run or trigger analysis from third-party repositories directly, and the Files changed tab in pull requests only shows the diff, not analysis results.
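As an added example (not from the original page or from GitHub's starter templates), a minimal codeql-analysis.yml showing the trigger events and the init/analyze steps the explanation refers to; the language list is a constructed choice:

```yaml
# Added example: a minimal CodeQL code scanning workflow.
# Results are uploaded to the repository's code scanning alerts by the
# analyze step, which is why security-events: write is required.
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ javascript ]   # constructed; list the repository's languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
```

When the analysis runs in an external CI system instead, the CodeQL CLI produces a SARIF file and the github/codeql-action/upload-sarif step sends it to the same alerts tab.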
NEW QUESTION # 32
Which of the following tasks can be performed by a security team as a proactive measure to help address secret scanning alerts? (Each answer presents a complete solution. Choose two.)
- A. Configure a webhook to monitor for secret scanning alert events.
- B. Enable system for cross-domain identity management (SCIM) provisioning for the enterprise.
- C. Dismiss alerts that are older than 90 days.
- D. Document alternatives to storing secrets in the source code.
Answer: A,D
Explanation:
To proactively address secret scanning:
* Webhooks can be configured to listen for secret scanning events. This allows automation, logging, or alerting in real time when secrets are detected.
* Documenting secure development practices (like using environment variables or secret managers) helps reduce the likelihood of developers committing secrets in the first place.
Dismissal based on age is not a best practice without triage. SCIM deals with user provisioning, not scanning alerts.
NEW QUESTION # 33
Assuming security and analysis features are not configured at the repository, organization, or enterprise level, secret scanning is enabled on:
- A. Private repositories
- B. Public repositories
- C. User-owned private repositories
- D. All new repositories within your organization
Answer: B
Explanation:
By default, secret scanning is enabled automatically for all public repositories. For private or internal repositories, secret scanning must be enabled manually unless configured at the organization or enterprise level.
This default behavior helps protect open-source projects without requiring additional configuration.
NEW QUESTION # 34
Assuming there is no custom Dependabot behavior configured, where possible, what does Dependabot do after sending an alert about a vulnerable dependency in a repository?
- A. Creates a pull request to upgrade the vulnerable dependency to the minimum possible secure version
- B. Scans any push to all branches and generates an alert for each vulnerable repository
- C. Scans repositories for vulnerable dependencies on a schedule and adds those files to a manifest
- D. Constructs a graph of all the repository's dependencies and public dependents for the default branch
Answer: A
Explanation:
After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to the minimum required secure version, if a fix is available and compatible with your project.
This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.
NEW QUESTION # 35
A repository's dependency graph includes:
- A. Annotated code scanning alerts from your repository's dependencies.
- B. A summary of the dependencies used in your organization's repositories.
- C. Dependencies from all your repositories.
- D. Dependencies parsed from a repository's manifest and lock files.
Answer: D
Explanation:
The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.
It is specific to each repository and does not show org-wide or cross-repo summaries.
NEW QUESTION # 36
What kind of repository permissions do you need to request a Common Vulnerabilities and Exposures (CVE) identification number for a security advisory?
- A. Admin
- B. Maintain
- C. Triage
- D. Write
Answer: A
Explanation:
Requesting a CVE ID for a security advisory in a GitHub repository requires Admin permissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.
NEW QUESTION # 37
Which of the following information can be found in a repository's Security tab?
- A. Number of alerts per GHAS feature
- B. Two-factor authentication (2FA) options
- C. GHAS settings
- D. Access management
Answer: A
Explanation:
The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:
* Number of alerts related to:
  * Code scanning
  * Secret scanning
  * Dependency (Dependabot) alerts
* Summary and visibility into open, closed, and dismissed security issues.
It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.
NEW QUESTION # 38
Where can you view code scanning results from CodeQL analysis?
- A. The repository's code scanning alerts
- B. A CodeQL query pack
- C. At Security advisories
- D. A CodeQL database
Answer: A
Explanation:
All results from CodeQL analysis appear under the repository's code scanning alerts tab. This section is part of the Security tab and provides a list of all current, fixed, and dismissed alerts found by CodeQL.
A CodeQL database is used internally during scanning but does not display results. Query packs contain rules, not results. Security advisories are for published vulnerabilities, not per-repo findings.
NEW QUESTION # 39
Which of the following formats are used to describe a Dependabot alert? (Each answer presents a complete solution. Choose two.)
- A. Common Weakness Enumeration (CWE)
- B. Vulnerability Exploitability exchange (VEX)
- C. Common Vulnerabilities and Exposures (CVE)
- D. Exploit Prediction Scoring System (EPSS)
Answer: A,C
Explanation:
Dependabot alerts utilize standardized identifiers to describe vulnerabilities:
* CVE (Common Vulnerabilities and Exposures): A widely recognized identifier for publicly known cybersecurity vulnerabilities.
* CWE (Common Weakness Enumeration): A category system for software weaknesses and vulnerabilities.
These identifiers help developers understand the nature of the vulnerabilities and facilitate the search for more information or remediation strategies.
NEW QUESTION # 40
What is required to trigger code scanning on a specified branch?
- A. The workflow file must exist in that branch.
- B. Developers must actively maintain the repository.
- C. Secret scanning must be enabled on the repository.
- D. The repository must be private.
Answer: A
Explanation:
For code scanning to be triggered on a specific branch, the branch must contain the appropriate workflow file, typically located in the .github/workflows directory. This YAML file defines the code scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).
Without the workflow file in the branch, GitHub Actions will not execute the code scanning process for that branch. The repository's visibility (private or public), the status of secret scanning, or the activity level of developers do not directly influence the triggering of code scanning.
NEW QUESTION # 41
As a contributor, you discovered a vulnerability in a repository. Where should you look for the instructions on how to report the vulnerability?
- A. support.md
- B. readme.md
- C. security.md
- D. contributing.md
Answer: C
Explanation:
The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.
This file is considered a GitHub best practice and, when present, activates a "Report a vulnerability" button in the repository's Security tab.
NEW QUESTION # 42
Which details do you have to provide to create a custom pattern for secret scanning? (Each answer presents part of the solution. Choose two.)
- A. A list of repositories to scan
- B. The secret format
- C. The name of the pattern
- D. Additional match requirements for the secret format
Answer: B,C
Explanation:
When defining a custom pattern for secret scanning, two key fields are required:
* Name of the pattern: A unique label to identify the pattern
* Secret format: A regular expression that defines what the secret looks like (e.g., token format)
You can optionally specify additional match requirements (like required context keywords), but they're not mandatory. Listing repositories is also not part of the required fields during pattern creation.
