GitHub Advanced Security Questions

GitHub Advanced Security

  1. What is CodeQL?
  2. What does `shifting left` mean in the context of Security?
  3. What are Repository Security Advisories?
  4. Which tool helps you keep the repository dependencies up to date?
  5. Which of the following is a curated list of security vulnerabilities found in open source projects?
  6. Which of these GitHub security features are available for FREE for both public and private personal repositories? (Choose four.)
  7. Which of these best describes secret scanning?
  8. Which parts of the repository are scanned by secret scanning? (Choose two.)
  9. What's the purpose of the Secret scanning partner program?
  10. Public repositories owned by personal users as well as public repositories owned by organizations can use secret scanning for free.
  11. How can you prevent commits containing cloud provider credentials from being pushed to GitHub?
  12. Which of these is true about the GitHub secret scanning partner program? (Choose three.)
  13. How can you exclude certain directories or files from secret scanning?
  14. You have included some fake secrets in your test code and they have been picked up by GitHub's secret scanning. What can you do to tell GitHub that these are fake secrets used in tests and can be ignored by secret scanning? (Choose two.)
  15. You have accidentally committed your GitHub personal access token to a public repository. What actions should you take to prevent your account from being compromised?
  16. What is the behavior when a new secret pattern is added or updated in the GitHub secret scanning partner program?
  17. Who will be notified when a NEW secret is pushed and detected in a repository? (Choose four.)
  18. When GitHub runs a scan of all historical code in enterprise repositories what is the notification behavior? (Select two.)
  19. Does GitHub use the same set of secret scanning patterns for both user alerts and push protection alerts?
  20. What are the three different sets of secret scanning patterns that GitHub maintains? (Select three.)
  21. Multiple public repositories that you are contributing to do not have secret scanning push protection option enabled. What can you do to protect yourself from accidentally pushing secrets to these repositories?
  22. Your company has internal secrets that should not be pushed to GitHub repositories. The pattern of these secrets is not known by GitHub and therefore is not detected by secret scanning. What can companies do to protect their developers from accidentally pushing these secrets to repositories in their GitHub Organization?
  23. What information do Dependabot alerts provide?
  24. What is the GitHub dependency graph?
  25. Is GitHub dependency graph available for free to all repositories?
  26. How does GitHub Dependency graph know what dependencies your project is using? (Choose two.)
  27. When will the GitHub Dependency graph for your repository be updated? (Choose two.)
  28. In what format can you export the GitHub Dependency graph of your repository?
  29. Can your repository use Dependency Graph without using Dependabot Alerts?
  30. Which feature is a pre-requisite for using Dependabot Alerts on a repository?
  31. Which of these statements about Dependabot Alerts are true? (Choose three.)
  32. What are the primary benefits of the Security Overview feature in GitHub?
  33. What is CodeQL?
  34. What do Dependabot alerts indicate in GitHub?
  35. What is the purpose of code scanning in GitHub?
  36. Is secret scanning available for both public and private repositories on GitHub?
  37. What does the default CodeQL analysis setup in GitHub do?
  38. What is the main purpose of using the CodeQL CLI?
  39. Which of the following languages is NOT supported by CodeQL for code scanning?
  40. How does CodeQL analyze code in GitHub?
  41. How can CodeQL be used in an external CI system together with GitHub repositories?
  42. Which of these statements isn't true about secret scanning on GitHub?
  43. Which top-level keys are required in the `dependabot.yml` file?
  44. Which GitHub Action can be used to upload a third-party SARIF file?
  45. Which tool can be used in a third-party CI system to upload code analysis results to GitHub?
  46. What is required for a CI server to upload SARIF results to GitHub?
  47. What happens when a second SARIF results file is uploaded to GitHub for a single commit?
  48. How can users exclude specific directories from secret scanning alerts on GitHub?
  49. Which key should be used in a `secret_scanning.yml` file to exclude directories from secret scanning alerts in GitHub?
  50. What is the maximum number of custom patterns that can be defined for secret scanning on GitHub?
  51. Fill in the blank: `GitHub __________ is a feature that you can use to analyze code in a GitHub repository to find security vulnerabilities and coding errors.`
  52. Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code?
  53. How can you enable code scanning for a repository?
  54. How can you configure your GitHub repository to run CodeQL analysis on a schedule? (Choose two.)
  55. An organization has recently started using CodeQL analysis for all pull requests on their repositories as well as running the analysis on an hourly schedule. Since then they are experiencing larger than usual GitHub Actions bills. What is the most likely cause of this?
  56. If you don't want to use GitHub Actions, you can run code scanning in an external CI system, then upload the results to GitHub.
  57. When using a third party CI system to run code scanning, what GitHub tool do you need to analyze the codebase?
  58. When using GitHub Actions as your CI system and a third party tool to run code scanning, how can you upload the SARIF results to GitHub?
  59. Can you use CodeQL analysis with third party CI systems?
  60. Which of these is true about code scanning? (Choose two.)
  61. When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?
  62. What is the effect of adding the `paths-ignore` keyword to your code scanning GitHub Actions workflow?
  63. CodeQL scanning supports:
  64. What are CodeQL queries used for?
  65. What is QL?
  66. What is a CodeQL query suite?
  67. What are the different types of CodeQL packs? (Choose three.)
  68. What is a CodeQL query pack?
  69. What are the steps of CodeQL analysis workflow?
  70. What is extraction in the context of CodeQL code analysis?
  71. Which of these statements are true regarding running CodeQL analysis on codebases with multiple programming languages? (Choose two.)
  72. What are the differences when running CodeQL database creation for compiled and interpreted languages? (Choose two.)
  73. Where can you see when the last CodeQL analysis was run when using the default code scanning setup?
  74. Which of the following statements about enabling CodeQL scanning default setup are true? (Choose two.)
  75. How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two.)
  76. When running CodeQL analysis in GitHub Actions, what Actions should you use? (Choose three.)
  77. What is the simplest method to execute CodeQL analysis concurrently for each language in a multi-language repository using GitHub Actions?
  78. How can you use a custom CodeQL configuration file in a GitHub Actions workflow?
  79. Where can you specify the CodeQL queries to run in a GitHub Actions workflow? (Choose two.)
  80. What is the purpose of the `external-repository-token` parameter in `github/codeql-action/init` GitHub Action?
  81. What CodeQL CLI command is used to create a CodeQL database?
  82. What is the purpose of the `codeql database analyze` command in CodeQL CLI?
  83. As part of your Jenkins CI pipeline you've successfully created and then analyzed a CodeQL database, therefore producing a SARIF file. How can you upload the SARIF file to GitHub? (Choose two.)
  84. What details can you find on a code scanning alert page? (Choose three.)
  85. Which of these statements regarding viewing the results of a CodeQL analysis are true? (Choose two.)
  86. When a CodeQL analysis GitHub Actions workflow detects a new vulnerability on a pull request, where can you find the information about that vulnerability?
  87. When viewing a code scanning alert what is the `Show paths` option used for?
  88. What does it mean to dismiss a code scanning alert?
  89. Which of these is NOT a valid approach one can take to reduce the time it takes for CodeQL analysis workflow to complete?
  90. What is the purpose of defining a SARIF category?
  91. How can you enable GitHub Advanced Security features on GitHub Enterprise Server? (Choose two.)
  92. How can you enable GitHub Advanced Security features for all repositories in an organization in GitHub Enterprise Cloud?
  93. As a repository maintainer where should you put instructions on how to report a security vulnerability in your codebase?
  94. What is a GitHub security policy?
  95. How can you set a default security policy for all repositories in `my-org` GitHub Organization?
  96. Which API endpoint can be used to retrieve a list of all dependabot alerts for an enterprise?
  97. Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?
  98. Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?
  99. Which of these statements best defines a vulnerable dependency?
  100. What are Dependabot security updates?
  101. Dependabot Alerts are enabled by default on:
  102. Who can enable Dependabot alerts on a repository?
  103. What's the lowest access level needed to see Dependabot alerts in a repository within an organization?
  104. To enable Dependabot Alerts on all repositories in an organization you should:
  105. Which of these is a valid `dependabot.yml` configuration file?
  106. Which of these is not a GitHub supported channel for receiving Dependabot alerts?
  107. What are Dependabot auto-triage rules?
  108. How can you automate dismissing low severity Dependabot alerts?
  109. To enable Dependabot security updates on all repositories in an organization you should:
  110. The tool that checks if a pull request introduces any dependencies with security vulnerabilities is called:
  111. You need GitHub Actions enabled for
  112. What does `CVSS` stand for?
  113. What does `CVE` stand for?
  114. What does `CWE` stand for?