Application-security certification covering GitHub Secret Protection, supply chain security, Code Security with CodeQL, security operations, and enterprise administration, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample: Describe GitHub Security suites, features, and ecosystem (difficulty: medium)
A platform team is mapping out which GitHub Advanced Security capabilities belong to which licensable product so they can budget seats correctly. They need to place CodeQL-based code scanning and the alerts it raises under the correct product line. Which product does code scanning with CodeQL belong to?
- A. Code Security, because code scanning with CodeQL performs static analysis to find vulnerabilities in the codebase. (Correct)
- B. Secret Protection, because CodeQL inspects source files for sensitive strings before they are committed.
- C. Supply Chain Security, because CodeQL evaluates the security of third-party dependencies pulled into the build.
- D. Security Overview, because code scanning alerts are surfaced there for the whole organisation.
Place code scanning with CodeQL under the Code Security product within GitHub Advanced Security. GitHub Advanced Security is divided into product lines by the type of risk each addresses. Code scanning with CodeQL is static analysis of first-party source for vulnerabilities, which is the defining function of Code Security, distinct from credential detection (Secret Protection) and dependency risk (Supply Chain Security).
Why A is correct: Code scanning with CodeQL is the static application security testing capability, and GitHub packages it under the Code Security product. It analyses code paths for vulnerabilities such as injection flaws, which is exactly the Code Security remit.
Why B is wrong: This is tempting because both features analyse source code, but Secret Protection covers secret scanning and push protection for credentials, not static analysis of code logic. CodeQL does not look for committed credentials, so it is not part of Secret Protection.
Why C is wrong: Supply Chain Security covers the dependency graph, Dependabot, and Dependency Review, which assess third-party components. CodeQL analyses first-party source code rather than declared dependencies, so this product placement is wrong.
Why D is wrong: Security Overview is a reporting and navigation surface that aggregates alerts from multiple features; it is not a licensable product that owns code scanning. Seeing CodeQL alerts in Security Overview does not make code scanning part of it.
Free sample: Describe GitHub Security suites, features, and ecosystem (difficulty: medium)
A security lead for an organisation wants a single place to see the count of open code scanning, secret scanning, and Dependabot alerts across every repository, broken down by repository and severity, without opening each repository in turn. Which part of the GitHub security suite is designed for this cross-repository view?
- A. The Security tab of one representative repository, which rolls up alerts from all sibling repositories in the organisation.
- B. Security Overview at the organisation level, which aggregates alerts from all enabled features across repositories. (Correct)
- C. The Dependabot alerts page, which lists every alert type the organisation has enabled, grouped by repository.
- D. The organisation audit log, which records every alert as it is created and can be filtered by severity.
Use organisation-level Security Overview to view and filter alerts from all security features across repositories. Security Overview exists precisely to give security teams a consolidated, filterable picture of risk spanning many repositories and several alert types, which a single repository Security tab, a feature-specific alert page, or the audit log cannot provide because each is scoped narrowly.
Why A is wrong: A repository Security tab is scoped to that single repository only and does not aggregate sibling repositories. It is tempting because that tab does list all alert types, but only for the one repository it belongs to.
Why B is correct: Security Overview is the dashboard that consolidates code scanning, secret scanning, and Dependabot alerts across repositories, with filtering by repository and severity. It is the purpose-built cross-repository reporting surface in the suite.
Why C is wrong: The Dependabot alerts page shows only dependency vulnerability alerts; it does not include code scanning or secret scanning results. It is plausible because it spans repositories, but it covers a single feature, not all three.
Why D is wrong: The audit log records events such as setting changes and access actions, not a live, severity-ranked inventory of open security alerts. It is tempting as an org-wide view but is an event stream, not an alert dashboard.
Free sample: Describe GitHub Security suites, features, and ecosystem (difficulty: medium)
During a procurement review, a team must distinguish what each GitHub Advanced Security product is responsible for. They specifically need the product whose job is to keep credentials such as API keys and tokens out of the codebase, both by detecting them and by blocking them at the point of a push. Which product fits that description?
- A. Supply Chain Security, through Dependency Review blocking pull requests that introduce risky packages.
- B. Code Security, through code scanning rules that flag hard-coded credentials as a vulnerability class.
- C. Secret Protection, through secret scanning to detect exposed credentials and push protection to block them before they are committed. (Correct)
- D. Security Overview, through its consolidated alert feed that quarantines any pushed secret automatically.
Identify Secret Protection as the product that provides secret scanning for detection and push protection for prevention of exposed credentials. Secret Protection groups the two credential-focused controls: secret scanning detects exposed tokens already present in the repository, and push protection prevents new secrets from entering it at push time. None of dependency tooling, static code analysis, or the reporting dashboard owns this credential-specific detection-plus-prevention pairing.
Why A is wrong: Dependency Review does block risky changes at pull request time, which makes this tempting, but it acts on vulnerable or malicious dependencies, not on committed credentials. Supply Chain Security does not detect secrets in source.
Why B is wrong: Code scanning can sometimes flag insecure patterns, so this seems plausible, but the dedicated detection and push-time blocking of credentials is the role of secret scanning and push protection, which sit in Secret Protection, not Code Security.
Why C is correct: Secret Protection is the product that bundles secret scanning, which detects credentials in the repository, with push protection, which blocks a push that contains a recognised secret. This matches both the detection and prevention requirements exactly.
Why D is wrong: Security Overview only reports and helps navigate alerts; it does not detect or block secrets and has no quarantine action. It is tempting because secret scanning alerts appear there, but reporting is not the same as the detection and prevention controls.
Examworthy is not affiliated with or endorsed by GitHub. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. GH-500 and related marks belong to their respective owners.