A team already runs a third-party static analysis tool in their continuous integration pipeline and wants its findings to appear as code scanning alerts in the repository Security tab, displayed inline on the relevant lines of changed files in pull requests. The tool can export its results in a standard format. Which approach makes those third-party findings appear as native code scanning alerts?
- A. Open the third-party tool's JSON report as a workflow artifact so GitHub parses it into the code scanning alerts list automatically.
- B. Add the third-party tool to the default CodeQL configuration so CodeQL re-runs the tool and converts its output to alerts.
- C. Post the tool's results to the repository using the check runs API, which surfaces them on the Security tab as code scanning alerts.
- D. Have the tool produce a SARIF file and upload it to code scanning using the upload-sarif action or the SARIF upload API. (Correct)
Why A is wrong: Uploading a report as a workflow artifact merely stores a file for download; GitHub does not parse arbitrary artifacts into alerts. Code scanning only ingests results delivered specifically as SARIF through the upload mechanism, so an artifact alone produces no alerts.
Why B is wrong: Default setup runs CodeQL queries only and cannot invoke or wrap an unrelated third-party scanner. CodeQL does not convert another tool's output, so this conflates the CodeQL engine with the generic SARIF ingestion path.
Why C is wrong: The check runs API can annotate a commit or pull request with check output, but those annotations are not code scanning alerts and do not populate the Security tab's code scanning list. Only SARIF ingestion creates managed code scanning alerts.
Why D is correct: Code scanning ingests results in the SARIF format, so exporting the tool's findings as SARIF and uploading them with the upload-sarif action or the code scanning SARIF API turns them into native alerts that appear in the Security tab and inline in pull requests. This is the supported interoperability path for third-party tools.