A platform team is mapping out which GitHub Advanced Security capabilities belong to which licensable product so they can budget seats correctly. They need to place CodeQL-based code scanning, and the alerts it raises, under the correct product line. Which product does code scanning with CodeQL belong to?
- A. Code Security, because code scanning with CodeQL performs static analysis to find vulnerabilities in the codebase. (Correct)
- B. Secret Protection, because CodeQL inspects source files for sensitive strings before they are committed.
- C. Supply Chain Security, because CodeQL evaluates the security of third-party dependencies pulled into the build.
- D. Security Overview, because code scanning alerts are surfaced there for the whole organisation.
Why A is correct: Code scanning with CodeQL is GitHub's static application security testing (SAST) capability. Since GitHub split Advanced Security into the separately licensed Code Security and Secret Protection products, code scanning (and the Copilot Autofix suggestions attached to its alerts) is licensed under Code Security. CodeQL builds a database of the code and runs data-flow queries over it to find vulnerabilities such as injection flaws, which is exactly the Code Security remit; seats are consumed per active committer on repositories where it is enabled.
Why B is wrong: This is tempting because both features analyse source code, but Secret Protection covers secret scanning and push protection, which match committed or pushed content against known credential formats. CodeQL does ship a few hard-coded-credential queries, but those are static analysis of code logic, not secret scanning, and they are licensed with code scanning under Code Security, not under Secret Protection.
Why C is wrong: Supply chain security on GitHub covers the dependency graph, Dependabot alerts and updates, and dependency review, which assess third-party components declared in manifests and lockfiles (dependency graph and Dependabot are free features, and dependency review itself requires a Code Security licence). CodeQL analyses first-party source code rather than declared dependencies, so this product placement is wrong.
Why D is wrong: Security Overview is a reporting and navigation surface that aggregates alerts from code scanning, secret scanning and Dependabot across an organisation or enterprise; it is not a licensable product that owns code scanning. Seeing CodeQL alerts in Security Overview does not make code scanning part of it, any more than seeing Dependabot alerts there makes Dependabot part of it.