GH-500 domain - 14% of the exam

GitHub Security suites administration

GitHub Security suites administration is 14% of the GitHub Advanced Security (GH-500) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | GitHub Security suites administration | Difficulty: medium

An enterprise owner on GitHub Enterprise Cloud wants one named baseline that enables secret scanning with push protection and code scanning, and wants it offered to every organisation in the enterprise so each organisation owner can apply it without rebuilding it. The owner does not want to log in to each organisation to recreate the same settings. Which mechanism lets the owner author the baseline once at the enterprise tier and make it available to the organisations beneath it?

  • A. Create the security configuration inside each organisation, then export and import the JSON between organisations so the settings stay identical across the enterprise.
  • B. Define a repository ruleset at the enterprise tier that turns on secret scanning and code scanning whenever a branch matching the ruleset receives a push.
  • C. Assign the security manager role at the enterprise tier so the holders inherit a standard set of enabled features across all member organisations automatically.
  • D. Create an enterprise-level security configuration, which the enterprise owner authors once and which then becomes available for organisation owners to apply to their repositories. (Correct)
Recognise that an enterprise-level security configuration is authored once and made available for organisations to apply. Security configurations can be defined at the enterprise tier so the enterprise owner authors the baseline of features such as secret scanning with push protection and code scanning a single time. That configuration then becomes available to the organisations in the enterprise, where organisation owners apply it to repositories without recreating the settings.

Why A is wrong: There is no export-import flow for security configurations, and this still requires touching every organisation, which is exactly what the owner wants to avoid. It is tempting because copying config-as-code feels scalable, but it is not how the feature distributes baselines.

Why B is wrong: Rulesets govern branch and tag protections such as required checks and restricted pushes; they do not enable security features. The plausibility is that rulesets exist at enterprise scope, but they enforce branch rules rather than provision the scanning suite.

Why C is wrong: The security manager role grants permission to view and manage security settings and alerts; it does not bundle or push a feature baseline. Granting access is not the same as authoring and distributing a configuration, so this confuses a role with a configuration.

Why D is correct: Enterprise-level security configurations let an enterprise owner define a reusable baseline at the top tier that flows down to the organisations, where organisation owners can apply it. This matches authoring once and offering it downward without recreating settings per organisation.
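To make the "author once, apply downward" idea concrete, here is an added example that is not part of the Examworthy page and not GitHub's own tooling. It builds the baseline as a request body shaped like GitHub's REST API for code security configurations (field names such as `secret_scanning`, `secret_scanning_push_protection` and `code_scanning_default_setup` with values `enabled`/`disabled`/`not_set` come from the organisation-level API; that the enterprise-level endpoint accepts the same fields is an assumption) and then runs an offline compliance check over constructed repository records, shaped like the "configuration associated with a repository" response, to list the repositories an organisation owner still needs to attach to the baseline. The configuration name, organisation and repository names are hypothetical.

```python
"""Added example (not from the Examworthy page or from GitHub).

Models the scenario in the question: an enterprise-level security
configuration authored once, plus a compliance check that finds the
repositories which do not yet carry that baseline.

Assumptions, stated here and in the comments:
  * Payload field names mirror the organisation-level REST API for code
    security configurations; the enterprise-level endpoint is assumed to
    accept the same shape.
  * Repository records are constructed sample data shaped like the
    "configuration associated with a repository" response
    ({"state": ..., "configuration": {...}}). Nothing here calls GitHub.
"""
from __future__ import annotations

BASELINE_NAME = "Enterprise baseline"  # hypothetical configuration name

# Features the enterprise owner wants every repository to have enabled.
REQUIRED_FEATURES = (
    "secret_scanning",
    "secret_scanning_push_protection",
    "code_scanning_default_setup",
)


def baseline_payload() -> dict:
    """Request body the enterprise owner authors once for the baseline.

    Field names follow the organisation-level REST API (assumption: the
    enterprise-level endpoint takes the same fields).
    """
    payload = {
        "name": BASELINE_NAME,
        "description": "Secret scanning + push protection + code scanning",
        "enforcement": "enforced",  # repositories cannot switch features off
    }
    for feature in REQUIRED_FEATURES:
        payload[feature] = "enabled"
    return payload


def repo_has_baseline(repo_record: dict) -> bool:
    """True when the repository is attached to a configuration that enables
    every required feature. An unattached repository, or one attached to a
    weaker configuration, counts as drift."""
    configuration = repo_record.get("configuration")
    if not configuration:
        return False
    return all(configuration.get(f) == "enabled" for f in REQUIRED_FEATURES)


def find_drift(repo_records: dict[str, dict]) -> list[str]:
    """Return the (sorted) names of repositories that lack the baseline."""
    return sorted(name for name, record in repo_records.items()
                  if not repo_has_baseline(record))


# Constructed sample data: three repositories in one hypothetical organisation.
SAMPLE_REPOS = {
    "org-a/payments": {"state": "attached", "configuration": baseline_payload()},
    "org-a/docs": {"state": "detached", "configuration": None},
    "org-a/legacy-tool": {
        "state": "attached",
        "configuration": {  # an older org-level config without push protection
            "name": "Org default",
            "secret_scanning": "enabled",
            "secret_scanning_push_protection": "disabled",
            "code_scanning_default_setup": "not_set",
        },
    },
}

if __name__ == "__main__":
    for repo in find_drift(SAMPLE_REPOS):
        print(f"drift: {repo} is not on '{BASELINE_NAME}'")
```

In a real enterprise the repository records would come from the API for each organisation rather than from the constructed dictionary; the check itself is what matters, since a baseline that exists at the enterprise tier only protects repositories that an organisation owner has actually attached to it.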

See also the GH-500 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by GitHub. Original, blueprint-aligned practice material only.