Guaranteed Success in GitHub Administrator GH-500 Exam Dumps
Microsoft GH-500 Daily Practice Exam New 2026 Updated 125 Questions
NEW QUESTION # 40
What role is required to change a repository's code scanning severity threshold that fails a pull request status check?
- A. Triage
- B. Write
- C. Admin
- D. Maintain
Answer: C
Explanation:
To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.
Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.
NEW QUESTION # 41
What scenario demonstrates the use of Dependabot security updates?
- A. A pull request is opened that fixes a vulnerable dependency.
- B. A pull request is opened that updates a dependency to the most recent version.
- C. An alert is created for a secret that's been exposed in the codebase.
- D. An alert is created for a vulnerable dependency.
Answer: B
Explanation:
Dependabot security updates are automated pull requests generated by the GitHub tool to update project dependencies with known security vulnerabilities, such as those listed in the GitHub Advisory Database. This feature helps developers automatically patch security risks in their codebase by creating pull requests that update dependencies to the minimum secure version without breaking the dependency graph.
How Dependabot Security Updates Work
1. Vulnerability Detection: Dependabot scans your repository's dependencies and checks them against the GitHub Advisory Database.
2. Alerts: If a vulnerable dependency is detected, Dependabot sends an alert to the user.
3. Automated Pull Request: For repositories where security updates are enabled, Dependabot automatically creates a pull request to fix the vulnerability.
4. Update to Secure Version: The pull request updates the vulnerable dependency to the minimum version that contains a patch for the known security issue.
5. Resolution: The pull request provides details, including release notes and commits, and is linked to the security alert for easy review and merging.
NEW QUESTION # 42
After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?
- A. Ignore the alert.
- B. Dismiss the alert with the reason "false positive."
- C. Open an issue in the CodeQL repository.
- D. Draft a pull request to update the open-source query.
Answer: B
Explanation:
When you identify that a code scanning alert is a false positive-such as when your code uses a custom sanitization method not recognized by the analysis-you should dismiss the alert with the reason "false positive." This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.
As per GitHub's documentation:
"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis." By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.
NEW QUESTION # 43
What is the first step you should take to fix an alert in secret scanning?
- A. Archive the repository.
- B. Update your dependencies.
- C. Remove the secret in a commit to the main branch.
- D. Revoke the alert if the secret is still valid.
Answer: D
Explanation:
The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.
Simply deleting the secret from the code does not remove the risk if it hasn't been revoked - especially since it may already be exposed in commit history.
NEW QUESTION # 44
Which alerts do you see in the repository's Security tab? Each answer presents part of the solution. (Choose three.)
- A. code scanning alerts
- B. security status alerts
- C. secret scanning alerts
- D. repository permissions
- E. Dependabot alerts
Answer: A,C,E
Explanation:
You can find security alerts from Dependabot, Secret scanning, and Code scanning under your repository's Security tab.
NEW QUESTION # 45
What happens when you enable secret scanning on a private repository?
- A. Repository administrators can view Dependabot alerts.
- B. Your team is subscribed to security alerts.
- C. GitHub performs a read-only analysis on the repository.
- D. Dependency review, secret scanning, and code scanning are enabled.
Answer: C
Explanation:
When secret scanning is enabled on a private repository, GitHub performs a read-only analysis of the repository's contents. This includes the entire Git history and files to identify strings that match known secret patterns or custom-defined patterns.
GitHub does not alter the repository, and enabling secret scanning does not automatically enable code scanning or dependency review - each must be configured separately.
NEW QUESTION # 46
Which CodeQL query suite provides queries of lower severity than the default query suite?
- A. github/codeql-go/ql/src@main
- B. security-extended
- C. github/codeql/cpp/ql/src@main
Answer: B
Explanation:
The security-extended query suite includes additional CodeQL queries that detect lower severity issues than those in the default security-and-quality suite.
It's often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.
The other options listed are paths to language packs, not query suites themselves.
NEW QUESTION # 47
Where can you find the vulnerable dependencies that GitHub detected in your repository?
- A. in Dependabot alerts
- B. in secret scanning alerts
- C. in code scanning alerts
- D. in security advisories
Answer: A
Explanation:
Identifying vulnerabilities in your project's dependencies with Dependabot alerts Dependabot generates Dependabot alerts when known vulnerabilities are detected in dependencies that your project uses.
Dependabot alerts tab
If GitHub discovers insecure dependencies in your project, you can view details on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the alert.
NEW QUESTION # 48
What do you need to do before you can define a custom pattern for a repository?
- A. Provide a regular expression for the format of your secret pattern
- B. Provide match requirements for the secret format.
- C. Add a secret scanning custom pattern.
- D. Enable secret scanning on the repository.
Answer: D
Explanation:
Before defining a custom pattern, you must ensure that you enable secret scanning for the repositories that you want to scan in your organization. You can use security configurations to enable secret scanning on all repositories in your organization.
NEW QUESTION # 49
Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? Each answer presents part of the solution. (Choose three.)
- A. analyze code
- B. install the CLI
- C. process alerts
- D. upload scan results
- E. write queries
Answer: A,B,D
Explanation:
Using code scanning with your existing CI system
You can analyze your code with the CodeQL CLI or another tool in a third-party continuous integration system and upload the results to GitHub. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.
[A] Setting up your analysis tool
You will first need to download your analysis tool of choice and set it up with your CI system.
If you are using the CodeQL CLI, you need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL code scanning analysis on.
[B ] Analyzing code
To analyze code with the CodeQL CLI or another analysis tool, you will want to check out the code you want to analyze and set up the codebase environment, making sure that any dependencies are available. You may also want to find the build command for the codebase, typically available in your CI system's configuration file.
You can then complete the steps to analyze your codebase and produce results, which will differ based on the static analysis tool you are using.
[E] Uploading your results to GitHub
Once you have analyzed your code, produced SARIF results, and ensured you can authenticate with GitHub, you can upload the results to GitHub.
NEW QUESTION # 50
If default code security settings have not been changed at the repository, organization, or enterprise level, which repositories receive Dependabot alerts?
- A. Repositories owned by an organization
- B. Private repositories
- C. Repositories owned by an enterprise account
- D. None
Answer: D
Explanation:
By default, no repositories receive Dependabot alerts unless configuration is explicitly enabled. GitHub does not enable Dependabot alerts automatically for any repositories unless:
The feature is turned on manually
It's configured at the organization or enterprise level via security policies This includes public, private, and enterprise-owned repositories - manual activation is required.
NEW QUESTION # 51
Which of the following pre-defined roles is required to manage code scanning alerts in a repository?
- A. Triage
- B. Read
- C. Maintain
- D. View
Answer: B
Explanation:
Access requirements for security features
In this section, you can find the access required for security features, such as GitHub Advanced Security features.
Note: Repository roles for organizations
You can give organization members, outside collaborators, and teams of people different levels of access to repositories owned by an organization by assigning them to roles. Choose the role that best fits each person or team's function in your project without giving people more access to the project than they need.
From least access to most access, the roles for an organization repository are:
Read: Recommended for non-code contributors who want to view or discuss your project Triage: Recommended for contributors who need to proactively manage issues, discussions, and pull requests without write access Write: Recommended for contributors who actively push to your project Maintain: Recommended for project managers who need to manage the repository without access to sensitive or destructive actions Admin: Recommended for people who need full access to the project, including sensitive and destructive actions like managing security or deleting a repository
NEW QUESTION # 52
Which of the following is the most proactive and practical way to prevent new secret scanning alerts?
- A. Enable push protection.
- B. Configure a secret scanning Actions workflow.
- C. Use feature branches
- D. Scan for non-provider patterns
Answer: A
Explanation:
To prevent new secret scanning alerts, enable push protection to block secrets from being committed in the first place, and manage push protection patterns to disable blocking for specific, low-risk secret types or false positives.
Enable Push Protection
Prevent new commits: Push protection proactively scans code for secrets before they are pushed to a repository. If a secret is detected, the push is blocked, providing immediate feedback to developers and preventing secrets from entering the codebase.
Configure patterns: You can configure which secret patterns are blocked at the organization or enterprise level. By disabling patterns that frequently generate false positives, you can reduce the number of new alerts.
NEW QUESTION # 53
How many alerts are created when two instances of the same secret value are in the same repository?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: D
Explanation:
When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.
This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.
NEW QUESTION # 54
Which of the following secret scanning features can verify whether a secret is still active?
- A. push protection
- B. validity checks
- C. custom patterns
- D. branch protection
Answer: B
Explanation:
Performing validity checks
Validity checks help you prioritize alerts by telling you which secrets are active or inactive.
NEW QUESTION # 55
What do you need to do before you can define a custom pattern for a repository?
- A. Provide match requirements for the secret format.
- B. Add a secret scanning custom pattern.
- C. Enable secret scanning on the repository.
- D. Provide a regular expression for the format of your secret pattern.
Answer: C
Explanation:
Stack Overflow
Explanation:
Comprehensive and Detailed Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.
NEW QUESTION # 56
Which of the following options would close a Dependabot alert?
- A. Viewing the Dependabot alert on the Dependabot alerts tab of your repository
- B. Viewing the dependency graph
- C. Leaving the repository in its current state
- D. Creating a pull request to resolve the vulnerability that will be approved and merged
Answer: D
Explanation:
A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code - specifically after you merge a pull request that updates the vulnerable dependency.
Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.
NEW QUESTION # 57
What is the first step you should take to fix an alert in secret scanning?
- A. Archive the repository.
- B. Update your dependencies.
- C. Remove the secret in a commit to the main branch.
- D. Revoke the alert if the secret is still valid.
Answer: D
Explanation:
Resolving alerts from secret scanning
After reviewing the details of a secret scanning alert, you should fix and then close the alert.
Fixing alerts
Once a secret has been committed to a repository, you should consider the secret compromised.
GitHub recommends the following actions for compromised secrets:
Verify that the secret committed to GitHub is valid.
Review and update any services that use the old token. For GitHub personal access tokens, delete the compromised token and create a new token.
Depending on the secret provider, check your security logs for any unauthorized activity.
NEW QUESTION # 58
Who can fix a code scanning alert on a private repository?
- A. users who have the security manager role within the repository
- B. users who have Read permissions within the repository
- C. users who have Write access to the repository
- D. users who have the Triage role within the repository
Answer: C
Explanation:
Resolving code scanning alerts
From the security view, you can view, fix, or dismiss alerts for potential vulnerabilities or errors in your project's code.
Who can use this feature?
Users with write access
Note: Fixing an alert manually
Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has code scanning scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger code scanning analysis of the changes and test that your fix doesn't introduce any new problems.
NEW QUESTION # 59
Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull request created via Dependabot security updates?
- A. A user who has read access to the repository
- B. A user who has write access to the repository
- C. An enterprise administrator
- D. A repository member of an enterprise organization
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.
Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.
NEW QUESTION # 60
Who can fix a code scanning alert on a private repository?
- A. Users who have Write access to the repository
- B. Users who have Read permissions within the repository
- C. Users who have the security manager role within the repository
- D. Users who have the Triage role within the repository
Answer: A
Explanation:
Comprehensive and Detailed Explanation:
In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.
GitHub Docs
Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.
Reference:
GitHub Docs
NEW QUESTION # 61
A secret scanning alert should be closed as "used in tests" when a secret is:
- A. in the readme.md file.
- B. in a test file.
- C. solely used for tests.
- D. not a secret in the production environment.
Answer: C
Explanation:
If a secret is intentionally used in a test environment and poses no real-world security risk, you may close the alert with the reason"used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.
Just being in a test file isn't enough unless itspurpose is purely for testing.
If a secret is intentionally used in a test environment and poses no real-world security risk, you may close the alert with the reason"used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.
Just being in a test file isn't enough unless itspurpose is purely for testing.
NEW QUESTION # 62
Which patterns are secret scanning validity checks available to?
- A. Partner patterns
- B. Push protection patterns
- C. High entropy strings
- D. Custom patterns
Answer: A
Explanation:
Validity checks - where GitHub verifies if a secret is still active - are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.
Custom patterns and high entropy patterns do not support automated validity checks.
NEW QUESTION # 63
You are a maintainer of a repository and Dependabot notifies you of a vulnerability. Where could the vulnerability have been disclosed? Each answer presents part of the solution. (Choose two.)
- A. in the National Vulnerability Database
- B. in the dependency graph
- C. in manifest and lock files
- D. in security advisories reported on GitHub
Answer: C,D
Explanation:
C: GitHub may send Dependabot alerts to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory.
D: The Dependabot security updates feature is available for repositories where you have enabled the dependency graph and Dependabot alerts. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file.
NEW QUESTION # 64
How would you build your code within the CodeQL analysis workflow? Each answer presents a complete solution. (Choose two.)
- A. Implement custom build steps.
- B. Use jobs.analyze.runs-on.
- C. Ignore paths.
- D. Upload compiled binaries.
- E. Use CodeQL's init action.
- F. Use CodeQL's autobuild action.
Answer: E,F
Explanation:
[B] Build Modes
The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:
none: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
*-> autobuild: The database will be created by attempting to automatically build the source code.
Available for all compiled languages.
manual: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the init and analyze steps. Available for all compiled languages.
[D] Actions
This repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.
Actions for CodeQL analyses:
*-> init: Sets up CodeQL for analysis.
analyze: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning.
NEW QUESTION # 65
......
Microsoft GH-500 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Test Engine to Practice GH-500 Test Questions: https://passleader.testkingpdf.com/GH-500-testking-pdf-torrent.html

