GitHub GitHub Advanced Security 시험

Question No : 1

When using the advanced CodeQL code scanning setup, what is the name of the workflow file?

• A.codeql-config.yml
• B.codeql-scan.yml
• C.codeql-workflow.yml
• D.codeql-analysis.yml

답을 확인하기

정답:
Explanation:
In the advanced setup for CodeQL code scanning, GitHub generates a workflow file named codeql-analysis.yml. This file is located in the .github/workflows directory of your repository. It defines the configuration for the CodeQL analysis, including the languages to analyze, the events that trigger the analysis, and the steps to perform during the workflow.
Reference: GitHub Docs C Customizing your advanced setup for code scanning

Question No : 2

Which of the following statements most accurately describes push protection for secret scanning custom patterns?

• A.Push protection must be enabled for all, or none, of a repository's custom patterns.
• B.Push protection is an opt-in experience for each custom pattern.
• C.Push protection is not available for custom patterns.
• D.Push protection is enabled by default for new custom patterns.

답을 확인하기

정답:
Explanation:
Push protection for secret scanning custom patterns is an opt-in feature. This means that for each custom pattern defined in a repository, maintainers can choose to enable or disable push protection individually. This provides flexibility, allowing teams to enforce push protection on sensitive patterns while leaving it disabled for others.
Reference: GitHub Docs C Working with push protection from the command line

Question No : 3

You are a maintainer of a repository and Dependabot notifies you of a vulnerability.
Where could the vulnerability have been disclosed? (Each answer presents part of the solution. Choose two.)

• A.In the National Vulnerability Database
• B.In the dependency graph
• C.In security advisories reported on GitHub
• D.In manifest and lock files

답을 확인하기

정답:
Explanation:
Dependabot alerts are generated based on data from various sources:
National Vulnerability Database (NVD): A comprehensive repository of known vulnerabilities, which GitHub integrates into its advisory database.
GitHub Docs
Security Advisories Reported on GitHub: GitHub allows maintainers and security researchers to report and discuss vulnerabilities, which are then included in the advisory database.
The dependency graph and manifest/lock files are tools used by GitHub to determine which dependencies are present in a repository but are not sources of vulnerability disclosures themselves.
Reference: GitHub Docs C About Dependabot alerts

Question No : 4

Which of the following workflow events would trigger a dependency review? (Each answer presents a complete solution. Choose two.)

• A.pull_request
• B.workflow_dispatch
• C.trigger
• D.commit

답을 확인하기

정답:
Explanation:
Dependency review is triggered by specific events in GitHub workflows:
pull_request: When a pull request is opened, synchronized, or reopened, GitHub can analyze the changes in dependencies and provide a dependency review.
workflow_dispatch: This manual trigger allows users to initiate workflows, including those that perform dependency reviews.
The trigger and commit options are not recognized GitHub Actions events and would not initiate a dependency review.
Reference: GitHub Docs C Events that trigger workflows

Question No : 5

How would you build your code within the CodeQL analysis workflow? (Each answer presents a complete solution. Choose two.)

• A.Upload compiled binaries.
• B.Use CodeQL's init action.
• C.Ignore paths.
• D.Implement custom build steps.
• E.Use jobs.analyze.runs-on.
• F.Use CodeQL's autobuild action.

답을 확인하기

정답:
Explanation:
When setting up CodeQL analysis for compiled languages, there are two primary methods to build your code:
GitHub Docs
Autobuild: CodeQL attempts to automatically build your codebase using the most likely build method. This is suitable for standard build processes.
GitHub Docs
Custom Build Steps: For complex or non-standard build processes, you can implement custom build steps by specifying explicit build commands in your workflow. This provides greater control over the build process.
GitHub Docs
The init action initializes the CodeQL analysis but does not build the code. The jobs.analyze.runs-on specifies the operating system for the runner but is not directly related to building the code. Uploading compiled binaries is not a method supported by CodeQL for analysis.
Reference: GitHub Docs C CodeQL code scanning for compiled languages

Question No : 6

You have enabled security updates for a repository. When does GitHub mark a Dependabot alert as resolved for that repository?

• A.When Dependabot creates a pull request to update dependencies
• B.When you dismiss the Dependabot alert
• C.When the pull request checks are successful
• D.When you merge a pull request that contains a security update

답을 확인하기

정답:
Explanation:
A Dependabot alert is marked as resolved only after the related pull request is merged into the repository. This indicates that the vulnerable dependency has been officially replaced with a secure version in the active codebase.
Simply generating a PR or passing checks does not change the alert status; merging is the key step.
Reference: GitHub Docs C About Dependabot security updates; Managing Dependabot alerts

Question No : 7

What happens when you enable secret scanning on a private repository?

• A.Repository administrators can view Dependabot alerts.
• B.Your team is subscribed to security alerts.
• C.GitHub performs a read-only analysis on the repository.
• D.Dependency review, secret scanning, and code scanning are enabled.

답을 확인하기

정답:
Explanation:
When secret scanning is enabled on a private repository, GitHub performs a read-only analysis of the repository's contents. This includes the entire Git history and files to identify strings that match known secret patterns or custom-defined patterns.
GitHub does not alter the repository, and enabling secret scanning does not automatically enable code scanning or dependency review ― each must be configured separately.
Reference: GitHub Docs C Managing secret scanning for repositories

Question No : 8

How many alerts are created when two instances of the same secret value are in the same repository?

• A.1
• B.2
• C.3
• D.4

답을 확인하기

정답:
Explanation:
When multiple instances of the same secret value appear in a repository, only one alert is generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into a single alert to reduce noise and avoid duplication.
This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.
Reference: GitHub Docs C About secret scanning alerts

Question No : 9

Which of the following information can be found in a repository's Security tab?

• A.Number of alerts per GHAS feature
• B.Two-factor authentication (2FA) options
• C.Access management
• D.GHAS settings

답을 확인하기

정답:
Explanation:
The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled.
The following can be accessed:
Number of alerts related to:
Code scanning
Secret scanning
Dependency (Dependabot) alerts
Summary and visibility into open, closed, and dismissed security issues.
It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.
Reference: GitHub Docs C Managing security and analysis settings for your repository

Question No : 10

Who can fix a code scanning alert on a private repository?

• A.Users who have the Triage role within the repository
• B.Users who have Read permissions within the repository
• C.Users who have Write access to the repository
• D.Users who have the security manager role within the repository

답을 확인하기

정답:
Explanation:
In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.
GitHub Docs
Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.
Reference: GitHub Docs C Resolving code scanning alerts
GitHub Docs

Question No : 11

Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull request created via Dependabot security updates?

• A.An enterprise administrator
• B.A user who has write access to the repository
• C.A user who has read access to the repository
• D.A repository member of an enterprise organization

답을 확인하기

정답:
Explanation:
By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.
Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.
Reference: GitHub Docs C About Dependabot security updates; Configuring Dependabot security updates

Question No : 12

What do you need to do before you can define a custom pattern for a repository?

• A.Provide a regular expression for the format of your secret pattern.
• B.Add a secret scanning custom pattern.
• C.Enable secret scanning on the repository.
• D.Provide match requirements for the secret format. Stack Overflow

답을 확인하기

정답:
Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.
Reference: GitHub Docs C Managing alerts from secret scanning

Question No : 13

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

• A.It generates a Dependabot alert and displays it on the Security tab for the repository.
• B.It notifies the repository administrators about the new alert.
• C.It generates Dependabot alerts by default for all private repositories.
• D.It consults with a security service and conducts a thorough vulnerability review.

답을 확인하기

정답:
Explanation:
When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:
Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.
Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.
GitHub Docs
These actions ensure that responsible parties are informed promptly to address the vulnerability.
Reference: GitHub Docs C About Dependabot alerts; Configuring notifications for Dependabot alerts

Question No : 14

A dependency has a known vulnerability.
What does the warning message include?

• A.The security impact of these changes
• B.An easily understandable visualization of dependency change
• C.How many projects use these components
• D.A brief description of the vulnerability

답을 확인하기

정답:
Explanation:
When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.
This helps developers understand the context and urgency of the vulnerability before applying the fix.
Reference: GitHub Docs C About Dependabot alerts; Reviewing and managing alerts

Question No : 15

What is the first step you should take to fix an alert in secret scanning?

• A.Archive the repository.
• B.Update your dependencies.
• C.Revoke the alert if the secret is still valid.
• D.Remove the secret in a commit to the main branch.

답을 확인하기

정답:
Explanation:
The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.
Simply deleting the secret from the code does not remove the risk if it hasn’t been revoked ― especially since it may already be exposed in commit history.
Reference: GitHub Docs C About secret scanning alerts; Remediating a secret scanning alert