GH-500 Exam Dumps - Microsoft GitHub Administrator Questions and Answers

Requesting a CVE ID for a security advisory in a GitHub repository requires Admin permissions. This level of access is necessary because it involves managing sensitive security information and coordinating with external entities to assign a CVE, which is a formal process that can impact the public perception and security posture of the project.​

The security-extended query suite includes additional CodeQL queries that detect lower severity issues than those in the default security-and-quality suite.

It’s often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.

The other options listed are paths to language packs, not query suites themselves.

When you identify that a code scanning alert is a false positive—such as when your code uses a custom sanitization method not recognized by the analysis—you should dismiss the alert with the reason "false positive." This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.​

As per GitHub's documentation:​

"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis."​

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.

To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.

This is a preventative measure during development, unlike Dependabot, which reacts after the fact.

If a secret is intentionally used in a test environment and poses no real-world security risk, you may close the alert with the reason "used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.

Just being in a test file isn't enough unless its purpose is purely for testing.

By default, users with Write, Maintain, or Admin permissions will receive notifications for new Dependabot alerts. However, Write permission is the minimum level needed to be automatically notified. Users with only Read access do not receive alerts unless added explicitly.

In a query suite (a .qls file), the **query** key is used to specify the paths to one or more .ql files that should be included in the suite.

Example:

- query: path/to/query.ql

qls is the file format.

qlpack is used for packaging queries, not in suite syntax.

The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.

It is specific to each repository and does not show org-wide or cross-repo summaries.

Secrets committed and then deleted are still accessible in the repository’s Git history. To locate them, navigate to the Commits tab. GitHub's secret scanning can detect secrets in both current and historical commits, which is why remediation should also include revoking the secret, not just removing it from the latest code.

When secret scanning is enabled on a private repository, GitHub performs a read-only analysis of the repository's contents. This includes the entire Git history and files to identify strings that match known secret patterns or custom-defined patterns.

GitHub does not alter the repository, and enabling secret scanning does not automatically enable code scanning or dependency review — each must be configured separately.