
Here are sample GitHub Advanced Security (GHAS, GitHub-Advanced-Security) exam questions from the real exam.

Page 1 / 15, 75 questions total
Question 1

-- [Configure and Use Dependency Management]

You are a maintainer of a repository and Dependabot notifies you of a vulnerability. Where could the vulnerability have been disclosed? (Each answer presents part of the solution. Choose two.)


Correct: A, C

Comprehensive and Detailed Explanation:

Dependabot alerts are generated based on data from various sources:

National Vulnerability Database (NVD): A comprehensive repository of known vulnerabilities, which GitHub integrates into its advisory database.


Security Advisories Reported on GitHub: GitHub allows maintainers and security researchers to report and discuss vulnerabilities, which are then included in the advisory database.

The dependency graph and manifest/lock files are tools used by GitHub to determine which dependencies are present in a repository but are not sources of vulnerability disclosures themselves.

Question 2

-- [Configure and Use Dependency Management]

Which of the following formats are used to describe a Dependabot alert? (Each answer presents a complete solution. Choose two.)


Correct: A, C

Dependabot alerts utilize standardized identifiers to describe vulnerabilities:

CVE (Common Vulnerabilities and Exposures): A widely recognized identifier for publicly known cybersecurity vulnerabilities.

CWE (Common Weakness Enumeration): A category system for types of software weaknesses that underlie vulnerabilities.

These identifiers help developers understand the nature of the vulnerabilities and facilitate the search for more information or remediation strategies.

Question 3

-- [Assessing Code Scanning Alerts]

You are managing code scanning alerts for your repository. You receive an alert highlighting a problem with data flow. What do you click for additional context on the alert?


Correct: A

When dealing with a data flow issue in a code scanning alert, clicking on 'Show paths' provides a detailed view of the data's journey through the code. This includes the source of the data, the path it takes, and where it ends up (the sink). This information is crucial for understanding how untrusted data might reach sensitive parts of your application and helps in identifying where to implement proper validation or sanitization.

Question 4

-- [Configure and Use Dependency Management]

In a private repository, what minimum requirements does GitHub need to generate a dependency graph? (Each answer presents part of the solution. Choose two.)


Correct: B, D

Comprehensive and Detailed Explanation:

To generate a dependency graph for a private repository, GitHub requires:

Dependency graph enabled: The repository must have the dependency graph feature enabled. This can be configured at the organization level to apply to all new private repositories.

Access to manifest and lock files: GitHub needs read-only access to the repository's dependency manifest and lock files (e.g., package.json, requirements.txt) to identify and map dependencies.

Question 5

-- [Use Code Scanning with CodeQL]

Where can you view code scanning results from CodeQL analysis?


Correct: A

All results from CodeQL analysis appear under the repository's code scanning alerts tab. This section is part of the Security tab and provides a list of all current, fixed, and dismissed alerts found by CodeQL.

A CodeQL database is used internally during scanning but does not display results. Query packs contain rules, not results. Security advisories are for published vulnerabilities, not per-repo findings.
