# GitHub Advanced Security Practice Test

### What is CodeQL? > https://codeql.github.com/ 1. [x] A code analysis tool 1. [ ] A programming language 1. [ ] A text editor 1. [ ] A version control system ### What does `shifting left` mean in the context of Security? > https://github.com/readme/guides/github-advanced-security-telus 1. [x] Adopting security practices early in the development cycle 1. [ ] Writing code in a language that is commonly used 1. [ ] Incorporating security practices right before hitting production 1. [ ] Writing code without worrying about security ### What are Repository Security Advisories? > https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories 1. [x] A private space where repository maintainers can discuss vulnerabilities and security issues within the codebase. 1. [ ] GitHub security experts that help GitHub Enterprise users with their security issues. 1. [ ] A list of security issues that are publicly available for anyone to see and stay away from. 1. [ ] It's a place to gather and publicly discuss security issues in the open source community. ### Which tool helps you keep the repository dependencies up to date? > https://docs.github.com/en/code-security/dependabot 1. [x] Dependabot 1. [ ] Security Advisories 1. [ ] CodeQL 1. [ ] GitHub Actions ### Which of the following is a curated list of security vulnerabilities found in open source projects? > https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database 1. [x] GitHub Advisory Database 1. [ ] CodeQL 1. [ ] Dependabot 1. [ ] GitHub Security Journal ### Which of these GitHub security features are available for FREE for both public and private personal repositories? (Choose four.) 
> https://docs.github.com/en/code-security/getting-started/github-security-features - [x] Security Policy - [x] Security advisories - [x] Dependabot alerts and security updates - [x] Dependabot version updates - [ ] Dependabot code scanning > Dependabot is not a tool for code scanning, it is a tool for dependency management - [ ] Dependabot secret scanning > Dependabot is not a tool for secret scanning, it is a tool for dependency management - [ ] Secret scanning > Secret scanning is available for public repositories and for organizations with a GitHub Advanced Security license. It's not available for personal private repositories. - [ ] Code scanning > Code scanning is available for public repositories and for organizations with a GitHub Advanced Security license. It's not available for personal private repositories. ### Which of these best describes secret scanning? > https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning 1. [x] Secret scanning scans your repository for secrets such as private keys or tokens. 1. [ ] Secret scanning scans your repository for potential code vulnerabilities that could expose secrets such as private keys or tokens. 1. [ ] Secret scanning is a tool for secure secret storage and management. 1. [ ] Secret scanning is a git hook that will scan your commits for secrets such as private keys or tokens before they are pushed to GitHub. ### Which parts of the repository are scanned by secret scanning? (Choose two.) 
> https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#about-secret-scanning - [x] Entire git history on all branches in the repository - [x] Titles, descriptions and comments in open and closed historical issues - [ ] GitHub Repository secrets > https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository - [ ] GitHub Environment secrets > https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment - [ ] Entire git history on all protected branches in the repository ### What's the purpose of the Secret scanning partner program? > https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partner-program 1. [x] Service Providers can partner with GitHub so that the format of their secrets can be recognized by GitHub secret scanning. 1. [ ] GitHub Partner program allows enterprises and organizations with GitHub Advanced Security license to use GitHub secret scanning to scan their repositories. 1. [ ] GitHub partners with external security companies to provide secret scanning for GitHub repositories. 1. [ ] It's a program where registered security professionals can in good faith report to GitHub any secrets they find in GitHub repositories and get paid rewards for it. ### Public repositories owned by personal users as well as public repositories owned by organizations can use secret scanning for free. > https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#about-secret-scanning 1. [x] True 1. [ ] False ### How can you prevent commits containing cloud provider credentials from being pushed to GitHub? > https://docs.github.com/en/code-security/secret-scanning/push-protection-for-repositories-and-organizations 1. [x] Enable a secret scanning push protection rule for your repository or organization. 1. [ ] Include a `.gitignore` file in your repository that will ignore files containing secrets. 
1. [ ] Create a GitHub Action that will scan your commits for secrets before they are pushed to GitHub. 1. [ ] Enable a branch protection rule for your repository. ### Which of these is true about the GitHub secret scanning partner program? (Choose three.) > https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partner-program - [x] It is a program where service providers can provide GitHub with the regex patterns of secrets that they issue so GitHub secret scanning can recognize them. - [x] When GitHub identifies a secret from a partnered service provider, it notifies the service provider about the leaked secret. - [x] The partner can take actions upon receiving notification from GitHub about a leaked secret, such as revoking the secret and informing the owner of the compromised secret. - [ ] It grants the partner access to the secret GitHub scanning API so that the service provider can scan GitHub repositories for secrets that match their format. > GitHub is always responsible for running the secret scanning, not the partner. - [ ] GitHub has the ability to automatically revoke leaked secrets and notify the service provider that they have been invalidated by GitHub. > GitHub does not participate in the revocation of leaked secrets; the service provider has the option to do so. ### How can you exclude certain directories or files from secret scanning? > https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users 1. [x] By creating a `secret_scanning.yml` file and including paths that should not be scanned 1. [ ] It's not possible to exclude specific files and/or directories from being scanned. Once you enable secret scanning for a repository, all files and directories will be scanned. 1. [ ] Include these files in the `.gitignore` file 1. 
[ ] By creating a `dependabot.yml` file and including paths which should not be scanned ### You have included some fake secrets in your test code and they have been picked up by GitHub's secret scanning. What can you do to tell GitHub that these are fake secrets used in tests and can be ignored by secret scanning? (Choose two.) > <br/> [Managing secret scanning alerts](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#managing-secret-scanning-alerts) > <br/> [Excluding directories from secret scanning alerts](https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users) - [x] By creating a `secret_scanning.yml` file within which you declare paths where fake secrets are located, so scans will omit them - [x] Close the Secret Scanning Alert with `Used in tests` close reason - [ ] In your test files, add a comment `#gh_ignore: fake secret` on the line where the fake secret is located. - [ ] By creating a `.github/codeql.yml` file within which you declare paths where fake secrets are located, so scans will omit them ### You have accidentally committed your GitHub personal access token to a public repository. What actions should you take to prevent your account from being compromised? > https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#securing-compromised-secrets 1. [x] Consider the token compromised and delete it immediately 1. [ ] Change the token's permissions to read-only 1. [ ] Overwrite the git history to mask the token 1. [ ] Check if this token is used in any of your applications, if so - delete it. ### What is the behavior when a new secret pattern is added or updated in the GitHub secret scanning partner program? > https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#accessing-secret-scanning-alerts 1. 
[x] GitHub will run a scan of all historical code content in public repositories with secret scanning enabled 1. [ ] GitHub will only scan for the new pattern in newly pushed commits in repositories with secret scanning enabled. If a secret of that pattern was already present in the repository, it will not be detected. 1. [ ] The GitHub partner has to deal with the historically leaked secrets and GitHub will only scan any new commits for the new pattern 1. [ ] GitHub will create an issue in all repositories with secret scanning enabled so the maintainers can check the repository for any secrets matching the new pattern ### Who will be notified when a NEW secret is pushed and detected in a repository? (Choose five.) > https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts#incremental-scans - [x] Repository Administrators - [x] Security Managers - [x] Users with custom roles with read/write access - [x] Organization owners and enterprise owners, but only if they are administrators of repositories where secrets were leaked - [x] Commit authors - [ ] Everyone with write access to the repository - [ ] All Organization owners and enterprise owners ### When GitHub runs a scan of all historical code in enterprise repositories what is the notification behavior? (Select two.) > https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts#historical-scans - [x] GitHub notifies the enterprise owners and security managers, even if no secrets are found. - [x] GitHub notifies Repository administrators, security managers, and users with custom roles with read/write access whenever a secret is detected in a repository. - [ ] GitHub notifies the enterprise owners and security managers, only if it detects exposed secrets. - [ ] GitHub notifies the commit authors of the commits that contain exposed secrets. 
### Does GitHub use the same set of secret scanning patterns for both user alerts and push protection alerts? > https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-patterns 1. [x] No, these are different sets of secret patterns 1. [ ] Yes, its the same set of secret patterns > There are three different sets of secret scanning patterns. They overlap but are not the same. ### What are the three different sets of secret scanning patterns that GitHub maintains? (Select three.) > https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-patterns - [x] Partner patterns - [x] User alert patterns - [x] Push protection patterns - [ ] Enterprise alert patterns - [ ] Open source alert patterns - [ ] Cloud provider patterns ### Multiple public repositories that you are contributing to do not have secret scanning push protection option enabled. What can you do to protect yourself from accidentally pushing secrets to these repositories? > https://docs.github.com/en/code-security/secret-scanning/push-protection-for-users#about-push-protection-for-users 1. [x] Enable `Push protection for yourself`, in your personal GitHub account settings 1. [ ] Download the GitHub push protection web plugin 1. [ ] It's not possible, push protection has to be enabled on any of repository, organization or enterprise level 1. [ ] Add the files containing secrets to `.gitignore` file in all of the repositories ### Your company has internal secrets that should not be pushed to GitHub repositories. The pattern of these secrets is not known by GitHub and therefore is not detected by secret scanning. What can companies do to protect their developers from accidentally pushing these secrets to repositories in their GitHub Organization? > https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization 1. 
[x] Define regex patterns for these secrets and enable custom patterns for secret scanning for the organization. 1. [ ] The company should join the GitHub partner program so the pattern of the companies secrets is recognized. > GitHub partner program is meant for service providers which distribute secrets outside of their organization (e.g cloud providers). It's not meant for internal secrets of a single organization. 1. [ ] Define custom GitHub Actions workflows for repositories in the organization that will scan for these secrets. 1. [ ] In all repositories include `secret_scanning.yml` file which will define these custom secrets that should be scanned for. > `secret_scanning.yml` file that can be used to disable secret scanning for specific files or directories. ### What information do Dependabot alerts provide? > https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts 1. [x] Dependabot alerts tell you that your repository uses a package that is insecure. 1. [ ] Dependabot alerts tell you that your repository is being used by other public repositories. 1. [ ] Dependabot alerts tell you that your repository uses an untested version of a package. 1. [ ] Dependabot alerts tell you that your repository uses an outdated version of a package > Dependabot does that with version updates, but not with alerts. ### What is the GitHub dependency graph? > https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph 1. [x] It is a representation of a repository's dependencies and dependents. 1. [ ] There is no such thing as the GitHub dependency graph. 1. [ ] It is a tool that automatically proposes version updates to dependencies in a repository. 1. [ ] It is a GitHub maintained list of known vulnerabilities in open source software packages. ### Is GitHub dependency graph available for free to all repositories? 
> https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependency-graph-availability 1. [x] Yes, it's available for free for all repositories. 1. [ ] No, it's available for free for public repositories only. Private repositories can use it if they have the GitHub Advanced Security license. ### How does GitHub Dependency graph know what dependencies your project is using? (Choose two.) > https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems - [x] GitHub derives dependencies automatically from manifests and lock files committed to the repository - [x] Dependencies can be manually added using the Dependency submission API - [ ] GitHub scans the repository code for import statements of external packages - [ ] It's required to add a GitHub Actions workflow that uses the official `actions/dependency-graph` GitHub Action to add dependencies to the graph whenever a new commit is pushed to the repository ### When will the GitHub Dependency graph for your repository be updated? (Choose two.) > https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-the-dependency-graph - [x] When anyone pushes a change to the repository of one of your dependencies. - [x] When you push a commit to the repository's default branch, only if that changes or adds a supported manifest/lockfile. - [ ] When you push any commit to the repository's default branch. - [ ] When your repository publishes a new release. - [ ] When your repository publishes a new git tag. - [ ] When the GitHub Actions workflow that uses the `actions/dependency-graph` GitHub Action is triggered. ### In what format can you export the GitHub Dependency graph of your repository? 
> https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository 1. [x] SPDX 1. [ ] YAML 1. [ ] JSON 1. [ ] XML 1. [ ] CSV ### Can your repository use Dependency Graph without using Dependabot Alerts? > https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#using-the-dependency-graph 1. [x] Yes 1. [ ] No > You can use Dependency Graph without using Dependabot Alerts. However you can't use Dependabot Alerts with Dependency Graph disabled. ### Which feature is a pre-requisite for using Dependabot Alerts on a repository? > https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#using-the-dependency-graph 1. [x] Dependency graph 1. [ ] Dependency review 1. [ ] Dependency security updates 1. [ ] Dependency version updates ### Which of these statements about Dependabot Alerts are true? (Choose three.) > https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts - [x] They partially rely on the GitHub Advisory Database - [x] To enable Dependabot Alerts you first need to have Dependency Graph enabled on your repository - [x] When GitHub identifies a vulnerable dependency, they generate a Dependabot alert and display it on the Security tab for the repository - [ ] Dependabot Alerts are enabled by default for all repositories - [ ] Dependabot Alerts are enabled by default for all public repositories - [ ] Dependabot alerts tell you that your repository uses an outdated version of a package ### What are the primary benefits of the Security Overview feature in GitHub? > https://docs.github.com/en/code-security/security-overview/about-security-overview 1. [x] Centralized view of security alerts and policy management in an organization 1. [ ] Automatic code review for every push 1. 
[ ] Real-time threat detection 1. [ ] Automated dependency updates ### What is CodeQL? > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-code-scanning-with-codeql 1. [x] A code analysis engine developed by GitHub 1. [ ] A new programming language for security analysis 1. [ ] A database used to store code scanning results 1. [ ] A third-party tool for static code analysis ### What do Dependabot alerts indicate in GitHub? > https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#about-dependabot-alerts 1. [x] The presence of a vulnerable dependency or malware in your repository 1. [ ] Outdated dependencies that need to be updated 1. [ ] Errors in dependency configuration files 1. [ ] Conflicts between different dependencies ### What is the purpose of code scanning in GitHub? > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning#about-code-scanning 1. [x] To identify vulnerabilities and errors in code 1. [ ] To check code formatting and style 1. [ ] To review pull requests automatically 1. [ ] To synchronize code with production servers ### Is secret scanning available for both public and private repositories on GitHub? > https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#about-secret-scanning 1. [x] Yes, but for private repositories, it requires a license for GitHub Advanced Security 1. [ ] Yes, with no additional requirements 1. [ ] No, it is only available for public repositories 1. [ ] No, it is only available for private repositories ### What does the default CodeQL analysis setup in GitHub do? > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-code-scanning-with-codeql 1. [x] Automatically chooses languages to analyze, query suite to run, and events that trigger scans 1. 
[ ] Manually requires users to specify languages and queries for each scan 1. [ ] Scans code only on a monthly basis 1. [ ] Requires separate installation of third-party scanning tools ### What is the main purpose of using the CodeQL CLI? > https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli#about-the-codeql-cli 1. [x] To generate a database representation of a codebase, a CodeQL database 1. [ ] To manage repository settings and permissions 1. [ ] To schedule regular maintenance tasks in a repository 1. [ ] To automatically merge pull requests ### Which of the following languages is NOT supported by CodeQL for code scanning? > https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/#languages-and-compilers 1. [x] PHP 1. [ ] JavaScript/TypeScript 1. [ ] C/C++ 1. [ ] Python ### How does CodeQL analyze code in GitHub? > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql 1. [x] It generates a CodeQL database and runs queries to identify problems, displaying results as code scanning alerts 1. [ ] It uses machine learning to predict potential vulnerabilities based on past commits 1. [ ] It performs manual code reviews submitted by GitHub community members 1. [ ] It relies solely on third-party tools for code analysis ### How can CodeQL be used in an external CI system together with GitHub repositories? > https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#about-using-code-scanning-with-your-existing-ci-system 1. [x] Run CodeQL CLI in the external CI system to scan code and upload the results to the GitHub repository 1. [ ] CodeQL cannot be used in external CI systems; it is exclusive to GitHub Actions 1. [ ] Upload source code to GitHub for analysis and then download results for use in the CI system 1. 
[ ] Manually run CodeQL locally and email the results to the GitHub repository administrators ### Which of these statements isn't true about secret scanning on GitHub? > https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning 1. [x] Secret scanning is a tool for secure secret storage and management. 1. [ ] Secret scanning will scan your entire Git history on all branches present in your GitHub repository for secrets. 1. [ ] Secret scanning will scan titles, descriptions, and comments, in open and closed historical issues for secrets. 1. [ ] Secret scanning can prevent supported secrets from being pushed into your enterprise, organization, or repository. ### Which top-level keys are required in the `dependabot.yml` file? > https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#about-the-dependabotyml-file 1. [x] `version` and `updates` 1. [ ] `version` and `package-ecosystem` 1. [ ] `assignees` and `directory` 1. [ ] `updates` and `directory` ### Which GitHub Action can be used to upload a third-party SARIF file? > https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions 1. [x] `github/codeql-action/upload-sarif` 1. [ ] `codeql-upload-sarif` 1. [ ] `github/codeql-action` 1. [ ] `actions/upload-sarif` ### Which tool can be used in a third-party CI system to upload code analysis results to GitHub? > https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#about-using-code-scanning-with-your-existing-ci-system 1. [x] CodeQL CLI 1. [ ] CodeQL API 1. [ ] GitHub Actions `github/codeql-action` 1. [ ] GitHub CLI ### What is required for a CI server to upload SARIF results to GitHub? 
> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#generating-a-token-for-authentication-with-github 1. [x] A GitHub App or personal access token with `security_events` write permission. 1. [ ] A direct connection to the GitHub Advisory Database. 1. [ ] Administrator access to the GitHub repository. 1. [ ] A special plugin installed in the CI system. ### What happens when a second SARIF results file is uploaded to GitHub for a single commit? > https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#uploading-your-results-to-github 1. [x] It replaces the original set of data. 1. [ ] It appends the results to the existing file. 1. [ ] It creates a new branch in the repository 1. [ ] It is ignored by GitHub. ### How can users exclude specific directories from secret scanning alerts on GitHub? > https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users 1. [x] By configuring a `secret_scanning.yml` file, under the `.github` path in the repository. 1. [ ] Through the repository's `Security` tab, in the `Secret scanning` menu. 1. [ ] Through the repository's `Settings` tab, in the `Code security and analysis` menu. 1. [ ] By editing the repository's `README.md` file. ### Which key should be used in a `secret_scanning.yml` file to exclude directories from secret scanning alerts in GitHub? > https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#excluding-directories-from-secret-scanning-alerts-for-users 1. [x] `paths-ignore:` 1. [ ] `paths-exclude:` 1. [ ] `ignore-directories` 1. [ ] `exclude-paths:` ### What is the maximum number of custom patterns that can be defined for secret scanning on GitHub? 
> https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#about-custom-patterns-for-secret-scanning 1. [x] 500 for organizations/enterprises and 100 for repositories. 1. [ ] 100 for organizations/enterprises and 500 for repositories. 1. [ ] 100 for organizations, enterprises and repositories. 1. [ ] There's no limit to the number of custom patterns you can define for secret scanning in GitHub. ### Fill in the blank: `GitHub __________ is a feature that you can use to analyze code in a GitHub repository to find security vulnerabilities and coding errors.` > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning 1. [x] Code Scanning 1. [ ] Dependency Graph 1. [ ] Security Advisories 1. [ ] Vulnerability Detection ### Which GitHub Advanced Security feature allows you to find, triage, and prioritize fixes for new and existing problems in your code? > https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning 1. [x] Code scanning 1. [ ] Dependabot alerts 1. [ ] Security policies 1. [ ] Security advisories ### How can you enable code scanning for a repository? > https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning 1. [x] Go to the security tab of the repository settings and enable code scanning with default or advanced setup. 1. [ ] Go to your user settings and enable code scanning, you can choose to enable it for all or only selected repositories. 1. [ ] Add a `.github/codeql.yml`configuration file to the repository. 1. [ ] Go to the security tab of the repository settings and answer a questionnaire about the repository contents. Based on the answers, GitHub will enable code scanning with the appropriate configuration. ### How can you configure your GitHub repository to run CodeQL analysis on a schedule? (Choose two.) 
> https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup

- [x] By creating a GitHub Actions workflow with a `schedule` trigger. The workflow should leverage actions from the `github/codeql-action` repository.
- [x] By using the default CodeQL analysis setup.
- [ ] By setting the `codeql.trigger` property in the repository settings to `schedule`.
- [ ] By adding a `schedule` property to the `.github/codeql.yml` configuration file.
- [ ] By raising a request with GitHub support to enable scheduled CodeQL analysis for the repository.

### An organization has recently started using CodeQL analysis for all pull requests on their repositories as well as running the analysis on an hourly schedule. Since then it has been seeing larger than usual GitHub Actions bills. What is the most likely cause of this?

> https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning#about-billing-for-code-scanning

1. [x] Code scanning uses GitHub Actions and the organization is being billed for the additional usage.
1. [ ] The code scanning analysis is finding more issues than expected and is taking longer to complete.
1. [ ] Code scanning can only be run on a daily schedule and the organization is being billed for the additional usage.
1. [ ] There is no correlation between code scanning and GitHub Actions billing. The organization is being billed for other GitHub Actions workflows.

### If you don't want to use GitHub Actions, you can run code scanning in an external CI system, then upload the results to GitHub.

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#about-using-code-scanning-with-your-existing-ci-system

1. [x] True
1. [ ] False

### When using a third party CI system to run code scanning, what GitHub tool do you need to analyze the codebase?

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system#about-using-code-scanning-with-your-existing-ci-system

1. [x] You don't specifically need a GitHub tool, any static analysis tool that can produce results in SARIF format will work.
1. [ ] You need to install the GitHub Code Scanning tool.
1. [ ] You need to install the CodeQL CLI.
1. [ ] You need to install the GitHub CLI.

### When using GitHub Actions as your CI system and a third party tool to run code scanning, how can you upload the SARIF results to GitHub?

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions

1. [x] By using the `github/codeql-action/upload-sarif` GitHub Action
1. [ ] When using GitHub Actions the SARIF results are automatically uploaded to GitHub.
1. [ ] You can only use CodeQL when running code scanning in GitHub Actions. Third party code scanning tools are not supported.
1. [ ] By using the `actions/upload-artifact` GitHub Action
   > That stores the file as a workflow artifact; it does not create code scanning alerts.

### Can you use CodeQL analysis with third party CI systems?

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system

1. [x] Yes, you just need to use the CodeQL CLI
1. [ ] No, because it requires using the `github/codeql-action` GitHub Action

### Which of these is true about code scanning? (Choose two.)

> https://docs.github.com/en/code-security/supply-chain-security/end-to-end-supply-chain/securing-code#scan-your-code-for-vulnerable-patterns

- [x] Code scanning helps find insecure code patterns which can be missed by manual code review.
- [x] Code scanning can be integrated into the CI pipeline to find security issues early in the development process.
- [ ] Code scanning is a replacement for manual code review.
- [ ] Code scanning helps find any leaked credentials in the codebase such as API keys or cloud credentials.
   > That is secret scanning
- [ ] Code scanning scans your code to search for all dependencies and their versions to find any vulnerable dependencies.
   > That is the dependency graph together with Dependabot alerts

### When using CodeQL analysis in your GitHub Actions workflow, how often is the scan triggered?

> https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning#about-code-scanning

1. [x] Code scanning can be triggered for many different events that happen in the repository.
1. [ ] Code scanning is triggered on every push to the repository.
1. [ ] Code scanning is triggered on a configurable schedule.
1. [ ] Code scanning can be triggered on a configurable schedule or on pull requests.
   > Both are valid triggers, but any event a GitHub Actions workflow can react to works, so this answer is too narrow.

### What is the effect of adding the `paths-ignore` keyword to your code scanning GitHub Actions workflow?

```yaml
# .github/workflows/codeql-analysis.yml
on:
  pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
```

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#avoiding-unnecessary-scans-of-pull-requests

1. [x] Avoiding unnecessary scans when files that are not relevant to the analysis are changed.
1. [ ] It tells CodeQL to omit all `*.txt` and `*.md` files from the analysis.
   > A `paths-ignore` filter on the `pull_request` trigger only decides whether the workflow run starts at all. To exclude files from the analysis itself, use `paths-ignore` in the CodeQL configuration file.
1. [ ] Preventing the CodeQL analysis from running on pull requests that change files with the specified extensions.
   > A pull request that changes a `.md` file together with source files still triggers the run; only pull requests that change nothing but ignored paths are skipped.
1. [ ] Pull request checks will ignore any CodeQL vulnerabilities that are found in `*.txt` and `*.md` files.

### CodeQL scanning supports:

> https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql

1. [x] Both compiled and interpreted languages
1. [ ] Only compiled languages
1. [ ] Only interpreted languages
1. [ ] All programming languages

### What are CodeQL queries used for?
> https://codeql.github.com/docs/writing-codeql-queries/about-codeql-queries/

1. [x] CodeQL queries can be run against a CodeQL database to identify patterns that may indicate coding errors or security vulnerabilities.
1. [ ] CodeQL queries analyze your codebase and are used to create a CodeQL database.
1. [ ] CodeQL queries are used for code review purposes in GitHub.
1. [ ] CodeQL queries are text-based questions you can ask the CodeQL engine about your codebase.

### What is QL?

> https://codeql.github.com/docs/ql-language-reference/about-the-ql-language/

1. [x] QL is the query language that underlies CodeQL
1. [ ] QL stands for Quality Level and is a metric used by CodeQL
1. [ ] QL is a similar product to CodeQL but is used for scanning text files instead of code
1. [ ] QL is an npm package that is used by CodeQL to scan code

### What is a CodeQL query suite?

> https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#about-codeql-query-suites

1. [x] A CodeQL query suite is a collection of CodeQL queries
1. [ ] A CodeQL query suite is a collection of CodeQL databases
1. [ ] A CodeQL query suite is a collection of CodeQL results
1. [ ] A CodeQL query suite is a collection of CodeQL supported languages

### What are the different types of CodeQL packs? (Choose three.)

> https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#about-codeql-packs

- [x] Query packs
- [x] Library packs
- [x] Model packs
- [ ] Code packs
- [ ] Language packs
- [ ] Vulnerability packs

### What is a CodeQL query pack?

> https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#about-codeql-packs

1. [x] It's a set of pre-compiled queries with all transitive dependencies such as libraries and models
1. [ ] It's a library used by CodeQL queries
   > That's a library pack
1. [ ] It's a collection of CodeQL queries
   > That's a CodeQL query suite
1. [ ] It's a set of results that were generated in the process of analyzing a CodeQL database

### What are the steps of the CodeQL analysis workflow?

> https://codeql.github.com/docs/codeql-overview/about-codeql/#codeql-analysis

1. [x] Creating a CodeQL database -> Running CodeQL queries -> Interpreting the results
1. [ ] Running CodeQL queries -> Creating a CodeQL database -> Interpreting the results
1. [ ] Running CodeQL queries -> Interpreting the results
1. [ ] Creating a CodeQL database -> Interpreting the results -> Running CodeQL queries

### What is extraction in the context of CodeQL code analysis?

> https://codeql.github.com/docs/codeql-overview/about-codeql/#database-creation

1. [x] Extraction is the process of creating a relational representation of each source file in the codebase.
1. [ ] Extraction is the action of running CodeQL queries against a CodeQL database and extracting the results.
1. [ ] Extraction is the process of creating CodeQL queries specific to the codebase.
1. [ ] Extraction is the process of exporting data from a CodeQL database.

### Which of these statements are true regarding running CodeQL analysis on codebases with multiple programming languages? (Choose two.)

> https://codeql.github.com/docs/codeql-overview/about-codeql/#database-creation

- [x] CodeQL uses a different extractor for each programming language
- [x] CodeQL creates separate databases for each programming language
- [ ] CodeQL creates one database for all programming languages in the codebase, as long as they are supported by CodeQL
- [ ] The CodeQL database schema is the same for each programming language

### What are the differences when running CodeQL database creation for compiled and interpreted languages? (Choose two.)

> https://codeql.github.com/docs/codeql-overview/about-codeql/#database-creation

- [x] For compiled languages, extraction works by monitoring the build process. All information is collected each time the compiler is invoked to process a source file.
- [x] For interpreted languages, the extractor runs directly on the source code.
- [ ] For interpreted languages, extraction works by monitoring the build process. All information is collected each time the interpreter is invoked to process a source file.
- [ ] For compiled languages, the extractor runs directly on the source code.
- [ ] For compiled languages, the extractor runs on the executable file.
- [ ] For interpreted languages, the extractor runs on the executable file.

### Where can you see when the last CodeQL analysis was run when using the default code scanning setup?

> https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning#evaluating-code-scanning-with-the-tool-status-page

1. [x] In the code scanning tool status page
1. [ ] In repository insights
1. [ ] In the Dependabot tab
1. [ ] You can't see that information with the default setup

### Which of the following statements about enabling the CodeQL scanning default setup are true? (Choose three.)

> https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

- [x] You can enable default setup for all eligible repositories in an organization at once in the organization settings
- [x] GitHub Actions needs to be enabled as a prerequisite
- [x] You can enable default setup on any repository, regardless of the contents of the repository
- [ ] You can only enable default setup on repositories that contain at least one CodeQL-supported language
   > If you enable default setup on a repository that does not include any CodeQL-supported languages, default setup will not run any scans
- [ ] Default setup will scan the repository on a schedule that you can configure. For event-based scanning, you need to configure a GitHub Actions workflow
   > Default setup includes scheduled scanning and pull request / push scanning on the default and protected branches
- [ ] You can only use the default query suite with the default CodeQL scanning setup
   > Default setup lets you choose between the default and the extended query suite

### How can you customize your advanced CodeQL scanning setup with additional CodeQL query suites? (Choose two.)

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning

- [x] By using a custom configuration file and defining additional queries there
- [x] By defining the customizations in the CodeQL analysis GitHub Actions workflow as input parameters to the `github/codeql-action/init` action
- [ ] By using the CodeQL CLI with a custom configuration file to run the analysis
- [ ] By defining the customizations in the Security / Code scanning repository settings
- [ ] By using the `github/codeql-customizations` GitHub Action

### When running CodeQL analysis in GitHub Actions, which actions should you use? (Choose three.)

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-the-codeql-analysis-workflow-and-compiled-languages

- [x] `github/codeql-action/init`
- [x] `github/codeql-action/analyze`
- [x] `github/codeql-action/autobuild`, only for compiled programming languages
- [ ] `github/codeql-action/autobuild`
- [ ] `github/codeql-action/init`, only for compiled programming languages
- [ ] `github/codeql-action/analyze`, only for interpreted programming languages

### What is the simplest method to execute CodeQL analysis concurrently for each language in a multi-language repository using GitHub Actions?

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed

1. [x] By creating a `languages` matrix for the job and then referencing it in the `github/codeql-action/init` action's `languages` input parameter
1. [ ] By calling the `github/codeql-action/analyze` action in separate steps for each language
1. [ ] By creating a separate workflow for each language
1. [ ] By defining the parallelism in the `github/codeql-action/analyze` action

### How can you use a custom CodeQL configuration file in a GitHub Actions workflow?

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file

1. [x] By explicitly providing the configuration file path in the `config-file` input parameter of the `github/codeql-action/init` action
1. [ ] By storing the configuration in the `.github/codeql/config-config.yml` file. The `github/codeql-action/init` action will automatically detect the file and use it
1. [ ] By uploading that file in the Code Scanning section of the Security tab in the repository
1. [ ] By storing the configuration in the `.github/workflows/codeql-analysis.yml` file. The `github/codeql-action/init` action will automatically detect the file and use it

### Where can you specify the CodeQL queries to run in a GitHub Actions workflow? (Choose two.)

> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#running-additional-queries

- [x] In the `queries` input parameter of the `github/codeql-action/init` action
- [x] In a CodeQL configuration YAML file
- [ ] In the `paths` input parameter of the `github/codeql-action/queries` action
- [ ] In the Code Scanning section of the Security tab in the repository
- [ ] In the `codeql` field of the `.github/settings.yml` file

### What is the purpose of the `external-repository-token` parameter of the `github/codeql-action/init` GitHub Action?
> https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs

1. [x] It allows the action to access a private GitHub repository that contains configuration files, queries or packs that are required for the analysis.
1. [ ] It allows the action to upload the results of the analysis to a private GitHub repository.
1. [ ] It allows the action to access a private GitHub repository that contains the source code to be analyzed.
1. [ ] It allows the action to upload the generated CodeQL database to a private GitHub repository.

### What CodeQL CLI command is used to create a CodeQL database?

> https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#running-codeql-database-create

1. [x] `codeql database create`
1. [ ] `gh codeql-database create`
1. [ ] `ql database generate`
1. [ ] `qlcli database create`

### What is the purpose of the `codeql database analyze` command in the CodeQL CLI?

> https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze

1. [x] Analyzing a CodeQL database, producing results usually in the form of a SARIF file.
1. [ ] Analyzing a CodeQL database, producing results usually in the form of security advisories.
1. [ ] Analyzing the source code, producing a CodeQL database.
1. [ ] Analyzing a CodeQL database and uploading the results to GitHub.
   > The results are not uploaded to GitHub; a separate command (`codeql github upload-results`) is used for that.

### As part of your Jenkins CI pipeline you've successfully created and then analyzed a CodeQL database, producing a SARIF file. How can you upload the SARIF file to GitHub? (Choose two.)

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#about-sarif-file-uploads-for-code-scanning

- [x] Using the `codeql github upload-results` command from the CodeQL CLI
- [x] Using the GitHub REST API `POST /repos/{owner}/{repo}/code-scanning/sarifs` endpoint
   > The endpoint expects the SARIF file gzip-compressed and base64-encoded in the `sarif` field, together with the `commit_sha` and `ref` the results belong to.
- [ ] Using the `gh codeql upload-results` command from the GitHub CLI
- [ ] By committing the SARIF file to the GitHub repository
- [ ] Using the `github/codeql-action/upload-sarif` GitHub Action
   > You can't use GitHub Actions in Jenkins pipelines.

### What details can you find on a code scanning alert page? (Choose three.)

> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details

- [x] Branches affected by the vulnerability
- [x] Highlighted vulnerable code
- [x] Severity of the vulnerability
- [ ] Information on how many times the vulnerability has been exploited
- [ ] The developer assigned to fix the vulnerability
- [ ] ID of the CodeQL database that was used to find the vulnerability

### Which of these statements regarding viewing the results of a CodeQL analysis are true? (Choose two.)

> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository

- [x] You need write permission to view a summary of all the alerts for a repository in the Security tab.
- [x] Anyone with read permission for a repository can see code scanning annotations on pull requests.
- [ ] You need write permission to view code scanning annotations on pull requests.
- [ ] Anyone with read permission for a repository can view code scanning alerts in the Security tab.
- [ ] Only the repository owner can see the code scanning alerts in the Security tab.
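The advanced-setup questions above (schedule trigger, `paths-ignore`, the `languages` matrix, `config-file`, `autobuild` only for compiled languages, the SARIF `category`) all describe pieces of one workflow. The following is an added example written for this page, not the project's own code or a GitHub template: a workflow and the configuration file it references. The branch name, the two languages, the cron expression, the config-file path and the commented-out secret name are assumptions for illustration.

```yaml
# .github/workflows/codeql.yml
# Added example (not from the original page). Branch, languages, schedule and
# the config-file path are assumptions; adjust them to the repository.
name: "CodeQL"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
    # Skip the run for PRs that only touch docs. This decides whether the
    # workflow starts at all; it does not change what CodeQL analyzes.
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  schedule:
    # Full scan of the default branch every Monday at 03:30 UTC (cron syntax).
    - cron: '30 3 * * 1'

permissions:
  contents: read          # actions/checkout
  security-events: write  # upload the SARIF results to code scanning
  actions: read           # required by the action on private repositories

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # One job per language, run in parallel; CodeQL builds a separate
        # database per language in any case.
        language: ['java', 'javascript']

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Query selection and path exclusions live in the config file below.
          config-file: ./.github/codeql/codeql-config.yml
          # Only needed when the config file or custom queries live in a
          # private repository (assumed secret name):
          # external-repository-token: ${{ secrets.CODEQL_CONFIG_TOKEN }}

      # Compiled languages need a build so the extractor can observe the
      # compiler; interpreted languages are extracted straight from the source.
      - name: Autobuild
        if: matrix.language == 'java'
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct SARIF category per language so the two uploads for the
          # same commit do not overwrite each other.
          category: "/language:${{ matrix.language }}"

---
# .github/codeql/codeql-config.yml (the file referenced by config-file above)
name: "Custom CodeQL config"
# The default queries stay enabled; add the broader suite on top of them.
queries:
  - uses: security-and-quality
# Exclude paths from the analysis itself (this is the paths-ignore that
# actually removes files from the scan, unlike the one in the workflow).
paths-ignore:
  - 'node_modules'
  - 'vendor'
  - '**/*.test.js'
# Drop one noisy quality rule without giving up the whole suite.
query-filters:
  - exclude:
      id: js/unused-local-variable
```

Two checks before relying on this: if the CodeQL job is a required status check, a pull request that only touches ignored paths never starts the workflow, so the check stays pending and the merge is blocked; either drop the filter or configure the required check accordingly. And the `queries` input of `init` replaces what the config file lists unless the value is prefixed with `+`, which is why this example keeps query selection in one place.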
### When a CodeQL analysis GitHub Actions workflow detects a new vulnerability on a pull request, where can you find the information about that vulnerability?

> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-results-on-pull-requests

1. [x] Directly in the pull request, in the form of a PR comment and a check failure
1. [ ] In the Security tab of the repository
1. [ ] In the workflow run logs
1. [ ] The CodeQL analysis workflow will fail and produce an artifact with the results

### When viewing a code scanning alert, what is the `Show paths` option used for?

> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository

1. [x] It will display the path through the code that leads to the issue causing the alert.
1. [ ] It's used for showing the paths to the CodeQL queries that were used to find the vulnerability
1. [ ] It will show recommendations on how to fix the vulnerability
1. [ ] It's used for showing the file path to the CodeQL database that was used to find the vulnerability

### What does it mean to dismiss a code scanning alert?

> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#dismissing--alerts

1. [x] Closing an alert that you don't think needs to be fixed
1. [ ] Closing the alert after fixing the vulnerability in the code
   > An alert that a later analysis no longer finds is closed automatically as fixed; dismissing is a manual decision recorded with a reason (false positive, won't fix, used in tests).

### Which of these is NOT a valid approach one can take to reduce the time it takes for the CodeQL analysis workflow to complete?

> https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long

1. [x] Run the analysis on every push event
1. [ ] Use runners with more CPU/RAM resources
1. [ ] Parallelize the analysis for multi-language codebases
1. [ ] Ignore irrelevant files and directories from the analysis
1. [ ] Reduce the number of queries that are run

### What is the purpose of defining a SARIF category?

> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit

1. [x] Use the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code.
1. [ ] Use the category to distinguish files that have been analyzed from files that have not been analyzed.
1. [ ] Use the category to distinguish files that contain vulnerabilities from files that do not contain vulnerabilities.
1. [ ] Use a different category for each file that has been analyzed to easily track back the vulnerabilities to the files that contain them.

### How can you enable GitHub Advanced Security features on GitHub Enterprise Server? (Choose two.)

> https://docs.github.com/en/[email protected]/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise

- [x] In the Security tab of the Management Console
- [x] By connecting directly to the GitHub Enterprise Server instance through SSH and using the administrative shell `ghe-config` commands.
- [ ] By requesting an upgrade from GitHub Support
- [ ] By setting the `github.advanced_security.enabled` configuration option to `true` in the `config.yml` file in the `/etc/github` directory on the GitHub Enterprise Server instance.
- [ ] By setting the `github.advanced_security.enabled` configuration option to `true` in the `config.yml` file in the `.github` repository.

### How can you enable GitHub Advanced Security features for all repositories in an organization in GitHub Enterprise Cloud?
> https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

1. [x] In the `Code security and analysis` section of the organization settings
1. [ ] By connecting directly to the GitHub Enterprise Cloud instance through SSH and using the administrative shell `ghe-config` commands.
   > That is an option for GitHub Enterprise Server; there is no administrative shell for GitHub Enterprise Cloud.
1. [ ] By requesting an upgrade from GitHub Support
1. [ ] In the Site admin page of your enterprise account

### As a repository maintainer, where should you put instructions on how to report a security vulnerability in your codebase?

> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies

1. [x] In the `SECURITY.md` file
1. [ ] In the `CONTRIBUTING.md` file
1. [ ] In the `README.md` file
1. [ ] In the `CODE_OF_CONDUCT.md` file

### What is a GitHub security policy?

> https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies

1. [x] It's a document that instructs users on how to responsibly report security vulnerabilities in a project. It's typically defined in a `SECURITY.md` file in a repository.
1. [ ] It's a tool for automatically fixing security vulnerabilities in your code.
1. [ ] It's a feature that allows you to encrypt your repository.
1. [ ] A GitHub security policy is a subscription service that provides antivirus protection for your projects.

### How can you set a default security policy for all repositories in the `my-org` GitHub organization?

> https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types

1. [x] By creating a `SECURITY.md` file in the `my-org/.github` repository
1. [ ] By editing the security policy in the organization's `Code security and analysis` settings
1. [ ] Default security policies can only be set by GitHub support
1. [ ] By adding a `SECURITY.md` file to each individual repository in `my-org`
   > That gives every repository its own policy rather than an organization default; a repository's own `SECURITY.md` takes precedence over the default one.

### Which API endpoint can be used to retrieve a list of all Dependabot alerts for an enterprise?

> https://docs.github.com/en/rest/dependabot/alerts?apiVersion=2022-11-28#list-dependabot-alerts-for-an-enterprise

1. [x] `GET /enterprises/{enterprise}/dependabot/alerts`
1. [ ] `GET /orgs/{org}/dependabot/alerts`
   > That is the correct endpoint for an organization, but not for an enterprise
1. [ ] `GET /repos/{owner}/{repo}/dependabot/alerts`
   > That is the correct endpoint for a repository, but not for an enterprise
1. [ ] `GET /github/{enterprise}/dependabot/alerts`

### Which API endpoint can be used to retrieve a list of all secret scanning alerts for an organization?

> https://docs.github.com/en/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28#list-secret-scanning-alerts-for-an-organization

1. [x] `GET /orgs/{org}/secret-scanning/alerts`
1. [ ] `GET /enterprises/{enterprise}/secret-scanning/alerts`
   > That is the correct endpoint for an enterprise, but not for an organization
1. [ ] `GET /repos/{owner}/{repo}/secret-scanning/alerts`
   > That is the correct endpoint for a repository, but not for an organization
1. [ ] `GET /github/{org}/secret-scanning/alerts`

### Which API endpoint can be used to retrieve a list of all code scanning alerts for a repository?

> https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#list-code-scanning-alerts-for-a-repository

1. [x] `GET /repos/{owner}/{repo}/code-scanning/alerts`
1. [ ] `GET /orgs/{org}/{repo}/code-scanning/alerts`
1. [ ] `GET /{enterprise}/{org}/{repo}/code-scanning/alerts`
1. [ ] `GET /github/{repo}/code-scanning/alerts`

### Which of these statements best defines a vulnerable dependency?

> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

1. [x] A vulnerable dependency is a dependency that a project relies on, which contains security flaws that could potentially be exploited, compromising the project's security.
1. [ ] A vulnerable dependency is a dependency that a project relies on, which has not been updated in a long time.
1. [ ] A vulnerable dependency is a dependency that a project relies on, which is not widely used or popular.
1. [ ] A vulnerable dependency is a dependency that a project relies on, which is not verified by GitHub.

### What are Dependabot security updates?

> https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

1. [x] It's a Dependabot feature that automatically creates pull requests to update vulnerable dependencies in your repository.
1. [ ] It's a Dependabot feature that creates a list of vulnerable dependencies in your repository.
1. [ ] It's a Dependabot feature that creates alerts when a security vulnerability is detected in one of your dependencies.
   > That's Dependabot alerts; Dependabot security updates are based on Dependabot alerts.
1. [ ] It's a Dependabot feature that automatically creates pull requests to update dependencies in your repository when they release a new version.
   > That's Dependabot version updates

### Dependabot alerts are enabled by default on:

> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#configuration-of-dependabot-alerts

1. [x] Dependabot alerts are not enabled by default on any repositories.
1. [ ] Only public repositories.
   > GitHub detects vulnerable dependencies in public repositories and displays the dependency graph, but does not generate Dependabot alerts by default.
1. [ ] All repositories.
1. [ ] Only private repositories.
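The Jenkins question and the SARIF category question above describe the same external-CI sequence: build a CodeQL database with the CLI, analyze it into a SARIF file tagged with a category, and push the file to GitHub without using GitHub Actions. The following is an added example written for this page, not the project's own code, expressed for a YAML-based external CI (GitLab CI syntax is assumed; a Jenkinsfile would run the same three commands). Assumptions: the CI system exposes `CI_COMMIT_SHA` and `CI_COMMIT_REF_NAME`, a masked variable `GITHUB_TOKEN` holds a GitHub token allowed to write security events for the target repository, and the pinned bundle version, image and repository name are placeholders.

```yaml
# .gitlab-ci.yml
# Added example (not from the original page). GitLab CI syntax assumed; the
# image, bundle version, repository name and CI variables are assumptions.
stages: [analyze]

codeql-java:
  stage: analyze
  image: eclipse-temurin:17            # assumption: a JDK image for a Maven build
  variables:
    CODEQL_BUNDLE: "v2.17.0"           # assumption: pin the bundle release you tested
    GH_REPO: "my-org/my-app"           # assumption: GitHub repository receiving the alerts
  before_script:
    # The bundle ships the CLI together with the standard query packs.
    - curl -sSL -o codeql-bundle.tar.gz "https://github.com/github/codeql-action/releases/download/codeql-bundle-${CODEQL_BUNDLE}/codeql-bundle-linux64.tar.gz"
    - tar -xzf codeql-bundle.tar.gz
    - export PATH="$PWD/codeql:$PATH"
  script:
    # 1. Database creation. Java is compiled, so the extractor traces the build
    #    command; for an interpreted language --command is omitted.
    - codeql database create db-java --language=java --source-root=. --overwrite --command="mvn -B -DskipTests package"
    # 2. Analysis to SARIF. The category marks this upload as the Java analysis
    #    of the commit, so a JavaScript upload for the same commit does not replace it.
    - codeql database analyze db-java codeql/java-queries:codeql-suites/java-security-extended.qls --format=sarif-latest --sarif-category="/language:java" --output=results-java.sarif
    # 3. Upload. The token is read from stdin rather than passed as an argument,
    #    so it does not appear in process listings or job logs.
    - echo "$GITHUB_TOKEN" | codeql github upload-results --repository="$GH_REPO" --ref="refs/heads/${CI_COMMIT_REF_NAME}" --commit="$CI_COMMIT_SHA" --sarif=results-java.sarif --github-auth-stdin
  artifacts:
    when: always
    paths: [results-java.sarif]
```

The `--ref` value must be a ref GitHub knows about: `refs/heads/<branch>` puts the results in the Security tab for that branch; to have them annotate a GitHub pull request instead, upload against `refs/pull/<number>/merge` (or `/head`) with the corresponding commit SHA. The same SARIF file could be sent to `POST /repos/{owner}/{repo}/code-scanning/sarifs` directly, gzip-compressed and base64-encoded, which is what the CLI does for you here.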
### Who can enable Dependabot alerts on a repository?

> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#configuration-of-dependabot-alerts

1. [x] Repository owners and people with admin access
1. [ ] Only the repository owner
1. [ ] Dependabot alerts are enabled on all repositories by GitHub and can't be disabled or enabled by any individual.
1. [ ] Dependabot alerts are enabled by adding a GitHub Action to the repository, so anyone with write access to the repository can enable them.

### What's the lowest access level needed to see Dependabot alerts in a repository within an organization?

> https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#access-requirements-for-security-features

1. [x] Write
1. [ ] Read
1. [ ] Maintain
1. [ ] Triage
1. [ ] Admin

### To enable Dependabot alerts on all repositories in an organization you should:

> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#enabling-or-disabling-dependabot-alerts-for-all-existing-repositories

1. [x] Go to the organization's `Code security and analysis` settings and enable Dependabot alerts for all repositories at once.
1. [ ] Make all repositories in the organization private.
1. [ ] On all repositories in the organization, run the `actions/enable-ghas` GitHub Action with the `alerts` parameter set to `true`.
1. [ ] Create a script that will enable Dependabot alerts on all repositories in the organization.

### Which of these is a valid `dependabot.yml` configuration file?

> https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

1. [x]
   ```yaml
   version: 2
   updates:
     - package-ecosystem: "npm"
       directory: "/"
       schedule:
         interval: "daily"
   ```
1. [ ]
   ```yaml
   version: 2
   config:
     - directory: "/"
       schedule:
         interval: "daily"
   ```
   > `config` is not a valid top-level key (it must be `updates`) and the required `package-ecosystem` is missing
1. [ ]
   ```yaml
   version: 2
   updates:
     - package-ecosystem: "npm"
       directory: "/"
       schedule:
         interval: "everyday"
   ```
   > `everyday` is not an accepted `interval` value; use `daily`, `weekly` or `monthly`
1. [ ]
   ```yaml
   version: 2
   config:
     - package-ecosystem: "npm"
       directory: "/"
       schedule:
         interval: "daily"
   ```
   > `config` is not a valid top-level key (it must be `updates`)

### Which of these is not a GitHub supported channel for receiving Dependabot alerts?

> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-notifications-for-dependabot-alerts#configuring-notifications-for-dependabot-alerts

1. [x] SMS/Call
1. [ ] github.com notification inbox
1. [ ] GitHub Mobile
1. [ ] GitHub CLI
   > The docs list this channel as "Command line": warnings are displayed as callbacks when you push to repositories with any insecure dependencies
1. [ ] Email

### What are Dependabot auto-triage rules?

> https://docs.github.com/en/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules

1. [x] It's a feature that allows Dependabot to automatically dismiss Dependabot alerts that match certain criteria.
1. [ ] Auto-triage rules are defined in the `dependabot.yml` configuration file to specify which package managers should be used to scan your project for vulnerabilities.
1. [ ] Dependabot auto-triage rules are used for automatically deleting old dependencies in your project.
1. [ ] Auto-triage rules define how often Dependabot should scan your project for vulnerabilities.

### How can you automate dismissing low severity Dependabot alerts?

> https://docs.github.com/en/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules

1. [x] By using Dependabot's auto-triage rules.
1. [ ] By setting the `severity` field in the `dependabot.yml` file to `high`
1. [ ] By removing all dependencies that cause low severity alerts
1. [ ] By setting the `dismiss-severity` field in the `dependabot.yml` file to `low`
   > Auto-triage rules are configured in the repository or organization settings, not in `dependabot.yml`, which only controls version updates.

### To enable Dependabot security updates on all repositories in an organization you should:

> https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

1. [x] Go to the organization's `Code security and analysis` settings and enable Dependabot security updates for all repositories at once.
1. [ ] Make all repositories in the organization private.
1. [ ] Run the `actions/enable-ghas` GitHub Action with the `security-updates` parameter set to `true` on all repositories in the organization.
1. [ ] Create a script that will enable Dependabot security updates on all repositories in the organization.

### The tool that checks if a pull request introduces any dependencies with security vulnerabilities is called:

> https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review

1. [x] Dependency Review
1. [ ] Dependabot alerts
1. [ ] Dependabot security updates
1. [ ] Dependabot version updates

### You need GitHub Actions enabled for:

> https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-dependabot-version-updates

1. [x] Dependency Review
1. [ ] Dependabot security updates
1. [ ] Dependabot version updates
1. [ ] All of these
   > GitHub Actions is not required for Dependabot version updates and Dependabot security updates to run on GitHub. However, pull requests opened by Dependabot can trigger workflows that run actions.
1. [ ] None of these
   > Dependency review uses the `actions/dependency-review-action` GitHub Action

### What does `CVSS` stand for?
> https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels

1. [x] `Common Vulnerability Scoring System`
1. [ ] `Code Verification Security System`
1. [ ] `Critical Vulnerability Scanning Service`
1. [ ] `Cybersecurity Validation Scoring Scheme`

### What does `CVE` stand for?

> https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers

1. [x] `Common Vulnerabilities and Exposures`
1. [ ] `Common Virus Elimination`
1. [ ] `Cybersecurity Verification Entity`
1. [ ] `Code Validation and Enumeration`

### What does `CWE` stand for?

> https://cwe.mitre.org/

1. [x] `Common Weakness Enumeration`
1. [ ] `Cybersecurity Weakness Enumeration`
1. [ ] `Code Wrapping Engine`
1. [ ] `Critical Web Elements`

### Which Dependabot comment command will merge a pull request once its CI checks pass?

> https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands

1. [ ] `@dependabot close`
1. [x] `@dependabot merge`
1. [ ] `@dependabot cancel merge`
1. [ ] `@dependabot rebase`

### Jobs that run on GitHub-hosted macOS runners consume minutes at __ the rate of Linux runners

> https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions#minute-multipliers

1. [ ] the same
1. [ ] 2x
1. [ ] 5x
1. [x] 10x
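The Dependabot and Dependency Review questions above cover the two sides of keeping dependencies in check: `dependabot.yml` drives version updates on a schedule, and the `actions/dependency-review-action` workflow blocks a pull request that adds a vulnerable dependency. The following is an added example written for this page, not the project's own configuration; it goes beyond the minimal `dependabot.yml` in the question by grouping non-breaking bumps and covering the repository's own workflow files. The timezone, the held-back dependency, the reviewer team, the severity threshold and the denied licenses are assumptions.

```yaml
# .github/dependabot.yml
# Added example (not from the original page). Timezone, ignored dependency and
# reviewer team are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Warsaw"      # assumption
    open-pull-requests-limit: 10
    groups:
      # One PR for all minor and patch bumps; majors still get their own PR.
      minor-and-patch:
        update-types: ["minor", "patch"]
    ignore:
      # Hold back a major bump until the code is ready for it (assumed package).
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
    labels: ["dependencies", "npm"]
    reviewers: ["my-org/appsec"]     # assumption

  - package-ecosystem: "github-actions"
    # "/" makes Dependabot check the action versions in .github/workflows.
    directory: "/"
    schedule:
      interval: "weekly"

---
# .github/workflows/dependency-review.yml
# Runs on every pull request and fails when the diff introduces a dependency
# with a known vulnerability at or above the threshold, or a denied license.
name: Dependency review
on: [pull_request]
permissions:
  contents: read
  pull-requests: write   # only needed for comment-summary-in-pr
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high              # fails on high and critical (assumption)
          deny-licenses: GPL-3.0, AGPL-3.0    # assumption: your license policy
          comment-summary-in-pr: always
```

Dependency review needs the dependency graph enabled on the repository, and it only sees what the graph can parse from manifests and lock files; a dependency vendored as source is not covered. Dependabot security updates, by contrast, need no workflow at all and open their pull requests from Dependabot alerts.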

Found this practice test useful?

Leave a ⭐ on the repository and consider giving back to the community by:

  • contributing one or more mock exam questions (takes minutes)