Microsoft GH-500 - GitHub Advanced Security Certification Exam
Question #1 (Topic: demo questions)
As a repository owner, you want to receive specific notifications, including security alerts, for an
individual repository. Which repository notification setting should you use?
Correct Answer: D
Explanation:
This setting is configurable per repository and allows users to stay aware of critical issues while
This setting is configurable per repository and allows users to stay aware of critical issues while
minimizing notification noise.
Page 6
Using the Custom setting allows you to subscribe to specific event types, such as Dependabot alerts
or vulnerability notifications, without being overwhelmed by all repository activity. This is essential
for repository maintainers who need fine-grained control over what kinds of events trigger
noti ficati ons.
Question #2 (Topic: demo questions)
What is a security policy?
Correct Answer: C
Explanation:
A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory.
A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory.
This file informs contributors and security researchers about how to responsibly report
vulnerabilities. It improves your project’s transparency and ensures timely communication and
mitigation of any reported issues.A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory.
This file informs contributors and security researchers about how to responsibly report
vulnerabilities. It improves your project’s transparency and ensures timely communication and
mitigation of any reported issues.A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory.
This file informs contributors and security researchers about how to responsibly report
vulnerabilities. It improves your project’s transparency and ensures timely communication and
mitigation of any reported issues.
Question #3 (Topic: demo questions)
Which of the following is the most complete method for Dependabot to find vulnerabilities in thirdparty
dependencies?
Correct Answer: C
Explanation:
Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your
This method provides a comprehensive and automated way to discover all known vulnerabilities
Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your
repository. This graph includes both direct and transitive dependencies. It then compares this graph
against the GitHub Advisory Database, which includes curated, security-reviewed advisories.
This method provides a comprehensive and automated way to discover all known vulnerabilities
across your dependency tree.
Question #4 (Topic: demo questions)
When does Dependabot alert you of a vulnerability in your software development process?
Correct Answer: B
Explanation:
Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your
Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your
dependencies. GitHub does this by analyzing your repository’s dependency graph and matching it
against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system
raises an alert automatically without waiting for a PR or manual action.
This allows organizations to proactively mitigate vulnerabilities as early as possible, based on realtime
detection.
Question #5 (Topic: demo questions)
After investigating a code scanning alert related to injection, you determine that the input is properly
sanitized using custom logic. What should be your next step?
Correct Answer: D
Explanation:
When you identify that a code scanning alert is a false positive—such as when your code uses a