
[Nov 03, 2025] GH-500 Exam Dumps 100% Same Q&A In Your Real Exam
GH-500 Test Engine Dumps Training With 77 Questions
NEW QUESTION # 36
Which details do you have to provide to create a custom pattern for secret scanning? (Each answer presents part of the solution. Choose two.)
- A. Additional match requirements for the secret format
- B. A list of repositories to scan
- C. The secret format
- D. The name of the pattern
Answer: C,D
Explanation:
When defining a custom pattern for secret scanning, two key fields are required:
Name of the pattern: A unique label to identify the pattern
Secret format: A regular expression that defines what the secret looks like (e.g., token format) You can optionally specify additional match requirements (like required context keywords), but they're not mandatory. Listing repositories is also not part of the required fields during pattern creation.
NEW QUESTION # 37
Which of the following is the best way to prevent developers from adding secrets to the repository?
- A. Make the repository public
- B. Create a CODEOWNERS file
- C. Enable push protection
- D. Configure a security manager
Answer: C
Explanation:
The best proactive control is push protection. It scans for secrets during a git push and blocks the commit before it enters the repository.
Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.
Making a repo public would increase the risk, not reduce it.
NEW QUESTION # 38
Which patterns are secret scanning validity checks available to?
- A. Partner patterns
- B. High entropy strings
- C. Push protection patterns
- D. Custom patterns
Answer: A
Explanation:
Validity checks - where GitHub verifies if a secret is still active - are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.
Custom patterns and high entropy patterns do not support automated validity checks.
NEW QUESTION # 39
Which CodeQL query suite provides queries of lower severity than the default query suite?
- A. github/codeql-go/ql/src@main
- B. security-extended
- C. github/codeql/cpp/ql/src@main
Answer: B
Explanation:
The security-extended query suite includes additional CodeQL queries that detect lower severity issues than those in the default security-and-quality suite.
It's often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.
The other options listed are paths to language packs, not query suites themselves.
NEW QUESTION # 40
What does code scanning do?
- A. It contacts maintainers to ask them to create security advisories if a vulnerability is found
- B. It scans your entire Git history on branches present in your GitHub repository for any secrets
- C. It analyzes a GitHub repository to find security vulnerabilities
- D. It prevents code pushes with vulnerabilities as a pre-receive hook
Answer: C
Explanation:
Code scanning is a static analysis feature that examines your source code to identify security vulnerabilities and coding errors. It runs either on every push, pull request, or a scheduled time depending on the workflow configuration.
It does not automatically contact maintainers, scan full Git history, or block pushes unless explicitly configured to do so.
NEW QUESTION # 41
Which of the following options would close a Dependabot alert?
- A. Leaving the repository in its current state
- B. Creating a pull request to resolve the vulnerability that will be approved and merged
- C. Viewing the dependency graph
- D. Viewing the Dependabot alert on the Dependabot alerts tab of your repository
Answer: B
Explanation:
A Dependabot alert is only marked as resolved when the related vulnerability is no longer present in your code - specifically after you merge a pull request that updates the vulnerable dependency.
Simply viewing alerts or graphs does not affect their status. Ignoring the alert by leaving the repo unchanged keeps the vulnerability active and unresolved.
NEW QUESTION # 42
Which of the following information can be found in a repository's Security tab?
- A. GHAS settings
- B. Two-factor authentication (2FA) options
- C. Number of alerts per GHAS feature
- D. Access management
Answer: C
Explanation:
The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:
Number of alerts related to:
Code scanning
Secret scanning
Dependency (Dependabot) alerts
Summary and visibility into open, closed, and dismissed security issues.
It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.
NEW QUESTION # 43
Assuming security and analysis features are not configured at the repository, organization, or enterprise level, secret scanning is enabled on:
- A. Public repositories
- B. User-owned private repositories
- C. All new repositories within your organization
- D. Private repositories
Answer: A
Explanation:
By default, secret scanning is enabled automatically for all public repositories. For private or internal repositories, secret scanning must be enabled manually unless configured at the organization or enterprise level.
This default behavior helps protect open-source projects without requiring additional configuration.
NEW QUESTION # 44
As a repository owner, you do not want to run a GitHub Actions workflow when changes are made to any .txt or markdown files. How would you adjust the event trigger for a pull request that targets the main branch? (Each answer presents part of the solution. Choose three.) on:
pull_request:
branches: [main]
- A. - 'docs/*.md'
- B. - '/*.txt'
- C. - '/*.md'
- D. paths:
- E. paths-ignore:
Answer: B,C,E
Explanation:
To exclude .txt and .md files from triggering workflows on pull requests to the main branch:
on: defines the event (e.g., pull_request)
pull_request: is the trigger
paths-ignore: is the key used to ignore file patterns
Example YAML:
yaml
CopyEdit
on:
pull_request:
branches:
- main
paths-ignore:
- '*.md'
- '*.txt'
Using paths: would include only specific files instead - not exclude. paths-ignore: is correct here.
NEW QUESTION # 45
Where can you find a deleted line of code that contained a secret value?
- A. Commits
- B. Dependency graph
- C. Insights
- D. Issues
Answer: A
Explanation:
Secrets committed and then deleted are still accessible in the repository's Git history. To locate them, navigate to the Commits tab. GitHub's secret scanning can detect secrets in both current and historical commits, which is why remediation should also include revoking the secret, not just removing it from the latest code.
NEW QUESTION # 46
What is a security policy?
- A. A file in a GitHub repository that provides instructions to users about how to report a security vulnerability
- B. A security alert issued to a community in response to a vulnerability
- C. An alert about dependencies that are known to contain security vulnerabilities
- D. An automatic detection of security vulnerabilities and coding errors in new or modified code
Answer: A
Explanation:
A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project's transparency and ensures timely communication and mitigation of any reported issues.
Adding this file also enables a "Report a vulnerability" button in the repository's Security tab.
NEW QUESTION # 47
What do you need to do before you can define a custom pattern for a repository?
- A. Provide match requirements for the secret format.
- B. Provide a regular expression for the format of your secret pattern.
- C. Enable secret scanning on the repository.
- D. Add a secret scanning custom pattern.
Answer: C
Explanation:
Stack Overflow
Explanation:
Comprehensive and Detailed Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.
NEW QUESTION # 48
A repository's dependency graph includes:
- A. Annotated code scanning alerts from your repository's dependencies.
- B. A summary of the dependencies used in your organization's repositories.
- C. Dependencies from all your repositories.
- D. Dependencies parsed from a repository's manifest and lock files.
Answer: D
Explanation:
The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.
It is specific to each repository and does not show org-wide or cross-repo summaries.
NEW QUESTION # 49
Which of the following workflow events would trigger a dependency review? (Each answer presents a complete solution. Choose two.)
- A. workflow_dispatch
- B. pull_request
- C. trigger
- D. commit
Answer: A,B
Explanation:
Comprehensive and Detailed Explanation:
Dependency review is triggered by specific events in GitHub workflows:
pull_request: When a pull request is opened, synchronized, or reopened, GitHub can analyze the changes in dependencies and provide a dependency review.
workflow_dispatch: This manual trigger allows users to initiate workflows, including those that perform dependency reviews.
The trigger and commit options are not recognized GitHub Actions events and would not initiate a dependency review.
NEW QUESTION # 50
Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? (Each answer presents part of the solution. Choose three.)
- A. Upload scan results
- B. Process alerts
- C. Install the CLI
- D. Analyze code
- E. Write queries
Answer: A,C,D
Explanation:
When integrating CodeQL outside of GitHub Actions (e.g., in Jenkins, CircleCI):
Install the CLI: Needed to run CodeQL commands.
Analyze code: Perform the CodeQL analysis on your project with the CLI.
Upload scan results: Export the results in SARIF format and use GitHub's API to upload them to your repo's security tab.
You don't need to write custom queries unless extending functionality. "Processing alerts" happens after GitHub receives the results.
NEW QUESTION # 51
Which key is required in the update settings of the Dependabot configuration file?
- A. rebase-strategy
- B. package-ecosystem
- C. commit-message
- D. assignees
Answer: B
Explanation:
In a dependabot.yml configuration file, package-ecosystem is a required key. It defines the package manager being used in that update configuration (e.g., npm, pip, maven, etc.).
Without this key, Dependabot cannot determine how to analyze or update dependencies. Other keys like rebase-strategy or commit-message are optional and used for customizing behavior.
NEW QUESTION # 52
What is required to trigger code scanning on a specified branch?
- A. The repository must be private.
- B. Developers must actively maintain the repository.
- C. Secret scanning must be enabled on the repository.
- D. The workflow file must exist in that branch.
Answer: D
Explanation:
Comprehensive and Detailed Explanation:
For code scanning to be triggered on a specific branch, the branch must contain the appropriate workflow file, typically located in the .github/workflows directory. This YAML file defines the code scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).
Without the workflow file in the branch, GitHub Actions will not execute the code scanning process for that branch. The repository's visibility (private or public), the status of secret scanning, or the activity level of developers do not directly influence the triggering of code scanning.
NEW QUESTION # 53
What role is required to change a repository's code scanning severity threshold that fails a pull request status check?
- A. Write
- B. Maintain
- C. Admin
- D. Triage
Answer: C
Explanation:
To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must have Admin access on the repository. This is because modifying these settings falls under repository configuration privileges.
Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.
NEW QUESTION # 54
When using CodeQL, how does extraction for compiled languages work?
- A. By resolving dependencies to give an accurate representation of the codebase
- B. By monitoring the normal build process
- C. By running directly on the source code
- D. By generating one language at a time
Answer: B
Explanation:
For compiled languages, CodeQL performs extraction by monitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.
This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.
NEW QUESTION # 55
Which of the following is the best way to prevent developers from adding secrets to the repository?
- A. Make the repository public
- B. Create a CODEOWNERS file
- C. Enable push protection
- D. Configure a security manager
Answer: C
Explanation:
The best proactive control is push protection. It scans for secrets during a git push and blocks the commit before it enters the repository.
Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.
Making a repo public would increase the risk, not reduce it.
NEW QUESTION # 56
......
Microsoft GH-500 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
GH-500 Practice Test Pdf Exam Material: https://www.dumpstorrent.com/GH-500-exam-dumps-torrent.html
GH-500 Questions Pass on Your First Attempt Dumps for GitHub Administrator Certified: https://drive.google.com/open?id=1xdOyXt_N0m8FoiuUoANG-qG9YPPW6X4k