Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Microsoft
  3. GH-500

Microsoft GH-500 Exam (page: 1)
Microsoft GitHub Advanced Security
Updated on: 31-Mar-2026

Viewing Page 1 of 11
GH-500 PDF 113 Questions

­ [Configure and Use Code Scanning]

After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic.
What should be your next step?

  1. Draft a pull request to update the open-source query.
  2. Ignore the alert.
  3. Open an issue in the CodeQL repository.
  4. Dismiss the alert with the reason "false positive."

Answer(s): D

Explanation:

When you identify that a code scanning alert is a false positive--such as when your code uses a custom sanitization method not recognized by the analysis--you should dismiss the alert with the reason "false positive." This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.

As per GitHub's documentation:

"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis."

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.



­ [Configure and Use Dependency Management]

When does Dependabot alert you of a vulnerability in your software development process?

  1. When a pull request adding a vulnerable dependency is opened
  2. As soon as a vulnerable dependency is detected
  3. As soon as a pull request is opened by a contributor
  4. When Dependabot opens a pull request to update a vulnerable dependency

Answer(s): B

Explanation:

Dependabot alerts are generated as soon as GitHub detects a known vulnerability in one of your dependencies. GitHub does this by analyzing your repository's dependency graph and matching it against vulnerabilities listed in the GitHub Advisory Database. Once a match is found, the system raises an alert automatically without waiting for a PR or manual action.

This allows organizations to proactively mitigate vulnerabilities as early as possible, based on real- time detection.


Reference:

GitHub Docs ­ About Dependabot alerts; Managing alerts in GitHub Dependabot



­ [Configure and Use Dependency Management]

Which of the following is the most complete method for Dependabot to find vulnerabilities in third- party dependencies?

  1. Dependabot reviews manifest files in the repository
  2. CodeQL analyzes the code and raises vulnerabilities in third-party dependencies
  3. A dependency graph is created, and Dependabot compares the graph to the GitHub Advisory database
  4. The build tool finds the vulnerable dependencies and calls the Dependabot API

Answer(s): C

Explanation:

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.


Reference:

GitHub Docs ­ About the dependency graph; About Dependabot alerts



­ [Describe the GHAS Security Features and Functionality]

What is a security policy?

  1. An automatic detection of security vulnerabilities and coding errors in new or modified code
  2. A security alert issued to a community in response to a vulnerability
  3. A file in a GitHub repository that provides instructions to users about how to report a security vulnerability
  4. An alert about dependencies that are known to contain security vulnerabilities

Answer(s): C

Explanation:

A security policy is defined by a SECURITY.md file in the root of your repository or .github/ directory. This file informs contributors and security researchers about how to responsibly report vulnerabilities. It improves your project's transparency and ensures timely communication and mitigation of any reported issues.

Adding this file also enables a "Report a vulnerability" button in the repository's Security tab.


Reference:

GitHub Docs ­ Adding a security policy to your repository



­ [Configure GitHub Advanced Security Tools in GitHub Enterprise]

As a repository owner, you want to receive specific notifications, including security alerts, for an individual repository.
Which repository notification setting should you use?

  1. Ignore
  2. Participating and @mentions
  3. All Activity
  4. Custom

Answer(s): D

Explanation:

Using the Custom setting allows you to subscribe to specific event types, such as Dependabot alerts or vulnerability notifications, without being overwhelmed by all repository activity. This is essential for repository maintainers who need fine-grained control over what kinds of events trigger notifications.

This setting is configurable per repository and allows users to stay aware of critical issues while minimizing notification noise.


Reference:

GitHub Docs ­ Configuring notifications; Managing security alerts



­ [Configure GitHub Advanced Security Tools in GitHub Enterprise]

Which of the following Watch settings could you use to get Dependabot alert notifications? (Each answer presents part of the solution. Choose two.)

  1. The Custom setting
  2. The Participating and @mentions setting
  3. The All Activity setting
  4. The Ignore setting

Answer(s): A,C

Explanation:

Comprehensive and Detailed Explanation;
To receive Dependabot alert notifications for a repository, you can utilize the following Watch settings:

Custom setting: Allows you to tailor your notifications, enabling you to subscribe specifically to security alerts, including those from Dependabot.

All Activity setting: Subscribes you to all notifications for the repository, encompassing issues, pull requests, and security alerts like those from Dependabot.

The Participating and @mentions setting limits notifications to conversations you're directly involved in or mentioned, which may not include security alerts. The Ignore setting unsubscribes you from all notifications, including critical security alerts.

GitHub Docs

+1

GitHub Docs

+1


Reference:

GitHub Docs ­ Configuring notifications; Managing security alerts



­ [Configure and Use Dependency Management]

Which Dependabot configuration fields are required? (Each answer presents part of the solution.
Choose three.)

  1. directory
  2. package-ecosystem
  3. milestone
  4. schedule.interval
  5. allow

Answer(s): A,B,D

Explanation:

Comprehensive and Detailed Explanation;
When configuring Dependabot via the dependabot.yml file, the following fields are mandatory for each update configuration:

directory: Specifies the location of the package manifest within the repository. This tells Dependabot where to look for dependency files.

package-ecosystem: Indicates the type of package manager (e.g., npm, pip, maven) used in the specified directory.

schedule.interval: Defines how frequently Dependabot checks for updates (e.g., daily, weekly). This ensures regular scanning for outdated or vulnerable dependencies.

The milestone field is optional and used for associating pull requests with milestones. The allow field is also optional and used to specify which dependencies to update.

GitLab


Reference:

GitHub Docs ­ Configuration options for dependency updates



­ [Configure and Use Code Scanning]

What is required to trigger code scanning on a specified branch?

  1. The repository must be private.
  2. Secret scanning must be enabled on the repository.
  3. Developers must actively maintain the repository.
  4. The workflow file must exist in that branch.

Answer(s): D

Explanation:

Comprehensive and Detailed Explanation;
For code scanning to be triggered on a specific branch, the branch must contain the appropriate workflow file, typically located in the .github/workflows directory. This YAML file defines the code scanning configuration and specifies the events that trigger the scan (e.g., push, pull_request).

Without the workflow file in the branch, GitHub Actions will not execute the code scanning process for that branch. The repository's visibility (private or public), the status of secret scanning, or the activity level of developers do not directly influence the triggering of code scanning.


Reference:

GitHub Docs ­ About workflows; About code scanning alerts



Viewing Page 1 of 11



Share your comments for Microsoft GH-500 exam with other users:

Aderonke 10/23/2023 1:07:00 PM

very helpful assessments
UNITED KINGDOM


Simmi 8/24/2023 7:25:00 AM

hi there, i would like to get dumps for this exam
AUSTRALIA


johnson 10/24/2023 5:47:00 AM

i studied for the microsoft azure az-204 exam through it has 100% real questions available for practice along with various mock tests. i scored 900/1000.
GERMANY


Manas 9/9/2023 1:48:00 AM

please upload 1z0-1072-23 exam dups
UNITED STATES


SB 9/12/2023 5:15:00 AM

i was hoping if you could please share the pdf as i’m currently preparing to give the exam.
Anonymous


Jagjit 8/26/2023 5:01:00 PM

i am looking for oracle 1z0-116 exam
UNITED STATES


S Mallik 11/27/2023 12:32:00 AM

where we can get the answer to the questions
Anonymous


PiPi Li 12/12/2023 8:32:00 PM

nice questions
NETHERLANDS


Dan 8/10/2023 4:19:00 PM

question 129 is completely wrong.
UNITED STATES


gayathiri 7/6/2023 12:10:00 AM

i need dump
UNITED STATES


Deb 8/15/2023 8:28:00 PM

love the site.
UNITED STATES


Michelle 6/23/2023 4:08:00 AM

can you please upload it back?
Anonymous


Ajay 10/3/2023 12:17:00 PM

could you please re-upload this exam? thanks a lot!
Anonymous


him 9/30/2023 2:38:00 AM

great about shared quiz
Anonymous


San 11/14/2023 12:46:00 AM

goood helping
Anonymous


Wang 6/9/2022 10:05:00 PM

pay attention to questions. they are very tricky. i waould say about 80 to 85% of the questions are in this exam dump.
UNITED STATES


Mary 5/16/2023 4:50:00 AM

wish you would allow more free questions
Anonymous


thomas 9/12/2023 4:28:00 AM

great simulation
Anonymous


Sandhya 12/9/2023 12:57:00 AM

very g inood
Anonymous


Agathenta 12/16/2023 1:36:00 PM

q35 should be a
Anonymous


MD. SAIFUL ISLAM 6/22/2023 5:21:00 AM

sap c_ts450_2021
Anonymous


Satya 7/24/2023 3:18:00 AM

nice questions
UNITED STATES


sk 5/13/2023 2:10:00 AM

ecellent materil for unserstanding
INDIA


Gerard 6/29/2023 11:14:00 AM

good so far
Anonymous


Limbo 10/9/2023 3:08:00 AM

this is way too informative
BOTSWANA


Tejasree 8/26/2023 1:46:00 AM

very helpfull
UNITED STATES


Yolostar Again 10/12/2023 3:02:00 PM

q.189 - answers are incorrect.
Anonymous


Shikha Bakra 9/10/2023 5:16:00 PM

awesome job in getting these questions
AUSTRALIA


Kevin 10/20/2023 2:01:00 AM

i cant find aws certified practitioner clf-c01 exam in aws website but i found aws certified practitioner clf-c02 exam. can everyone please verify the difference between the two clf-c01 and clf-c02? thank you
UNITED STATES


D Mario 6/19/2023 10:38:00 PM

grazie mille. i got a satisfactory mark in my exam test today because of this exam dumps. sorry for my english.
ITALY


Bharat Kumar Saraf 10/31/2023 4:36:00 AM

some of the answers are incorrect. need to be reviewed.
HONG KONG


JP 7/13/2023 12:21:00 PM

so far so good
Anonymous


Kiky V 8/8/2023 6:32:00 PM

i am really liking it
Anonymous


trying 7/28/2023 12:37:00 PM

thanks good stuff
UNITED STATES