Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Microsoft
  3. GH-500

Microsoft GH-500 Exam (page: 2)
Microsoft GitHub Advanced Security
Updated on: 12-Feb-2026

Viewing Page 2 of 11
GH-500 PDF 113 Questions

­ [Describe GitHub Advanced Security Best Practices]

As a contributor, you discovered a vulnerability in a repository.
Where should you look for the instructions on how to report the vulnerability?

  1. support.md
  2. readme.md
  3. contributing.md
  4. security.md

Answer(s): D

Explanation:

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.

This file is considered a GitHub best practice and, when present, activates a "Report a vulnerability" button in the repository's Security tab.


Reference:

GitHub Docs ­ Adding a security policy to your repository



­ [Configure and Use Dependency Management]

Assuming there is no custom Dependabot behavior configured, where possible, what does Dependabot do after sending an alert about a vulnerable dependency in a repository?

  1. Creates a pull request to upgrade the vulnerable dependency to the minimum possible secure version
  2. Scans repositories for vulnerable dependencies on a schedule and adds those files to a manifest
  3. Constructs a graph of all the repository's dependencies and public dependents for the default branch
  4. Scans any push to all branches and generates an alert for each vulnerable repository

Answer(s): A

Explanation:

After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to the minimum required secure version--if a fix is available and compatible with your project.

This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.


Reference:

GitHub Docs ­ About Dependabot alerts; About Dependabot security updates



­ [Configure and Use Secret Scanning]

What is the first step you should take to fix an alert in secret scanning?

  1. Archive the repository.
  2. Update your dependencies.
  3. Revoke the alert if the secret is still valid.
  4. Remove the secret in a commit to the main branch.

Answer(s): C

Explanation:

The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.

Simply deleting the secret from the code does not remove the risk if it hasn't been revoked -- especially since it may already be exposed in commit history.


Reference:

GitHub Docs ­ About secret scanning alerts; Remediating a secret scanning alert



­ [Configure and Use Dependency Management]

A dependency has a known vulnerability.
What does the warning message include?

  1. The security impact of these changes
  2. An easily understandable visualization of dependency change
  3. How many projects use these components
  4. A brief description of the vulnerability

Answer(s): D

Explanation:

When a vulnerability is detected, GitHub shows a warning that includes a brief description of the vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue, severity level, and potential impact. The message also links to additional advisory data from the GitHub Advisory Database.

This helps developers understand the context and urgency of the vulnerability before applying the fix.


Reference:

GitHub Docs ­ About Dependabot alerts; Reviewing and managing alerts



­ [Configure and Use Dependency Management]

Assuming that notification and alert recipients are not customized, what does GitHub do when it identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each answer presents part of the solution. Choose two.)

  1. It generates a Dependabot alert and displays it on the Security tab for the repository.
  2. It notifies the repository administrators about the new alert.
  3. It generates Dependabot alerts by default for all private repositories.
  4. It consults with a security service and conducts a thorough vulnerability review.

Answer(s): A,B

Explanation:

Comprehensive and Detailed Explanation;
When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:

Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.

Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.

GitHub Docs

These actions ensure that responsible parties are informed promptly to address the vulnerability.


Reference:

GitHub Docs ­ About Dependabot alerts; Configuring notifications for Dependabot alerts



­ [Configure and Use Secret Scanning]

What do you need to do before you can define a custom pattern for a repository?

  1. Provide a regular expression for the format of your secret pattern.
  2. Add a secret scanning custom pattern.
  3. Enable secret scanning on the repository.
  4. Provide match requirements for the secret format.
    Stack Overflow

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation;
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning for that repository. Secret scanning must be active to utilize custom patterns, which allow you to define specific formats (using regular expressions) for secrets unique to your organization.

Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of sensitive information tailored to your needs.


Reference:

GitHub Docs ­ Managing alerts from secret scanning



­ [Configure and Use Dependency Management]

Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull request created via Dependabot security updates?

  1. An enterprise administrator
  2. A user who has write access to the repository
  3. A user who has read access to the repository
  4. A repository member of an enterprise organization

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation;
By default, users with write access to a repository have the ability to merge pull requests, including those created by Dependabot for security updates. This access level allows contributors to manage and integrate changes, ensuring that vulnerabilities are addressed promptly.

Users with only read access cannot merge pull requests, and enterprise administrators do not automatically have merge rights unless they have write or higher permissions on the specific repository.


Reference:

GitHub Docs ­ About Dependabot security updates; Configuring Dependabot security updates



­ [Configure and Use Code Scanning]

Who can fix a code scanning alert on a private repository?

  1. Users who have the Triage role within the repository
  2. Users who have Read permissions within the repository
  3. Users who have Write access to the repository
  4. Users who have the security manager role within the repository

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation;
In private repositories, users with write access can fix code scanning alerts. They can do this by committing changes that address the issues identified by the code scanning tools. This level of access ensures that only trusted contributors can modify the code to resolve potential security vulnerabilities.

GitHub Docs

Users with read or triage roles do not have the necessary permissions to make code changes, and the security manager role is primarily focused on managing security settings rather than directly modifying code.


Reference:

GitHub Docs ­ Resolving code scanning alerts

GitHub Docs



Viewing Page 2 of 11



Share your comments for Microsoft GH-500 exam with other users:

Liz 9/11/2022 11:27:00 PM

support team is fast and deeply knowledgeable. i appreciate that a lot.
UNITED STATES


Namrata 7/15/2023 2:22:00 AM

helpful questions
Anonymous


lipsa 11/8/2023 12:54:00 PM

thanks for question
Anonymous


Eli 6/18/2023 11:27:00 PM

the software is provided for free so this is a big change. all other sites are charging for that. also that fucking examtopic site that says free is not free at all. you are hit with a pay-wall.
EUROPEAN UNION


open2exam 10/29/2023 1:14:00 PM

i need exam questions nca 6.5 any help please ?
Anonymous


Gerald 9/11/2023 12:22:00 PM

just took the comptia cybersecurity analyst (cysa+) - wished id seeing this before my exam
UNITED STATES


ryo 9/10/2023 2:27:00 PM

very helpful
MEXICO


Jamshed 6/20/2023 4:32:00 AM

i need this exam
PAKISTAN


Roberto Capra 6/14/2023 12:04:00 PM

nice questions... are these questions the same of the exam?
Anonymous


Synt 5/23/2023 9:33:00 PM

need to view
UNITED STATES


Vey 5/27/2023 12:06:00 AM

highly appreciate for your sharing.
CAMBODIA


Tshepang 8/18/2023 4:41:00 AM

kindly share this dump. thank you
Anonymous


Jay 9/26/2023 8:00:00 AM

link plz for download
UNITED STATES


Leo 10/30/2023 1:11:00 PM

data quality oecd
Anonymous


Blessious Phiri 8/13/2023 9:35:00 AM

rman is one good recovery technology
Anonymous


DiligentSam 9/30/2023 10:26:00 AM

need it thx
Anonymous


Vani 8/10/2023 8:11:00 PM

good questions
NEW ZEALAND


Fares 9/11/2023 5:00:00 AM

good one nice revision
Anonymous


Lingaraj 10/26/2023 1:27:00 AM

i love this thank you i need
Anonymous


Muhammad Rawish Siddiqui 12/5/2023 12:38:00 PM

question # 142: data governance is not one of the deliverables in the document and content management context diagram.
SAUDI ARABIA


al 6/7/2023 10:25:00 AM

most answers not correct here
Anonymous


Bano 1/19/2024 2:29:00 AM

what % of questions do we get in the real exam?
UNITED STATES


Oliviajames 10/25/2023 5:31:00 AM

i just want to tell you. i took my microsoft az-104 exam and passed it. your program was awesome. i especially liked your detailed questions and answers and practice tests that made me well-prepared for the exam. thanks to this website!!!
UNITED STATES


Divya 8/27/2023 12:31:00 PM

all the best
UNITED STATES


KY 1/1/2024 11:01:00 PM

very usefull document
Anonymous


Arun 9/20/2023 4:52:00 PM

nice and helpful questions
INDIA


Joseph J 7/11/2023 2:53:00 PM

i found the questions helpful
UNITED STATES


Meg 10/12/2023 8:02:00 AM

q 105 . ans is d
INDIA


Navaneeth S 7/14/2023 7:57:00 AM

i have interest to get a sybase iq dba certification
UNITED STATES


Aish 10/11/2023 5:27:00 AM

want to pass exm.
INDIA


Anonymous 6/12/2023 7:23:00 AM

are the answers correct?
INDIA


Kris 7/7/2023 9:43:00 AM

good morning, could you please upload this exam again, i need it to test my knowledge in sd-wan with version 7.0.
Anonymous


Meghraj mali 10/7/2023 1:47:00 PM

very nice question
CANADA


Noel 11/1/2022 9:14:00 PM

i have learning disability and this exam dumps allowed me to focus on the actual questions and not worry about notes and the those other study materials.
SOUTH AFRICA