
100+ Free GitHub Advanced Security Practice Questions

Pass your GitHub Advanced Security Certification (GH-500) exam on the first try — instant access, no signup required.

Key Facts: GitHub Advanced Security Exam (2026 Statistics)

  • Exam questions: 65 (source: GitHub)
  • Passing score: 70% (source: GitHub)
  • Exam duration: 100 min (source: GitHub)
  • Exam fee: $99 USD (source: GitHub)
  • Largest domain: Dependabot and Dependency Review, 35%
  • Validity: 2 years (must retake to renew)

GH-500 has 65 questions in 100 minutes with a 70% passing score. Five domains: GHAS features overview (~15%), Secret scanning (~15%), Dependabot and Dependency Review (~35% — largest), Code scanning with CodeQL (~25%), Best practices (~10%). Costs $99 USD, delivered via PSI. GitHub certifications are valid 2 years.

Sample GitHub Advanced Security Practice Questions

Try these sample questions to test your GitHub Advanced Security exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is GitHub Advanced Security (GHAS)?
A. A backup service for GitHub repositories
B. A suite of security features including code scanning (CodeQL), secret scanning, and dependency review for GitHub repositories
C. A static website hosting service
D. An identity provider
Explanation: GHAS is a paid suite of security features for GitHub repositories: code scanning with CodeQL (and third-party SARIF), secret scanning with push protection, dependency review, security overview dashboards, and security campaigns. Available on GitHub Enterprise Cloud (GHEC) and GitHub Enterprise Server (GHES) as an add-on. Many features are free for public repos. Exam tip: GHAS extends free open-source security to private repos with enterprise governance.

2. Which language and analysis engine powers default code scanning in GitHub?
A. CodeQL
B. ESLint only
C. SonarQube only
D. Snyk only
Explanation: CodeQL is GitHub's semantic code analysis engine that powers default code scanning. It treats code as data and uses queries to find vulnerability patterns across multiple languages (C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift). Third-party engines (Snyk, Checkmarx) can integrate via SARIF. Exam tip: CodeQL queries can be Microsoft-published or custom-authored; the QL language is purpose-built for code analysis.

3. What's the difference between default and advanced setup for code scanning?
A. Default uses GitHub-managed configuration with auto-detection; advanced uses a customizable workflow file (codeql-analysis.yml)
B. Default is paid; advanced is free
C. Default uses CodeQL; advanced uses ESLint
D. There is no default setup
Explanation: Default setup auto-detects supported languages and enables code scanning with sensible defaults — no YAML editing needed. Advanced setup uses a customizable workflow file (.github/workflows/codeql-analysis.yml) for fine-grained control over languages, query suites, build steps, and triggers. Exam tip: Use default for fast onboarding; switch to advanced for custom queries, monorepo scoping, or non-standard build steps.

4. Which feature blocks commits containing secrets at git push time?
A. Branch protection rules
B. Push protection (part of secret scanning)
C. Code scanning
D. Dependency review
Explanation: Push protection is a secret scanning feature that blocks pushes containing detected secret patterns. Developers see the block at git push time and must remove the secret or explicitly bypass with a justification (which is logged). This shifts secret prevention left — before secrets reach the repo. Exam tip: Push protection works for ~200 supported secret types from major providers and custom patterns.

5. What do Dependabot alerts do?
A. Automatically delete vulnerable dependencies
B. Notify repository owners about known vulnerabilities in dependencies (via the GitHub Advisory Database)
C. Encrypt dependency files
D. Remove all dependencies
Explanation: Dependabot alerts notify repository owners about known vulnerabilities in dependencies, sourced from the GitHub Advisory Database (GHAD). Alerts include CVE details, affected version range, and severity. Dependabot security updates can automatically open PRs to patch vulnerable dependencies. Exam tip: Free for all repos (public and private); separate from Dependabot version updates, which keep dependencies current.

6. What does dependency review in pull requests show?
A. A view of dependency changes (added/removed/updated) in a PR with vulnerability and license information for the new versions
B. A list of all repository contributors
C. Code formatting issues
D. Test coverage
Explanation: Dependency review in PRs shows the diff of dependencies being added/removed/updated, with vulnerability data (severity, CVE) and license info for the new versions. Reviewers can block merging vulnerable or non-compliant dependency changes. Configured via the dependency-review-action or the built-in PR feature. Exam tip: Pair with branch protection requiring the dependency-review-action to fail on critical/high vulnerabilities.
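The gating setup from the exam tip above, written out as an added example (not from the page or from GitHub's docs): a workflow that runs actions/dependency-review-action on every pull request and fails when an added or updated dependency carries a high or critical vulnerability or a denied license. The license list and the branch name are assumptions to adjust to your own policy.

```yaml
# .github/workflows/dependency-review.yml (added example, not part of the original page)
name: Dependency Review
on:
  pull_request:
    branches: [main]        # assumption: the protected branch is "main"

permissions:
  contents: read            # read the manifests changed in the PR
  pull-requests: write      # only needed for comment-summary-in-pr

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when any newly added or updated dependency has a
          # known vulnerability (from the GitHub Advisory Database) at this
          # severity or above. Accepted values: low, moderate, high, critical.
          fail-on-severity: high
          # Example license policy (assumption): block copyleft licenses the
          # organization does not accept. SPDX identifiers, comma-separated.
          deny-licenses: GPL-3.0, AGPL-3.0
          # Post the findings as a PR comment so reviewers see them inline.
          comment-summary-in-pr: always
```

Once the workflow exists, add its job as a required status check in the branch protection rule so the PR cannot be merged while the review fails.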
7. Which CodeQL query suite is recommended for finding common security vulnerabilities?
A. security-and-quality (broader) or security-extended (deeper) — security-extended is more thorough than the default suite
B. code-style only
C. format-check only
D. performance-tuning only
Explanation: CodeQL ships with query suites: 'default' (security + maintainability, balanced for noise), 'security-extended' (more security checks, slightly higher false positives), and 'security-and-quality' (combines security with quality issues). Choose based on your team's tolerance for noise vs. coverage. Exam tip: Start with default; expand to security-extended if you want broader vulnerability coverage.

8. Which is a key difference between secret scanning for public vs. private repositories?
A. Secret scanning for public repos is free for all GitHub users; secret scanning for private repos requires GHAS
B. It's identical
C. Public is paid; private is free
D. Public is unsupported
Explanation: Secret scanning is free for all public repositories on GitHub.com. For private repositories, it requires GitHub Advanced Security (GHAS). Both use the same detection patterns and partner program — partners (AWS, Stripe, etc.) can choose to revoke detected secrets automatically. Exam tip: Free public-repo secret scanning is a foundational defense for OSS projects; consider GHAS for private/enterprise repos.

9. What is a custom secret pattern in GitHub secret scanning?
A. A user-defined regex pattern to detect organization-specific secrets (e.g., internal API key formats)
B. A built-in pattern only Microsoft can edit
C. A type of branch
D. A repository topic
Explanation: Custom secret patterns let admins define regex patterns for organization-specific secrets — internal API key formats, custom token shapes, proprietary credentials. Defined at repo, org, or enterprise level. Use 'dry-run' mode to test patterns before activation to avoid false-positive floods. Exam tip: Custom patterns are essential for orgs with non-standard secret formats; partner detection only covers known third-party patterns.

10. Which feature provides organization-wide visibility into security alerts across repositories?
A. Security Overview dashboard
B. Pull request reviews
C. GitHub Pages
D. Repository Insights
Explanation: Security Overview (org and enterprise level) provides dashboards showing security alerts across all repositories — code scanning, secret scanning, Dependabot, and security advisories. It supports filtering by repo, severity, and team, plus security campaigns and risk metrics. Exam tip: Security Overview is the central pane for security teams managing alerts across many repos.

About the GitHub Advanced Security Exam

The GitHub Advanced Security (GHAS) Certification validates expertise in code scanning with CodeQL (default and advanced setup, custom queries, autofix), secret scanning (push protection, custom patterns, partner program), Dependabot and dependency review (alerts, security updates, dependency graph), security overview dashboards, security campaigns, branch protection integration, and GHAS best practices for security engineers and DevSecOps practitioners.

  • Questions: 65 scored questions
  • Time limit: 100 minutes
  • Passing score: 70%
  • Exam fee: $99 USD (GitHub / PSI)

GitHub Advanced Security Exam Content Outline

  • GHAS Features Overview (15%): GHAS suite (code scanning, secret scanning, Dependabot, security overview), licensing per active committer, Security tab, GHEC vs. GHES deployment, public vs. private repo coverage, free vs. paid features
  • Secret Scanning (15%): Push protection, custom secret patterns (with dry-run), partner program (auto-revocation), historical and incremental scans, alert triage, credential leak response, bypass logging, public vs. private coverage, history coverage
  • Dependabot and Dependency Review (35%): Dependabot alerts, security updates, version updates, dependabot.yml configuration (package-ecosystem, schedule, ignore, groups), dependency graph, dependency review action and PR feature, GitHub Advisory Database (GHAD), Docker/monorepo configurations, transitive dependencies, breaking change handling
  • Code Scanning with CodeQL (25%): Default vs. advanced setup, query suites (default/security-extended/security-and-quality), CodeQL CLI, QL language and packs, SARIF, taint analysis, autofix, language support, multi-language matrix, false positive management, in-source suppression, dismissals, build-step requirements
  • Best Practices (10%): Security overview dashboards, security campaigns, branch protection integration, security configurations (org-level baselines), shift-left culture, supply chain security, audit log streaming to SIEM, IDE integration, action security, KPIs (MTTR, coverage)

How to Pass the GitHub Advanced Security Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 65 questions
  • Time limit: 100 minutes
  • Exam fee: $99 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GitHub Advanced Security Study Tips from Top Performers

1. Focus heavily on Dependabot and Dependency Review (35%) — the largest domain by far
2. Get hands-on: enable GHAS features in a test org, configure dependabot.yml for multiple ecosystems, write custom secret patterns
3. Master CodeQL fundamentals: default vs. advanced setup, query suites (default/security-extended), packs, SARIF, taint analysis
4. Understand the difference between secret scanning for public (free) vs. private (GHAS-required) repos
5. Know push protection: how it blocks at git push time, bypass logging, partner auto-revocation
6. Study Security Overview dashboards, security campaigns, and security configurations for org-wide governance
7. GitHub certifications are valid 2 years — plan budget for retakes; many candidates pair with the GitHub Actions (GH-200) certification

Frequently Asked Questions

What is the GitHub Advanced Security (GHAS) certification?

The GitHub Advanced Security Certification (GH-500) validates expertise in GitHub's security suite: code scanning with CodeQL, secret scanning with push protection, Dependabot and dependency review, security overview dashboards, security campaigns, and branch protection integration. It's targeted at security engineers, DevSecOps practitioners, and platform admins.

How many questions are on the GH-500 exam?

GH-500 has 65 questions delivered in 100 minutes (about 90 seconds per question). Question types include multiple choice and multiple select; some questions are scenario-based with realistic configurations. The passing score is 70%. Delivered via PSI online proctoring.

What does GH-500 cost?

The GH-500 exam fee is $99 USD. GitHub certifications are valid for 2 years and must be retaken to renew (no free annual renewal). Retake policies apply: typically a 24-hour wait after the first failed attempt; subsequent retakes may have longer waiting periods.

What is the largest domain on the GH-500 exam?

Dependabot and Dependency Review is the largest domain at approximately 35% of the exam. It covers Dependabot alerts/security updates/version updates, dependabot.yml configuration, dependency graph, dependency review action, GitHub Advisory Database, Docker/monorepo support, transitive dependencies, and grouped updates.
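An added example of the dependabot.yml configuration this domain covers (written for this page, not taken from the page or from GitHub's docs): three ecosystems in one repository, a weekly npm schedule with grouped minor/patch updates, a monorepo subdirectory for pip, and an ignore rule that skips major bumps for one package. The package name and the /services/api path are assumptions.

```yaml
# .github/dependabot.yml (added example, not part of the original page)
version: 2
updates:
  # npm manifests in the repository root, checked once a week.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    # Collapse minor and patch bumps into one PR per group so reviewers
    # see two grouped PRs instead of dozens of single-package PRs.
    groups:
      dev-dependencies:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      production-minor:
        dependency-type: "production"
        update-types: ["minor", "patch"]
    # Assumed package name: keep receiving minor/patch updates but skip
    # major versions until the breaking change has been planned.
    ignore:
      - dependency-name: "example-legacy-lib"
        update-types: ["version-update:semver-major"]

  # Python requirements for a service living in a monorepo subdirectory
  # (path is an assumption).
  - package-ecosystem: "pip"
    directory: "/services/api"
    schedule:
      interval: "weekly"

  # Base-image tags in the Dockerfile at the repository root, checked daily.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
```

Dependabot alerts and security updates are switched on in the repository's code security settings; this file drives version updates.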

How should I prepare for the GH-500 exam?

Recommended preparation: 1) Hands-on with GHAS in a test org (enable code scanning, secret scanning, push protection, Dependabot), 2) Configure dependabot.yml for various ecosystems (npm, docker, pip), 3) Set up custom secret patterns and test with dry-run, 4) Write a basic CodeQL custom query (use the VS Code extension), 5) Explore Security Overview dashboards, 6) Complete 100+ practice questions covering all five domains.

Is GHAS certification worth it for my career?

Yes — security and DevSecOps roles are growing rapidly. The GHAS certification validates concrete skills with industry-standard tooling that many enterprises have deployed. It's particularly valuable for application security engineers, DevSecOps practitioners, and platform/SRE teams responsible for software supply chain security.