
100+ Free GitLab Security Specialist Practice Questions

Pass your GitLab Certified Security Specialist exam on the first try — instant access, no signup required.


Key Facts: GitLab Security Specialist Exam

  • Exam questions: 30-50
  • Passing score: 70%
  • Exam duration: 90 min
  • Exam fee: $99
  • Validity: 2 years
  • Tier required: Ultimate (most features)

Source for all figures: GitLab.

The GitLab Certified Security Specialist exam has roughly 30-50 questions in 90 minutes with a 70% passing score. Key areas: the security scanners (SAST, DAST, Dependency Scanning, Container Scanning, Secret Detection, IaC Scanning, API Security, Fuzz Testing), the Vulnerability Report and its triage workflow, security policies (scan execution policies and merge request approval policies, formerly called scan result policies), the Compliance Center and compliance frameworks, and the MR security widget. Most of these features require GitLab Ultimate. Certification is valid for 2 years. Exam fee is $99 USD. Delivered online by GitLab University.

Sample GitLab Security Specialist Practice Questions

Try these sample questions to test your GitLab Security Specialist exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which GitLab security scanner analyzes source code in the repository for vulnerabilities without executing it?
A. DAST
B. SAST
C. Fuzz Testing
D. API Security
Explanation: Static Application Security Testing (SAST) inspects source code for vulnerable patterns without executing the application. DAST runs against a deployed application, Fuzz Testing sends malformed inputs to a running target, and API Security tests live API endpoints. SAST is enabled by including the Security/SAST.gitlab-ci.yml template.
2. Which template do you include in a .gitlab-ci.yml file to enable SAST?
A. Security/SAST.gitlab-ci.yml
B. SAST/Static.gitlab-ci.yml
C. Scan/SAST-Static.gitlab-ci.yml
D. Code/SAST-Code.gitlab-ci.yml
Explanation: SAST is enabled by adding `- template: Security/SAST.gitlab-ci.yml` under the `include:` keyword. GitLab also enables SAST automatically as part of Auto DevOps. The template adds one job per analyzer (for example `semgrep-sast`) to the `test` stage; each job's rules run it only when files for the languages that analyzer covers are present in the repository.
3. Where do you view all vulnerabilities discovered by GitLab security scanners across a project?
A. The Issue board
B. The Vulnerability Report
C. The Audit Events log
D. The Pipeline list
Explanation: The Vulnerability Report (Secure -> Vulnerability report) is the centralized view of all findings in a project. From there you can filter by status, severity, tool (scanner type), identifier, and activity, and triage individual vulnerabilities. Group-level Vulnerability Reports aggregate findings across all projects in the group.
4. Which scanner detects credentials and API keys committed to a repository?
A. License Compliance
B. Secret Detection
C. Container Scanning
D. DAST
Explanation: Secret Detection scans commit contents for high-entropy strings and patterns that match known credential formats (AWS keys, GitLab and GitHub tokens, private keys, etc.). By default the pipeline job inspects only the commits in the current push or merge request, not the whole repository; setting `SECRET_DETECTION_HISTORIC_SCAN` to `true` makes it scan the full git history. On Ultimate, secret push protection can additionally reject a push that contains a detected secret before it ever reaches the repository.
5. What severity levels does GitLab use to classify vulnerabilities?
A. Urgent, High, Normal, Low
B. Critical, High, Medium, Low, Info
C. P0, P1, P2, P3
D. Severe, Major, Minor
Explanation: GitLab uses five severity levels: Critical, High, Medium, Low, and Info. There is also an Unknown severity for findings the scanner cannot rate. Severity is assigned by the analyzer that produced the finding; the same levels drive the Vulnerability Report filters and the thresholds in merge request approval (scan result) policies.
6. Which scanner runs against a running application to identify vulnerabilities by sending crafted HTTP requests?
A. SAST
B. Dependency Scanning
C. DAST
D. License Compliance
Explanation: Dynamic Application Security Testing (DAST) runs against a deployed application, typically in a review or staging environment, and probes it with attack requests. GitLab's current DAST analyzer is browser-based; the earlier proxy-based analyzer, since removed, was built on a customized OWASP ZAP engine. SAST analyzes source code, Dependency Scanning analyzes manifest and lock files, and License Compliance reviews dependency licenses.
7. Which scanner identifies known vulnerabilities in third-party libraries declared in lock files?
A. Container Scanning
B. Dependency Scanning
C. Secret Detection
D. Fuzz Testing
Explanation: Dependency Scanning analyzes manifest and lock files (e.g., package-lock.json, Gemfile.lock, go.sum) to identify libraries with known CVEs. The findings appear in the Vulnerability Report with the affected dependency name, version, and the CVE or advisory identifier that triggered the alert. The same job also emits a CycloneDX SBOM (`gl-sbom-*.cdx.json`) as a pipeline artifact.
8. Which scanner inspects container images for known operating system and language package vulnerabilities?
A. Container Scanning
B. IaC Scanning
C. DAST
D. Fuzz Testing
Explanation: Container Scanning pulls a built container image and identifies known vulnerabilities in OS packages and application libraries inside it. GitLab's default Container Scanning analyzer is based on Trivy. The image to scan is named by the `CS_IMAGE` variable, which defaults to `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG`, the image a preceding `build` job pushed to the project's container registry.
9. Which open-source engine powers GitLab Container Scanning by default?
A. Clair
B. Trivy
C. Anchore
D. Snyk
Explanation: GitLab Container Scanning uses Trivy as its default analyzer. Earlier versions used Clair, but Trivy is now the default and recommended scanner, with Grype available as an alternative analyzer. Trivy detects vulnerabilities in OS packages and language-specific dependencies inside the image.
10. What does IaC Scanning analyze?
A. Built container images
B. Infrastructure as Code configuration files such as Terraform and Kubernetes manifests
C. API endpoints in production
D. Source code for SQL injection
Explanation: Infrastructure as Code (IaC) Scanning checks configuration files such as Terraform, CloudFormation, Kubernetes YAML, Helm charts, Ansible, and Dockerfiles for misconfigurations and insecure defaults. The analyzer is KICS (Keeping Infrastructure as Code Secure), enabled with the Security/SAST-IaC.gitlab-ci.yml template.
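The scanner configuration that questions 2, 4, 8 and 10 describe, collected into one pipeline as an added example. This is not code from the original page or from GitLab's documentation; the Dockerfile, the registry image name, the staging URL and the excluded paths are assumptions, and an Ultimate instance is assumed so that findings reach the Vulnerability Report and MR widget.

```yaml
# Added example (not from the page or from GitLab): a .gitlab-ci.yml that turns
# on SAST, Secret Detection, Dependency Scanning, Container Scanning, IaC
# Scanning and DAST through the bundled templates.
# Assumptions: the repo has a Dockerfile, the image is pushed to the project's
# container registry, and a staging deployment already exists at DAST_WEBSITE.
stages:
  - build
  - test   # every scanner template except DAST adds its jobs to this stage
  - dast   # the DAST template adds its job to this stage

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis
  - template: Security/Secret-Detection.gitlab-ci.yml     # leaked credentials
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # CVEs in manifest/lock files
  - template: Security/Container-Scanning.gitlab-ci.yml   # Trivy on the built image
  - template: Security/SAST-IaC.gitlab-ci.yml             # KICS on Terraform/K8s/Dockerfile
  - template: Security/DAST.gitlab-ci.yml                 # dynamic scan of a deployment

variables:
  # The secret detection job only inspects the commits in the push or MR by
  # default; this makes it walk the whole git history instead (slower, thorough).
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Keep test fixtures and vendored code out of SAST findings.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Image that the container_scanning job pulls and analyzes; the template's
  # default is $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Assumed staging target reachable from the runner. The dast job only runs
  # when DAST_WEBSITE (or an API specification) is set.
  DAST_WEBSITE: "https://staging.example.internal"
  # Active scan: sends attack payloads, so never point it at production.
  DAST_FULL_SCAN_ENABLED: "true"

# Builds and pushes the image that container_scanning will analyze. It runs in
# the build stage so the image exists before the test stage starts.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

On Free and Premium the same jobs still run, but their results exist only as the `gl-*-report.json` artifacts of each job; the MR security widget, the Vulnerability Report, Dependency Scanning and DAST need Ultimate.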

About the GitLab Security Specialist Exam

The GitLab Certified Security Specialist exam validates expertise in GitLab DevSecOps. It covers configuring and interpreting SAST, DAST, Dependency Scanning, Container Scanning, Secret Detection, License Compliance, IaC Scanning, API Security, and Fuzz Testing, as well as managing findings in the Vulnerability Report, building scan execution and merge request approval policies, and using the Compliance Center.

  • Questions: 40 scored questions
  • Time limit: 90 minutes
  • Passing score: 70%
  • Exam fee: $99 (GitLab)

GitLab Security Specialist Exam Content Outline

Security Scanners (30-35%): configuring and tuning SAST, DAST, Dependency Scanning, Container Scanning, Secret Detection, License Compliance, IaC Scanning, API Security, and Fuzz Testing in CI/CD pipelines.

Vulnerability Management (20-25%): the Vulnerability Report, severity levels (Critical/High/Medium/Low/Info), CVE/CWE mapping, dismissal as false positive, the status workflow (Detected/Confirmed/Resolved/Dismissed), vulnerability export, SBOM (CycloneDX), and the MR security widget.

Security Policies (20-25%): scan execution policies, merge request approval policies (formerly scan result policies), pipeline execution policies, security policy projects, and policy enforcement at group and project scope.

Compliance and Reporting (15-20%): the Compliance Center, compliance frameworks, the Security Dashboard at group and project levels, Security and Compliance Reports, audit events, and GitLab Duo Vulnerability Explanation and Vulnerability Resolution.

How to Pass the GitLab Security Specialist Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 40 questions
  • Time limit: 90 minutes
  • Exam fee: $99

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GitLab Security Specialist Study Tips from Top Performers

1. Spend hands-on time in a GitLab Ultimate trial: include each scanner template (Security/SAST.gitlab-ci.yml, Security/DAST.gitlab-ci.yml, etc.) and observe the results in the Vulnerability Report
2. Know which scanners Auto DevOps enables by default (SAST, Secret Detection, Dependency Scanning, Container Scanning, and DAST against the review or staging deployment) versus which must be added explicitly (API Security and Fuzz Testing)
3. Understand the difference between scan execution policies (force scans to run in every pipeline or on a schedule) and merge request approval policies, formerly scan result policies (require approvals or block merges based on findings)
4. Know the vulnerability lifecycle states: Detected, Confirmed, Resolved, Dismissed, and how dismissal reasons (for example False positive or Acceptable risk) feed the false-positive workflow
5. Study CVE and CWE references: questions may ask which scanner detects which CWE category (e.g., CWE-89 SQL injection by SAST/DAST)
6. Practice exporting vulnerability reports and generating SBOMs in CycloneDX format
7. Review GitLab Duo Vulnerability Explanation and Vulnerability Resolution: what they generate and which scanners they support
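The two policy types contrasted in tip 3 and in the Security Policies section of the outline, written out as one policy file as an added example. This is not code from the original page or from GitLab; it assumes a security policy project linked to the group, maintainers as the intended approvers, and the protected branches as the ones to gate.

```yaml
# Added example (not from the page or from GitLab): .gitlab/security-policies/policy.yml
# in a security policy project. A scan execution policy forces scans to run;
# a merge request approval policy (formerly "scan result policy") gates merges
# on what those scans find. Assumed: the policy project is linked to the group,
# maintainers are the approvers, protected branches are the gated branches.
scan_execution_policy:
  - name: Always run Secret Detection and SAST
    description: Runs both scanners in every pipeline on every branch, even when a
      project's own .gitlab-ci.yml omits the templates.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"
    actions:
      - scan: secret_detection
      - scan: sast
  - name: Nightly container scan of the default branch
    description: Re-scans the image daily so CVEs published after the last commit
      still surface in the Vulnerability Report.
    enabled: true
    rules:
      - type: schedule
        cadence: "0 2 * * *"
        branch_type: default
    actions:
      - scan: container_scanning

approval_policy:
  - name: Require two approvals for new critical or high findings
    description: Changes that introduce unresolved critical or high severity findings
      from any listed scanner need two maintainer approvals before merging.
    enabled: true
    rules:
      - type: scan_finding
        branch_type: protected
        scanners:
          - sast
          - secret_detection
          - dependency_scanning
          - container_scanning
        # Any single new finding at these severities triggers the approval rule.
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        # Only findings introduced by the MR count; dismissing a new finding in
        # the MR does not bypass the rule.
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
    actions:
      - type: require_approval
        approvals_required: 2
        role_approvers:
          - maintainer
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
```

The scan execution policy injects jobs into the target projects' pipelines, so it is the tool for "this scan must run"; the approval policy reads the resulting reports and only changes who must approve, so an MR with no new critical or high findings is unaffected by it.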

Frequently Asked Questions

What is the GitLab Certified Security Specialist exam?

The GitLab Certified Security Specialist exam validates a practitioner's ability to use GitLab's DevSecOps capabilities. It tests configuration of SAST, DAST, Dependency Scanning, Container Scanning, Secret Detection, IaC Scanning, API Security, and Fuzz Testing, as well as managing findings in the Vulnerability Report and enforcing security policies.

How many questions are on the GitLab Security Specialist exam?

The exam has approximately 30-50 multiple-choice questions delivered in 90 minutes. The passing score is 70%. Questions are scenario-based and require both conceptual knowledge of GitLab's security features and practical experience configuring scanners and policies.

Are there prerequisites for the GitLab Security Specialist exam?

GitLab recommends completing the GitLab Security Essentials and Security Specialist learning paths on GitLab University. Hands-on experience with GitLab CI/CD and a GitLab Ultimate tier instance is strongly recommended, as most security features (DAST, IaC scanning, security policies) require Ultimate.

What GitLab tier is required for the security features on the exam?

Most exam topics rely on GitLab Ultimate. SAST, Secret Detection, Container Scanning, and IaC Scanning can run on Free and Premium, but there the results are available only as JSON report artifacts of the pipeline; the Vulnerability Report, Security Dashboard, MR security widget, Dependency Scanning, DAST, API Security, Fuzz Testing, security policies, secret push protection, and the Compliance Center all require Ultimate. Expect questions to assume Ultimate features.

How should I prepare for the GitLab Security Specialist exam?

Plan for 30-50 hours over 4-6 weeks. Complete the GitLab University Security Specialist learning path, review the official Security and Compliance documentation, practice configuring each scanner in a real GitLab Ultimate project, build scan execution and MR approval policies, and complete 100+ practice questions targeting 80%+ before scheduling.

How long is the GitLab Security Specialist certification valid?

GitLab certifications are valid for 2 years from the date of passing. After 2 years you must re-certify by passing the current version of the exam, which reflects updates to GitLab features and security best practices.

What jobs can I get with this certification?

The GitLab Security Specialist certification supports roles including: DevSecOps Engineer, Application Security Engineer, Security Engineer, Platform Security Engineer, Compliance Engineer, and DevOps Engineer with security responsibilities. It is particularly valuable for organizations that have standardized on GitLab Ultimate.