Microsoft GitHub Advanced Security Exam Syllabus

Use this quick start guide to collect all the information about the Microsoft GitHub Advanced Security (GH-500) certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the GH-500 Microsoft GitHub Advanced Security exam. The sample questions will help you identify the type and difficulty level of the questions, and the practice exams will make you familiar with the format and environment of the exam. You should refer to this guide carefully before attempting your actual Microsoft GitHub Advanced Security certification exam.

The Microsoft GitHub Advanced Security certification is mainly targeted at candidates who want to build their career in the GitHub domain. The Microsoft GitHub Advanced Security exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of Microsoft GitHub Advanced Security.

Microsoft GitHub Advanced Security Exam Summary:

Exam Name: Microsoft GitHub Advanced Security
Exam Code: GH-500
Exam Price: $99 (USD)
Duration: 100 mins
Number of Questions: 75
Passing Score: 700 / 1000
Books / Training: GH-500T00-A: GitHub Advanced Security
Schedule Exam: Pearson VUE
Sample Questions: Microsoft GitHub Advanced Security Sample Questions
Practice Exam: Microsoft GH-500 Certification Practice Exam

Microsoft GH-500 Exam Syllabus Topics:

Describe the GHAS security features and functionality (15%)

Contrast GHAS features and their role in the security ecosystem
- Differentiate the security features that come automatically for open source projects, and what features are available when GHAS is paired with GHEC or GHES
- Describe the features and benefits of Security Overview
- Describe the differences between secret scanning and code scanning
- Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle
- Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle
Explain and use specific GHAS features
- Describe how vulnerable dependencies are identified (by looking at the manifest files and comparing with databases of known vulnerabilities)
- Choose how to act on alerts from GHAS
- Explain the implications of ignoring an alert
- Explain the role of a developer when they discover a security alert
- Describe the differences in access management to view alerts for different security features
- Identify where to use Dependabot alerts in the software development lifecycle

Configure and use secret scanning (15%)

Configure and use Secret Scanning
- Describe secret scanning
- Describe push protection
- Describe validity checks
- Contrast secret scanning availability for public and private repositories
- Enable secret scanning for private repositories
- Pick an appropriate response to a secret scanning alert
- Determine if an alert is generated for a given secret, pattern, or service provider
- Determine if a given user role will see secret scanning alerts and how they will be notified
Customize default secret scanning behavior
- Configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins)
- Exclude certain files from being scanned for secrets
- Enable custom secret scanning for a repository

Configure and use Dependabot and Dependency Review (35%)

Describe tools for managing vulnerabilities in dependencies
- Define the dependency graph
- Describe how the dependency graph is generated
- Describe what a Software Bill of Materials (SBOM) is, and the SBOM format used by GitHub
- Define a dependency vulnerability
- Describe Dependabot alerts
- Describe Dependabot security updates
- Describe Dependency Review
- Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the GitHub Advisory Database)
- Describe the difference between Dependabot and Dependency Review
Enable and configure tools for managing vulnerable dependencies
- Identify the default settings for Dependabot alerts in public and private repositories
- Identify the permissions and roles required to enable Dependabot alerts
- Identify the permissions and roles required to view Dependabot alerts
- Enable Dependabot alerts for private repositories
- Enable Dependabot alerts for organizations
- Create a valid Dependabot configuration file to group security updates
- Create a Dependabot Rule to auto-dismiss low severity alerts until a patch is available
- Create a Dependency Review GitHub Actions workflow
- Configure license checks and custom severity thresholds in a Dependency Review workflow
- Configure notifications for vulnerable dependencies
Identify and remediate vulnerable dependencies
- Identify a vulnerable dependency from a Dependabot alert
- Identify vulnerable dependencies from a pull request
- Enable Dependabot security updates
- Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)
- Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the dependency)
- Take action on any Dependabot alerts by testing and merging pull requests

Configure and use Code Scanning with CodeQL (25%)

Use code scanning with third-party tools
- Enable code scanning for use with a third-party analysis
- Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning
- Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool
- Upload third-party SARIF results via the SARIF endpoint
Describe and enable code scanning
- Describe how code scanning fits in the software development life cycle
- Contrast the frequency of code scanning workflows (scheduled versus triggered by events)
- Choose a triggering event for a given development pattern (for example, in a pull request and for specific files)
- Edit the default template for Actions workflow to fit an active, open source, production repository
- Describe how to view code scanning results from CodeQL analysis
- Troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow
- Follow the data flow through code using the show paths experience
- Explain the reason for a code scanning alert given documentation linked from the alert
- Determine if and why a code scanning alert needs to be dismissed
- Describe potential shortfalls in CodeQL via model of compilation and language support
- Explain the purpose of defining a SARIF category

Describe GitHub Advanced Security best practices, results, and how to take corrective measures (10%)

GitHub Advanced Security results & best practices
- Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub Advanced Security alert and list potential remediation
- Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a decision based on data)
- Describe the default CodeQL query suites
- Describe how CodeQL analyzes code and produces results, including differences between compiled and interpreted languages
- Determine the roles and responsibilities of development and security teams on a software development workflow
- Describe how the severity threshold for code scanning pull request status checks can be changed
- Explain how filters and sorting can be used to prioritize secret scanning remediation (validity:active)
- Explain how CodeQL & Dependency Review workflows can be enforced with Repository Rulesets
- Describe how code scanning can be configured to identify and remediate vulnerabilities earlier (scanning upon pull request)
- Describe how secret scanning can be configured to identify and remediate vulnerabilities earlier (enabling push protection)
- Describe how dependency analysis can be configured to identify and remediate vulnerabilities earlier (enable dependency review to scan upon pull request)

To ensure success in the Microsoft GitHub Advanced Security certification exam, we recommend the authorized training course, practice tests, and hands-on experience to prepare for the Microsoft GitHub Advanced Security (GH-500) exam.