Study Guid

GitHub Advanc d S curity

G t xam-r ady or th GitHub Advanc d S curity C rti ication

ith our compr h n iv tudy guid . W ’v curat d th ntial
r ourc and l arning activiti to b r pr par you or th
xam and boo t your chanc o ucc .

Audi nc Pro il
Thi xam i d ign d or xp ri nc d pro ional in th i ld o o t ar d v lopm nt and curity. Thi
c rti ication i d ign d or individual ho hav a d p und r tanding o GitHub and it curity atur ,
a ll a hand -on xp ri nc in curing o t ar d v lopm nt ork lo .

Obj ctiv Domain

An obj ctiv domain or a c rti ication xam, o t n r rr d to a a “domain” or “ xam domain,” i a
tructur d outlin or ram ork that d in th p ci ic kno l dg , kill , and topic that th c rti ication
xam ill cov r. It provid a cl ar roadmap or hat candidat hould xp ct to ncount r on th xam
and hat th y n d to tudy and pr par or.

Th domain provid d in thi tudy guid ar int nd d to provid in ight into th topic cat gori cov r d in
th GitHub Advanc d S curity xam, along ith th l arning obj ctiv ithin ach domain.

Domain Breakdown Exam Percentages

Domain 1: Describe the GHAS security features and functionality 10%

Domain 2: Con gure and use secret scanning 10%

Domain 3: Con gure and use dependency management 15%

Domain 4: Con gure and use code scanning 15%

Domain 5: Use code scanning with CodeQL 20%

Domain 6: Describe GitHub Advanced Security best practices 20%

Domain 7: Con gure GitHub Advanced Security tools in GitHub Enterprise 10%

R comm ndation and B t Practic or Succ

To incr a your chanc o ucc in pa ing th GitHub Advanc d S curity xam, candidat hould
hav a d p und r tanding o GitHub and it curity atur , a ll a hand -on xp ri nc in curing
o t ar d v lopm nt ork lo . Th r comm nd d l arning path or thi xam provid you ith an in-
d pth tudy o th l arning cont nt, ollo d by hand -on x rci and pr paration a m nt qu tion
that r cr at d to nabl you to in -tun your kno l dg and r adin or th c rti ication xam.
w
e
s
e
s
e
e
s
e
e
s
e
e
f
e
w
s
e
w
e
w
e
f
w
e
e
w
e
e
s
e
e
e
e
e
e
e
s
s
s
e
e
e
e
e
s
e
e
e
e
s
e
s
e
e
fi
fi
fi
fi
f
e
s
e
e
s
e
s
e
e
e
e
f
e
e
s
e
s
f
e
e
e
e
e
s
e
e
e
f
f
e
e
e
s
f
e
w
e
e
e
e
s
s
f
s
s
e
e
s
e
e
e
w
e
f
s
f
e
s
s
f
s
e
e
e
w
e
f
e
s
s
e
f
e
s
e
e
s
f
s
e
e
e
s
e
f
e
e
e
e
s
tt
e
e
s
e
e
w
e
e
s
e
f
e
e
w
s
f
e
e
e
f
s
e
e
s
s
e
s
e
w
f
s
e
s
s
s
f
f
e
e
e
w
e
w
e
e
e
s
e
e
e
e
e
e
s
e
e
e
e
e
e
w
s
f
e
e
e
s
f
f
e
e
f
e
e
e
f
f
e
e
s
e
s
e
e
e
f
e
e
e
e
e
w
s
e
s
s
e
e
s
e
e
s
s
s
e
f
e
s
s
w
w
e
s
s
e
e
e
e
f
f
s
s
w
w
e
s
f
e
e
s
s
s
f
s
w
e
e
s
f
e
s
e
e
e
e
s
e
e
e
e
e
e
e
s
e
s
f
s
e
s
e
e
e
s
s
e
e
e
s
e
e
s
e
e
w
e
e
e
s
e
s
s
e
s
s
f
e
f
e
e
e
e
s
e
e
s
s
s
 Study Guid GitHub Advanc d S curity

Cont nt R ourc
Th ollo ing r ourc hav b n cr at d in collaboration ith GitHub a r comm nd d cont nt that
cov r th l arning obj ctiv in ach domain or th GitHub Advanc d S curity xam. Both icro o t
L arn and Link dIn L arning provid a compl t l arning path or th xam, but o r a di r nt l arning
xp ri nc .

icro o t L arn

Th GitHub Advanc d S curity l arning path on S L arn provid a robu t

coll ction o l arning modul d ign d to pr par you or th GitHub Advanc d
S curity xam. L arn ho to cur your cod ith advanc d curity atur at
v ry tag o your d v lopm nt li cycl . GitHub Advanc d S curity i an add-on
to GitHub Ent rpri that allo you to u curity atur , uch a cr t
canning, cod canning, and d p nd ncy manag m nt on your privat
r po itori . Th ollo ing modul ill alk you through GitHub' advanc d curity atur and provid
you ith th kill n d d to r cogniz , apply, and valuat th atur ithin your o n GitHub
nvironm nt. (Thi l arning path i curr ntly b ing updat d and a r vi d v r ion i coming F bruary
2024)

Link dIn L arning

Di cov r th art o a guarding your cod u ing advanc d curity t chniqu

throughout th ntir o t ar d v lopm nt proc by going through th
Pr par or th GitHub Advanc d S curity C rti ication l arning path on
Link dIn L arning. With GitHub Advanc d S curity, you gain acc to a uit o
robu t curity tool , including cr t canning, cod canning, and d p nd ncy
manag m nt, tailor-mad or your privat r po itori . Thi vid o-ba d l arning path compri a ri
o ngaging cour that ill guid you through th intricaci o GitHub’ advanc d curity capabiliti .
By th nd o thi l arning path, you’ll b ll- quipp d ith th kno l dg and xp rti to aml ly
apply, a , and maximiz th curity atur ithin your GitHub nvironm nt. (Thi l arning path
ill b availabl to ard th nd o arch, 2024)
e
M
e
s
e
w
e
e
f
e
s
e
e
e
e
e
e
e
e
w
e
f
s
s
e
e
e
s
s
e
e
e
e
s
s
e
e
s
e
w
e
s
f
e
e
e
e
e
f
e
e
e
s
e
s
e
e
f
s
f
s
e
f
e
e
e
e
e
e
e
e
e
e
e
e
s
s
s
s
s
e
s
f
s
f
e
s
e
s
w
s
e
s
e
e
e
e
e
e
e
e
w
e
f
s
e
s
e
e
e
e
w
f
e
s
e
w
w
s
f
e
e
e
e
e
s
s
e
s
w
e
e
e
e
e
s
s
e
e
e
e
e
e
e
e
s
e
e
s
e
e
f
s
e
e
s
e
e
e
s
e
w
f
e
e
e
e
M
e
s
e
e
e
w
e
e
s
e
w
e
e
e
e
e
s
e
e
f
e
s
e
e
e
e
e
e
f
e
w
s
e
e
M
e
e
e
e
e
f
e
s
e
s
e
s
e
f
e
e
e
e
w
s
e
s
e
w
f
e
e
e
e
s
e
e
s
e
w
e
s
s
e
e
s
e
s
e
e
s
e
f
e
e
f
e
s
e
f
s
s
e
s
w
s
e
s
e
e
e
s
e
s
e
e
e
f
e
e
e
e
e
e
s
s
s
s
e
s
e
e
e
e
e
e
s
w
e
e
e
e
s
e
s
e
e
e
s
f
e
s
e
e
f
e
f
e
e
e
s
f
s
e
e
s
w
e
e
f
s
f
e
e
e
s
M
e
s
e
s
e
e
s
e
e
e
s
s
s
s
f
e
e
e
s
s
e
 Study Guid GitHub Advanc d S curity

Domain 1: D crib th GHAS curity atur and unctionality

Contrast GHAS features and their role in the security ecosystem

Di erentiate the security features that come automatically for open source projects, and what features are available
when GHAS is paired with GHEC or GHES

Describe the features and bene ts of Security Overview

Describe the di erences between secret scanning and code scanning

Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle

Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each
step of the software development life cycle

Explain and use speci c GHAS features

Describe how vulnerable dependencies are identi ed (by looking at the manifest les and comparing with databases of
known vulnerabilities)

Explain how to act on alerts from GHAS

Explain the implications of ignoring an alert

Explain the role of a developer when they discover a security alert

Describe the di erences in access management to view alerts for di erent security features

Describe a security policy in a GitHub repository

Identify where to use Dependabot alerts in the software development lifecycle

Domain 2: Con igur and u cr t canning

Enable and use secret scanning

Describe secret scanning

Choose when secret scanning occurs

Contrast secret scanning availability for public and private repositories

Enable secret scanning for private repositories

Enable secret scanning for an organization

Explain how to pick an appropriate response to a secret scanning alert

Determine if an alert is generated for a given secret, pattern, or service provider

Determine if a given user role will see secret scanning alerts

ff
ff
ff
e
s
e
fi
f
e
fi
e
e
s
e
s
s
fi
e
e
e
e
e
s
f
e
ff
e
s
fi
f
 Study Guid GitHub Advanc d S curity

Customize default secret scanning behavior

Con gure the recipients of a secret scanning alert (also includes how to provide access to members and teams other
than admins)

Describe how to exclude certain les from being scanned for secrets

Explain how to enable custom secret scanning for a repository

Explain how to enable custom secret scanning for an organization

Domain 3: Con igur and u d p nd ncy manag m nt

Describe tools for managing vulnerabilities in dependencies

De ne a vulnerability

Describe Dependabot alerts

Describe Dependabot security updates

De ne the dependency graph

Describe how the dependency graph is generated

Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the
Github Advisory Database and from WhiteSource)

Enable and con gure tools for managing vulnerable dependencies

Identify the default settings for Dependabot alerts in public and private repositories

Identify the permissions and roles required to enable Dependabot alerts

Identify the permissions and roles required to view Dependabot alerts

Enable Dependabot alerts for private repositories

Enable Dependabot alerts for organizations

Create a valid Dependabot con guration le

Con gure noti cations for vulnerable dependencies

fi
fi
fi
fi
fi
fi
e
f
fi
e
fi
fi
s
e
e
e
e
e
e
e
e
 Study Guid GitHub Advanc d S curity

Identify and remediate vulnerable dependencies

Identify a vulnerable dependency from a Dependabot alert

Identify vulnerable dependencies from a pull request

Enable Dependabot security updates

Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)

Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the
dependency)

Take action on any Dependabot alerts by testing and merging pull requests

Domain 4: Con igur and u cod canning

Describe and enable code scanning

Describe code scanning

List the steps for enabling code scanning in a repository using GitHub Actions (i.e. Security tab and click on “set up
code scanning”, set up the GitHub Actions work ow, make any necessary modi cations to the work ow)

Enable code scanning for use with a CodeQL analysis work ow

Describe how code scanning relates to GitHub Actions consumption

Use code scanning with third-party tools

Enable code scanning for use with a third-party analysis

Contrast the steps for using CodeQL versus third party analysis when enabling code scanning

Contrast how to implement CodeQL analysis in a GitHub Actions work ow versus a third-party CI tool

Con gure code scanning

Describe how code scanning ts in the software development life cycle

Contrast the frequency of code scanning work ows (scheduled versus triggered by events)

Choose a triggering event for a given development pattern (for example, in a pull request and for speci c les)

Edit the default template for Actions work ow to t an active, open source, production repository
fi
e
f
fi
e
fl
s
e
fl
fl
fi
e
e
s
e
fl
fl
fi
fl
fi
fi
 Study Guid GitHub Advanc d S curity

Domain 5: U cod canning ith Cod QL

Explain how CodeQL enables code scanning

Describe CodeQL

De ne a QL pack, code query, code suite

Describe the default CodeQL query suites

Describe how CodeQL analyzes code and produces results, including di erences between compiled and interpreted
language

Use CodeQL for code scanning

Introduce a CodeQL analysis work ow to a repository

List the locations in which CodeQL queries can be speci ed for use with code scanning

Con gure the language matrix in a CodeQL work ow

Reference a CodeQL query from a public repository within a code scanning work ow

Reference a CodeQL query from a private repository within a code scanning work ow

Reference a CodeQL query from a local directory within a code scanning work ow

Reference a con guration le within the same repository

Reference a con guration le in a remote public repository

Execute code scanning with the CodeQL command-line interface (CLI), including creating the CodeQL database,
analyzing that database, and posting the SARIF results to GitHub

Contrast the steps to execute code scanning in GitHub Actions vs the CodeQL CLI

Describe how to triage code scanning results from CodeQL analysis

Describe how to view code scanning results from CodeQL analysis

Troubleshoot a failing code scanning work ow using CodeQL, including creating or changing a custom con guration in
the CodeQL work ow

Follow the data ow through code using the show paths experience

Explain the reason for a code scanning alert given documentation linked from the alert

Determine if and why a code scanning alert needs to be dismissed

Describe potential shortfalls in CodeQL via model of compilation and language support

Optimize CodeQL analysis runtimes

fi
fi
fl
fi
fi
fl
s
e
e
fi
fi
e
s
fl
fl
fl
w
e
fi
e
e
ff
fl
fl
fl
fi
 Study Guid GitHub Advanc d S curity

Use third-party tools with code scanning

Explain how to upload 3rd party SARIF results via the SARIF endpoint

Explain the purpose of de ning a SARIF category

Domain 6: D crib GitHub Advanc d S curity b t practic ,r ult , and

ho to tak corr ctiv m a ur

Describe GitHub Advanced Security best practices, results, and how to take corrective measures

Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub
Advanced Security alert and list potential remediation

Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a
decision based on data)

Determine the roles and responsibilities of development and security teams on a software development work ow

Explain how to set a review cadence with security teams, when appropriate

Use security policies to instruct all contributors to better secure their repositories

Compare the code scanning alert against the repository’s security policy (i.e. should we block merges with un xed
security vulnerabilities?)

Align repository branch protection con guration with written security policies

Domain 7: GitHub Advanc d S curity Admini tration

GitHub Advanced Security Administration

Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server

Explain how GitHub Advanced Security features are enabled for an organization

Set security policies for a repository

Set security policies for an organization

Describe how permissions are interpreted throughout security work ow

Locate API endpoints for GHAS features, like secret scanning, code scanning, and dependabot

List stakeholders that need to be involved in the security work ows enabled by GHAS, including their role in the
work ow

Con gure code scanning within a repository or organization using the default CodeQL work ow

Identify the custom build steps necessary in a CodeQL work ow

w
fi
fl
e
e
s
e
fi
e
e
e
fi
e
e
s
e
e
e
s
e
e
fl
fl
e
fl
s
e
s
fl
e
s
e
s
fl
fi
s