Professional Documents
Culture Documents
Github Advanced Security Exam Preparationdy Guide - 3
Github Advanced Security Exam Preparationdy Guide - 3
Audi nc Pro il
Thi xam i d ign d or xp ri nc d pro ional in th i ld o o t ar d v lopm nt and curity. Thi
c rti ication i d ign d or individual ho hav a d p und r tanding o GitHub and it curity atur ,
a ll a hand -on xp ri nc in curing o t ar d v lopm nt ork lo .
Th domain provid d in thi tudy guid ar int nd d to provid in ight into th topic cat gori cov r d in
th GitHub Advanc d S curity xam, along ith th l arning obj ctiv ithin ach domain.
Domain 7: Con gure GitHub Advanced Security tools in GitHub Enterprise 10%
Cont nt R ourc
Th ollo ing r ourc hav b n cr at d in collaboration ith GitHub a r comm nd d cont nt that
cov r th l arning obj ctiv in ach domain or th GitHub Advanc d S curity xam. Both icro o t
L arn and Link dIn L arning provid a compl t l arning path or th xam, but o r a di r nt l arning
xp ri nc .
icro o t L arn
Di erentiate the security features that come automatically for open source projects, and what features are available
when GHAS is paired with GHEC or GHES
Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle
Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each
step of the software development life cycle
Describe how vulnerable dependencies are identi ed (by looking at the manifest les and comparing with databases of
known vulnerabilities)
Describe the di erences in access management to view alerts for di erent security features
Con gure the recipients of a secret scanning alert (also includes how to provide access to members and teams other
than admins)
Describe how to exclude certain les from being scanned for secrets
De ne a vulnerability
Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the
Github Advisory Database and from WhiteSource)
Identify the default settings for Dependabot alerts in public and private repositories
Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)
Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the
dependency)
Take action on any Dependabot alerts by testing and merging pull requests
List the steps for enabling code scanning in a repository using GitHub Actions (i.e. Security tab and click on “set up
code scanning”, set up the GitHub Actions work ow, make any necessary modi cations to the work ow)
Contrast the steps for using CodeQL versus third party analysis when enabling code scanning
Contrast how to implement CodeQL analysis in a GitHub Actions work ow versus a third-party CI tool
Contrast the frequency of code scanning work ows (scheduled versus triggered by events)
Choose a triggering event for a given development pattern (for example, in a pull request and for speci c les)
Edit the default template for Actions work ow to t an active, open source, production repository
fi
e
f
fi
e
fl
s
e
fl
fl
fi
e
e
s
e
fl
fl
fi
fl
fi
fi
Study Guid GitHub Advanc d S curity
Describe CodeQL
Describe how CodeQL analyzes code and produces results, including di erences between compiled and interpreted
language
List the locations in which CodeQL queries can be speci ed for use with code scanning
Reference a CodeQL query from a public repository within a code scanning work ow
Reference a CodeQL query from a private repository within a code scanning work ow
Reference a CodeQL query from a local directory within a code scanning work ow
Execute code scanning with the CodeQL command-line interface (CLI), including creating the CodeQL database,
analyzing that database, and posting the SARIF results to GitHub
Contrast the steps to execute code scanning in GitHub Actions vs the CodeQL CLI
Troubleshoot a failing code scanning work ow using CodeQL, including creating or changing a custom con guration in
the CodeQL work ow
Follow the data ow through code using the show paths experience
Explain the reason for a code scanning alert given documentation linked from the alert
Describe potential shortfalls in CodeQL via model of compilation and language support
Explain how to upload 3rd party SARIF results via the SARIF endpoint
Describe GitHub Advanced Security best practices, results, and how to take corrective measures
Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub
Advanced Security alert and list potential remediation
Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a
decision based on data)
Determine the roles and responsibilities of development and security teams on a software development work ow
Explain how to set a review cadence with security teams, when appropriate
Use security policies to instruct all contributors to better secure their repositories
Compare the code scanning alert against the repository’s security policy (i.e. should we block merges with un xed
security vulnerabilities?)
Align repository branch protection con guration with written security policies
Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server
Explain how GitHub Advanced Security features are enabled for an organization
Locate API endpoints for GHAS features, like secret scanning, code scanning, and dependabot
List stakeholders that need to be involved in the security work ows enabled by GHAS, including their role in the
work ow
Con gure code scanning within a repository or organization using the default CodeQL work ow