# GH-100: Cheatsheet
Exam Day Reference: review this page 5 minutes before the exam.
## Admin Core Principles (SLG)

- Security: default to the more secure option
- Least Privilege: grant the minimum permissions needed
- Governance: define policies before deploying
## GitHub Products at a Glance

| Need | Product |
|---|---|
| Cloud-hosted enterprise | GitHub Enterprise Cloud (GHEC) |
| On-premises / self-hosted | GitHub Enterprise Server (GHES) |
| Isolated managed instance | GitHub AE (GHAE) |
| Company-controlled identities | Enterprise Managed Users (EMU) |
## Identity & Authentication (SAML vs SCIM vs Team Sync)

| Tool | Purpose |
|---|---|
| SAML SSO | Authentication: how users log in via the IdP |
| SCIM | Provisioning: create/update/remove accounts automatically |
| Team Sync | Mirror IdP group membership into GitHub teams |
| 2FA | Require 2-factor for all org members |
| EMU | Lock all identities to company-managed accounts |
Rule: SAML = door. SCIM = guest list. Team Sync = seating chart.
## Permission Levels (Least → Most)

- Repository roles: Read → Triage → Write → Maintain → Admin
- Org roles: Member → Owner (Billing Manager = billing-only, no code)
- Outside Collaborator: repo-specific only, no seat license consumed.
## Security Feature Lookup

| Feature | What it does |
|---|---|
| Secret scanning | Detects leaked credentials after commit |
| Push protection | Blocks secrets before they enter the repo |
| CodeQL | Scans source code for vulnerability patterns |
| Dependabot Alerts | Notifies on vulnerable dependencies |
| Dependabot Security Updates | Opens a fix PR automatically |
| Audit Log API | Records all actions (REST + GraphQL) |
| BFG Repo Cleaner | Removes secrets from Git history (recommended) |
| filter-branch | Git-native history rewrite (slower, legacy) |
| Deploy Key | Repo-scoped SSH key for server/CI access |
## Token Types

| Token | Tied to | Expiry | Best for |
|---|---|---|---|
| PAT (classic) | User | Never (optional) | Personal CLI/scripts |
| Fine-grained PAT | User | Required (≤1 yr) | Scoped personal access |
| GitHub App token | App installation | 1 hour | Machine accounts, bots |
| OAuth Token | User (delegated) | Until revoked | User-facing apps |
| Deploy Key | Repo | Never | Single-repo server access |
Prefer GitHub Apps over PATs for machine/bot accounts.
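The "prefer GitHub Apps over PATs" rule in practice, as an added example (not code from the page or from GitHub's docs): a workflow job that mints a one-hour GitHub App installation token with the `actions/create-github-app-token` action and uses it for a cross-repository checkout, instead of storing a long-lived PAT as a secret. Assumed: the App is already installed on the organization, its ID and private key are stored as repository secrets named `APP_ID` and `APP_PRIVATE_KEY`, and `example-org`, `internal-config` and the validate script are placeholders.

```yaml
# Added example, not from the page. Assumed: a GitHub App is already installed
# on the organization, and its App ID and PEM private key are stored as the
# repository secrets APP_ID and APP_PRIVATE_KEY (placeholder names).
name: sync-config

on:
  workflow_dispatch:

# Least privilege for the job's built-in GITHUB_TOKEN: read this repo, nothing else.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # Exchanges the App's private key for an installation token. The token
      # expires after one hour (the "1 hour" row in the table above), and the
      # action's post-step revokes it when the job ends unless skip-token-revoke is set.
      - name: Mint a GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: example-org                 # placeholder org
          repositories: internal-config      # limit the token to the one repo needed

      # The short-lived token, not a PAT, authenticates the cross-repo checkout.
      - name: Check out the internal config repo
        uses: actions/checkout@v4
        with:
          repository: example-org/internal-config   # placeholder
          token: ${{ steps.app-token.outputs.token }}
          path: internal-config

      - name: Validate the config
        run: ./internal-config/scripts/validate.sh   # placeholder script
```

The token carries only the App installation's permissions, is scoped to the one repository named in `repositories`, and expires after an hour, so a token that leaks through a log or a compromised runner is far less useful than a classic PAT tied to a person's account with no expiry. Audit log entries for the resulting actions are also attributed to the App rather than to whichever admin created the PAT.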
## Runners Quick Reference

| | GitHub-Hosted | Self-Hosted |
|---|---|---|
| Managed by | GitHub | You |
| Private network access | No | Yes |
| IP allow-listing | Not reliable (dynamic IPs) | Yes (static IPs) |
| Cost | Per-minute | Infrastructure only |
| Public repo risk | Safe | Never use on public repos |
Runner groups = control which orgs/repos can use specific runners.
## Quick Decision Rules

- Need to enforce a rule across ALL orgs? → Enterprise policy (overrides org settings)
- Bot/machine account authenticating to GitHub? → GitHub App (preferred) over PAT
- Need to access on-prem resources in CI? → Self-hosted runner
- Secret committed to history? → Revoke first → BFG to purge → GitHub Support if public
- User should only access one specific repo? → Outside collaborator (not org member)
- Need to block a secret before it's pushed? → Push protection (not just secret scanning)
- Enterprise needs all user accounts company-managed? → Enterprise Managed Users (EMU)
- Reuse CI logic across repos? → Reusable workflows (stored in shared-workflows repo)
## Terminology Check

- SAML SSO: Federates login to an external IdP. Does not provision accounts.
- SCIM: Automates user provisioning/deprovisioning. Works alongside SAML.
- EMU: GitHub users that are fully owned/managed by the enterprise. No personal GitHub accounts.
- GHES: Self-hosted GitHub; you manage the server, upgrades, and backups.
- GHEC: GitHub-hosted enterprise; managed by GitHub, SAML/SCIM supported.
- CodeQL: GitHub's static analysis engine. Treats code as a database of queryable facts.
- BFG: BFG Repo Cleaner, the recommended tool for purging sensitive data from Git history.
- Runner group: Access control layer for self-hosted runners; restricts which orgs/repos can use them.
- Reusable workflow: A `workflow_call`-triggered workflow callable from other workflows to share CI logic.
- Deploy Key: An SSH key scoped to a single repository. Preferred for read-only server access.
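The "Runner group" and "Reusable workflow" entries above, shown together as an added example (not code from the page): a `workflow_call` workflow kept in an assumed `example-org/shared-workflows` repository, and a caller in another repository that pins it to a tag and routes the job onto a self-hosted runner group named `on-prem-linux` for access to on-prem resources. All org, repository, group, secret and script names are placeholders.

```yaml
# --- Callee: .github/workflows/build.yml in the example-org/shared-workflows repo (placeholder) ---
name: reusable-build

on:
  workflow_call:
    inputs:
      runner-group:
        description: Name of the self-hosted runner group the job should run on
        required: true
        type: string
    secrets:
      ARTIFACT_TOKEN:
        description: Token for the internal artifact store (placeholder name)
        required: true

jobs:
  build:
    # Route the job to a self-hosted runner group. Which orgs/repos may use
    # that group is enforced on the runner group itself, not in this file.
    runs-on:
      group: ${{ inputs.runner-group }}
      labels: [self-hosted, linux]
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: make build   # placeholder build command

      - name: Publish to the on-prem artifact store
        env:
          # Secrets are not inherited by a reusable workflow; the caller must
          # pass this one explicitly (see the caller below).
          ARTIFACT_TOKEN: ${{ secrets.ARTIFACT_TOKEN }}
        run: ./scripts/publish.sh   # placeholder; reads ARTIFACT_TOKEN from the environment

---
# --- Caller: .github/workflows/ci.yml in any repo permitted to use the shared workflow ---
name: ci

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    # A job that calls a reusable workflow has no runs-on or steps of its own.
    # Pin to a tag or, stricter, a full commit SHA so a change to the shared
    # workflow cannot silently alter what runs in this repo.
    uses: example-org/shared-workflows/.github/workflows/build.yml@v1
    with:
      runner-group: on-prem-linux
    secrets:
      ARTIFACT_TOKEN: ${{ secrets.ARTIFACT_TOKEN }}
```

Two controls are worth noting. The runner group decides which repositories may schedule jobs onto the on-prem machines, which is why the table above says never to expose self-hosted runners to public repositories: the group, not the workflow file, is where that boundary is set. And because the callee only receives the secrets the caller passes under `secrets:`, a shared workflow cannot quietly read every secret of every repository that uses it.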