GH-500: GitHub Advanced Security

An intermediate certification for developers, security engineers, and DevSecOps practitioners who configure and use GitHub Advanced Security (GHAS) features to protect code, detect vulnerabilities, and maintain compliance. Validates expertise in secret scanning, Dependabot, dependency review, and CodeQL code scanning.

⏱100 min🎯700/1000 to pass 🎓Intermediate🏢Pearson VUE📅Valid 2 years

This is a configuration and application exam

Think like a security-aware developer or DevSecOps engineer. Questions test your ability to configure GHAS features, interpret their results, and apply corrective measures — not just define what they are.

Certification Achieved ✅

Earned: March 2026 Credential: Verify Certificate

Notes Prepared: March 2026 · Last Updated: 2026-03-16 Notes valid as of: March 16, 2026

✨Generated by NotebookLM

🔍 Click to Enlarge

Audio Refresher

A podcast-style walkthrough of key exam tactics. Made to listen on the drive to the exam center as a last-minute refresher.

---

Official Exam Domains

The GH-500 exam currently measures 7 domains. Use this page as the master index so the structure in the notes matches the certification blueprint exactly.

Domain	Weight	Notes
Domain 1: Describe the GHAS security features and functionality	10%	GHAS capabilities, availability, licensing, feature roles
Domain 2: Configure and use secret scanning	10%	Secret scanning, push protection, custom patterns, remediation
Domain 3: Configure and use dependency management	15%	Dependency graph, Dependabot, dependency review, SBOM
Domain 4: Configure and use code scanning	15%	Code scanning setup, alerts, SARIF, PR enforcement
Domain 5: Use code scanning with CodeQL	20%	Default vs advanced setup, queries, suites, packs, troubleshooting
Domain 6: Describe GitHub Advanced Security best practices	20%	Rollout, governance, remediation, reducing alert fatigue
Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise	10%	Enterprise policy, Security Overview, roles, metrics

Reorganized for the official blueprint

Some GHAS topics naturally overlap, but these notes are intentionally split so that:

• Domain 4 covers general code scanning behavior and SARIF
• Domain 5 focuses specifically on CodeQL
• Domain 6 covers rollout and operational best practices
• Domain 7 covers enterprise-wide configuration and reporting

---

Study Progress

GitHub Advanced Security Study Progress

0/100%

Domain 1: Describe the GHAS security features and functionality (10%) ↗

• What GHAS includes and licensing requirements ↗
• Secret scanning, Dependabot, code scanning overview ↗
• GHEC vs GHES GHAS availability ↗

Domain 2: Configure and use secret scanning (10%) ↗

• Enabling secret scanning at repo, org, and enterprise level ↗
• Push protection — block secrets before commit ↗
• Custom patterns, partner patterns, and validity checks ↗
• Managing and remediating secret scanning alerts ↗

Domain 3: Configure and use dependency management (15%) ↗

• Dependency graph — what it tracks and how ↗
• Dependabot alerts vs Dependabot security updates ↗
• Dependabot version updates and dependabot.yml ↗
• Dependency review action in pull requests ↗
• Remediating vulnerabilities and CVSS severity levels ↗

Domain 4: Configure and use code scanning (15%) ↗

• Default vs advanced code scanning setup ↗
• SARIF format and third-party tool integration ↗
• Code scanning in pull requests and branch protection ↗

Domain 5: Use code scanning with CodeQL (20%) ↗

• Built-in queries, custom queries, and query suites ↗
• Interpreting code scanning alerts and severity levels ↗
• CodeQL packs and database creation ↗

Domain 6: Describe GitHub Advanced Security best practices (20%) ↗

• Rollout strategies and organizational adoption ↗
• SBOM export and compliance ↗
• Corrective measures and alert remediation ↗

Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise (10%) ↗

• Security overview across the enterprise ↗
• Security metrics and reporting ↗
• Enterprise-level GHAS policies and configuration ↗

Reviewed exam guide & traps

Reviewed cheatsheet

Ready for exam

💾 Progress is saved in your browser's local storage. Clearing your browser data will reset your progress.

---

Official Resources

• GH-500 Exam Page
• GH-500 Study Guide
• GH-500: GitHub Advanced Security - MS Learn YouTube Course
• GitHub Advanced Security Documentation

External Resources

• GitHub Advanced Security Learning Path — Microsoft Learn
• CodeQL Documentation
• Dependabot Documentation
• Secret Scanning Documentation

---

Start Study Notes → · Cheatsheet →