Domain 1: Describe the GHAS security features and functionality (10%) โ
โ Overview ยท Next Domain โ
Exam Tip
This domain tests your conceptual understanding of what GHAS is, what it includes, and who can use it. Expect questions on feature definitions, licensing requirements, and plan availability โ not deep configuration.
What is GitHub Advanced Security (GHAS)? โ
GitHub Advanced Security is a set of security features built into GitHub to help organizations find and fix vulnerabilities earlier in the development lifecycle (shift-left security).
Memory hook
If the question is asking why GHAS exists, the answer is usually shift-left security: detect and remediate secrets, vulnerable dependencies, and insecure code as early as possible instead of waiting for production or a later audit.
GHAS includes three primary pillars:
| Pillar | Feature | What it does |
|---|---|---|
| Secret Scanning | Secret scanning | Detects exposed credentials, tokens, and API keys |
| Secret Scanning | Push protection | Blocks commits containing secrets before they're pushed |
| Supply Chain Security | Dependabot alerts | Notifies you of vulnerable dependencies |
| Supply Chain Security | Dependabot security updates | Auto-creates PRs to fix vulnerable dependencies |
| Supply Chain Security | Dependabot version updates | Auto-creates PRs to keep dependencies up to date |
| Supply Chain Security | Dependency review | Blocks PRs that introduce vulnerable dependencies |
| Code Scanning | CodeQL analysis | SAST โ finds security vulnerabilities in your source code |
| Code Scanning | SARIF upload | Lets you import third-party SAST results into GitHub |
GHAS Licensing and Availability โ
Public Repositories โ
- GHAS features are free for all public repositories on GitHub.com
- No license purchase required โ secret scanning, code scanning, and dependency review are enabled automatically
Exam shortcut
For public repositories on GitHub.com, the safe default answer is: GHAS features are free.
Private and Internal Repositories โ
| Plan | GHAS Available? | Notes |
|---|---|---|
| GitHub Free / Pro | โ | No GHAS on private repos |
| GitHub Team | โ | No GHAS on private repos |
| GitHub Enterprise Cloud (GHEC) | โ | Requires GHAS license add-on per active committer |
| GitHub Enterprise Server (GHES) | โ | Requires GHAS license; features available from GHES 3.0+ |
Exam Trap
GHAS is not included with GitHub Team. It requires GitHub Enterprise (GHEC or GHES) plus an additional Advanced Security license purchase. The exam often presents GitHub Team as an option โ it's always wrong for private-repo GHAS.
GHAS License Seat Model โ
- GHAS is licensed per active committer โ any user who commits to a private or internal repository with GHAS enabled in the last 90 days
- Enabling GHAS on a repository doesn't require a seat for read-only contributors
- Org owners can view seat usage in: Org Settings โ Advanced Security โ Active committers
Exam Trap
Remember the seat window: GHAS licensing is based on active committers in the last 90 days, not total organization members and not all repository collaborators.
Feature-by-Feature Overview โ
Secret Scanning โ
- Scans the full history of a repository (including all branches and commits) for known secret formats
- Uses partner patterns (GitHub-verified patterns for AWS keys, Stripe API keys, etc.) and optionally custom patterns
- Sends alerts to repository admins and security managers when a secret is detected
- Optional: validity checking โ GitHub queries the service provider to check if a detected secret is still active
Push Protection โ
- Prevents a
git pushfrom succeeding if the pushed code contains a known secret - Works at the network level โ the push is rejected before the commit reaches the remote
- Developer sees an error explaining what was blocked and can bypass with a reason (if allowed by policy)
- Can be enforced at repo, org, or enterprise level
Dependabot Alerts โ
- Triggered when a repository's dependency is found in the GitHub Advisory Database (or NVD) with a known CVE
- Severity levels: Critical, High, Medium, Low (based on CVSS score)
- Available for all repositories (even without GHAS) if the dependency graph is enabled
Dependabot Security Updates โ
- Automatically opens a PR to update the vulnerable dependency to a safe version
- Requires: Dependabot alerts enabled + security updates feature enabled
- The PR includes the CVSS score, CVE details, and changelog notes
Dependabot Version Updates โ
- Scheduled PRs to update dependencies to their latest version (not necessarily security-driven)
- Configured via
.github/dependabot.yml
Dependency Review โ
- A GitHub Action that blocks PR merges if the PR introduces a new vulnerable dependency
- Works as a pull request check โ displays a diff of dependency changes including CVE details
- Requires GHAS license for private repositories
Code Scanning (CodeQL) โ
- Static Application Security Testing (SAST) โ analyzes source code for security vulnerabilities
- Uses CodeQL, a semantic code analysis engine originally developed by Semmle (acquired by GitHub)
- Supports: C, C++, C#, Go, Java, Kotlin, JavaScript/TypeScript, Python, Ruby, Swift
- Alerts include: CWE category, severity, location, and recommended fix
SARIF (Static Analysis Results Interchange Format) โ
- Standard JSON-based format for exchanging static analysis results
- Allows third-party tools (Snyk, Checkmarx, SonarCloud, Semgrep) to upload results into GitHub's code scanning UI
- Uploaded via the
github/codeql-action/upload-sarifaction
Access and Visibility โ
Different GHAS features expose alerts to different roles, which is a common exam topic.
| Feature | Typical viewers |
|---|---|
| Secret scanning alerts | Repository admins, organization owners, security managers, delegated users/teams |
| Dependabot alerts | Repository admins, maintainers, security managers |
| Code scanning alerts | Repository admins, maintainers, security managers |
The exact role mapping can vary by repository ownership and enterprise configuration, but the exam usually wants you to distinguish who can triage alerts from who can only read code.
TIP
Security Overview itself is covered in more depth in Domain 7, because it is primarily an organization and enterprise reporting capability.
Domain 1 Quick Quiz
Which GitHub plans support GHAS on private repositories?
(Click to reveal)