GH-500: Exam Guide โ
โ Overview ยท Cheatsheet โ
How the Exam Wants You to Think โ
The GH-500 exam is for Developers, DevOps Engineers, and Security Engineers working with GHAS. It values Shift-Left Security, Proactive Detection, and Least-Exposure Remediation.
Answer Philosophy โ
- Shift left: The correct answer always prevents a problem earlier in the pipeline rather than catching it later.
- Automation first: The exam prefers automated remediation (Dependabot security updates, push protection) over manual processes.
- Blocking is better than alerting: When asked about the most secure approach, prefer a feature that blocks the action over one that merely notifies.
Keyword Detection Table โ
| If you see... | Look for this in the answer... |
|---|---|
| "Exposed API key / token in a commit" | Secret scanning + push protection |
| "Block a secret before it's committed" | Push protection |
| "Custom secret format (e.g., internal token)" | Custom patterns in secret scanning |
| "Outdated library with a CVE" | Dependabot alert |
| "Auto-fix a vulnerable dependency" | Dependabot security update (auto PR) |
| "Prevent merging a PR that adds a vulnerable dep" | Dependency review action |
| "Schedule weekly dependency updates" | Dependabot version updates (dependabot.yml) |
| "Static analysis / SAST" | Code scanning with CodeQL |
| "SQL injection / XSS / path traversal in code" | Code scanning alert |
| "Third-party SAST tool results in GitHub" | SARIF upload to code scanning |
| "Block PR merge if code has security issues" | Code scanning + branch protection |
| "Inventory all dependencies / software bill of materials" | Dependency graph + SBOM export |
| "Track security posture across the org" | Security overview / organization security view |
| "GHAS license requirement" | GitHub Advanced Security seat = GHEC or GHES |
Exam Traps โ
Look out for these!
- Secret scanning vs push protection: Secret scanning detects secrets already in the repo (alerts after the fact). Push protection blocks secrets from being committed in the first place. Push protection is the more proactive, secure option.
- Dependabot alerts vs Dependabot security updates: Alerts notify you of a vulnerability. Security updates automatically open a PR to fix it. These are two separate features โ both can be enabled independently.
- Dependabot security updates vs version updates: Security updates fix vulnerabilities (triggered by a new CVE/advisory). Version updates keep dependencies up to date with latest releases (scheduled via
dependabot.yml) โ they don't require a CVE. - Code scanning default setup vs advanced setup: Default setup = GitHub auto-configures CodeQL with no YAML needed (quickest). Advanced setup = you write a
.github/workflows/codeql.ymlfor custom query suites, language configuration, and scheduled scans. - SARIF: SARIF (Static Analysis Results Interchange Format) is the standard format for code scanning results. Used to upload results from third-party tools (Checkmarx, Snyk, SonarCloud) into GitHub's code scanning interface.
- GHAS licensing: GHAS features (secret scanning, code scanning, dependency review) require a GitHub Advanced Security license โ available with GHEC or GHES. Public repositories on GitHub.com get them free.
- Content exclusions in secret scanning: You can configure custom patterns and also exclude paths. Be careful: excluding a path means Copilot and secret scanning won't scan those files โ the exam may present this as a misconfiguration risk.
Decision Quick Reference โ
"Which GHAS feature?" โ
Secret already committed to a branch โ Secret scanning alert
Block a secret before commit โ Push protection
Vulnerable npm/pip/maven dependency โ Dependabot alert
Auto-PR to fix vulnerable dependency โ Dependabot security update
Keep all deps on latest versions โ Dependabot version updates
SQL injection in application code โ Code scanning (CodeQL)
Third-party SAST results in GitHub โ SARIF upload
Full inventory of all dependencies โ Dependency graph / SBOM"What is the most secure approach?" โ
Secret in code โ Push protection (blocks at commit) > Secret scanning (detects after push)
Vulnerable dependency โ Security update (auto-PR) > Alert only
Code vulnerability in PR โ Block merge via branch protection + code scanning"Which setup for code scanning?" โ
Quick start, no YAML โ Default setup (CodeQL auto-configured)
Custom queries, specific languages, scheduled scan โ Advanced setup (codeql.yml workflow)
Third-party tool โ Upload SARIF file"What plan is needed?" โ
Public repo โ GHAS features free
Private repo โ GitHub Advanced Security license required (GHEC or GHES)Final Strategy โ
- Domain 3 is 35% of the exam โ Dependabot and dependency review is the single largest topic. Know every configuration option in
dependabot.yml, the difference between security updates and version updates, and how dependency review blocks PRs. - Domain 4 is 25% โ Know default vs advanced CodeQL setup, what SARIF is, and how code scanning integrates with branch protection rules.
- Together, Domains 3 and 4 are 60% of the exam โ master these two before anything else.
- For every feature, know: how to enable it, where to configure it, what it produces (alert, PR, block), and how to remediate.