GitHub-Advanced-Security practice questions from CertShiken. CertShiken's team of experts keeps researching the questions on IT certification exams that many candidates sit, drawing on their own knowledge and experience. The GitHub-Advanced-Security questions and answers CertShiken provides are closely related to the questions and answers of the real exam. CertShiken is a site that helps you pass.

GitHub Advanced Security (GHAS) Exam certification: GitHub-Advanced-Security questions (Q68-Q73)

# 68
Which of the following benefits do code scanning, secret scanning, and dependency review provide?
A. Automatically raise pull requests, which reduces your exposure to older versions of dependencies
B. Search for potential security vulnerabilities, detect secrets, and show the full impact of changes to dependencies
C. Confidentially report security vulnerabilities and privately discuss and fix security vulnerabilities in your repository's code
D. View alerts about dependencies that are known to contain security vulnerabilities
Correct answer: B
Explanation
These three features provide complementary layers of defense:
* Code scanning identifies security flaws in your source code
* Secret scanning detects exposed credentials
* Dependency review shows the impact of package changes during a pull request
Together, they give developers actionable insight into risk and coverage throughout the SDLC. Option A describes Dependabot version updates, option C describes private vulnerability reporting, and option D describes Dependabot alerts; none of these is what the question asks about.
# 69
Which of the following options would close a Dependabot alert?
A. Creating a pull request to resolve the vulnerability that will be approved and merged
B. Viewing the dependency graph
C. Viewing the Dependabot alert on the Dependabot alerts tab of your repository
D. Leaving the repository in its current state
Correct answer: A
Explanation
A Dependabot alert is closed only when the vulnerable dependency is no longer present in your code, specifically after you merge a pull request that updates the dependency to a patched version (or removes it).
Simply viewing alerts or the dependency graph does not affect their status, and leaving the repository unchanged keeps the vulnerability active and the alert open. (An alert can also be dismissed manually with a reason, but that is not among the options.)
# 70
After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?
A. Open an issue in the CodeQL repository.
B. Ignore the alert.
C. Draft a pull request to update the open-source query.
D. Dismiss the alert with the reason "false positive."
Correct answer: D
Explanation
When you determine that a code scanning alert is a false positive, such as when your code uses a custom sanitization method that the analysis does not recognize, dismiss the alert with the reason "false positive" (the other built-in reasons are "won't fix" and "used in tests"). The alert then stays dismissed on subsequent scans of the same code, and the recorded reason tells reviewers why the finding was closed. Ignoring the alert (option B) leaves an open finding that nobody will triage again.
As per GitHub's documentation:
"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis." Contributing a query improvement (options A and C) is a worthwhile follow-up, but the immediate next step is to dismiss the alert with the correct reason so that your security alerts remain actionable and relevant.
# 71
What happens when you enable secret scanning on a private repository?
A. Dependency review, secret scanning, and code scanning are enabled.
B. GitHub performs a read-only analysis on the repository.
C. Your team is subscribed to security alerts.
D. Repository administrators can view Dependabot alerts.
Correct answer: B
Explanation
When secret scanning is enabled on a private repository (which requires a GitHub Advanced Security license), GitHub performs a read-only analysis of the repository's contents: the entire Git history on all branches is scanned for strings that match the patterns of supported service providers or custom-defined patterns, and matches are surfaced as secret scanning alerts.
GitHub does not alter the repository, and enabling secret scanning does not automatically enable code scanning or dependency review; each must be configured separately. Nor does it by itself subscribe your team to alerts or change who can view Dependabot alerts (options C and D).
# 72
What is a prerequisite to define a custom pattern for a repository?
A. Close other secret scanning alerts
B. Specify additional match criteria
C. Change the repository visibility to Internal
D. Enable secret scanning
Correct answer: D
Explanation
You must enable secret scanning before defining custom patterns. Secret scanning provides the underlying capability for detecting exposed credentials; custom patterns build on it by letting you specify your own regular expressions for secret formats unique to your environment, optionally refined with before/after-secret delimiters and additional match requirements.
Without secret scanning enabled, GitHub will not process or apply custom patterns. Specifying additional match criteria (option B) is an optional refinement of a pattern, not a prerequisite, and neither closing other alerts nor changing the repository visibility is required.
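To make the custom pattern fields discussed in #71 and #72 concrete, here is an added Python example (written for this page, not code from CertShiken or GitHub) that emulates how a secret scanning custom pattern is applied: a "secret format" regex wrapped in "before secret" / "after secret" delimiters (defaults copied from GitHub's custom pattern form, with Python's `\Z` standing in for `\z`), plus optional "must match" / "must not match" requirements, run over constructed file content. The `ACME-...` token format, the sample values, and the `CustomPattern`, `base_hits` and `refined_hits` names are assumptions made for this illustration; GitHub's own scanner is a separate implementation. It shows that matching is a pure read of the content (#71) and that additional match requirements only narrow an already-working pattern (#72).

```python
import re
from dataclasses import dataclass, field


@dataclass
class CustomPattern:
    """Hypothetical local model of a secret scanning custom pattern.

    Field names mirror the form GitHub shows when you define a custom pattern
    (secret format, before secret, after secret, additional match requirements),
    but this class is an illustration written for this page, not GitHub's scanner.
    """
    name: str
    secret_format: str                       # regex for the secret itself
    before_secret: str = r"\A|[^0-9A-Za-z]"  # GitHub default: start of input or a non-alphanumeric
    after_secret: str = r"\Z|[^0-9A-Za-z]"   # GitHub default: end of input or a non-alphanumeric (\z in GitHub's form)
    must_match: list = field(default_factory=list)      # every regex here must match the secret
    must_not_match: list = field(default_factory=list)  # no regex here may match the secret

    def regex(self) -> re.Pattern:
        # The delimiters are consumed rather than used as lookarounds because
        # Python's re requires fixed-width lookbehinds and "\A|[^...]" is not.
        return re.compile(
            f"(?:{self.before_secret})({self.secret_format})(?:{self.after_secret})"
        )

    def scan(self, text: str) -> list:
        """Return the secrets in `text` that also pass every additional requirement."""
        hits = []
        for m in self.regex().finditer(text):
            secret = m.group(1)
            if any(not re.search(r, secret) for r in self.must_match):
                continue
            if any(re.search(r, secret) for r in self.must_not_match):
                continue
            hits.append(secret)
        return hits


# Constructed sample content standing in for a committed file; the "ACME" token
# format and every value below are invented for this example.
SAMPLE_FILE = (
    "ACME_TOKEN=ACME-7G3KQ9ZP2MXV8B4HTW1D\n"
    "docs: use ACME-EXAMPLEEXAMPLE000000 as a placeholder in READMEs\n"
    "legacy=ACME-4H7F2KD9QW1XZ8CVB3NM2L  # 22 chars, so not a well-formed token\n"
)

# Pattern as first defined: secret format only, default delimiters.
BASE = CustomPattern(name="acme-token", secret_format=r"ACME-[A-Z0-9]{20}")

# Same pattern refined with additional match requirements to cut placeholders.
REFINED = CustomPattern(
    name="acme-token",
    secret_format=r"ACME-[A-Z0-9]{20}",
    must_match=[r"[0-9]"],                 # real tokens always contain a digit
    must_not_match=[r"EXAMPLE", r"0{6}"],  # documentation placeholders
)


def base_hits() -> list:
    """Secrets found before additional requirements are added."""
    return BASE.scan(SAMPLE_FILE)


def refined_hits() -> list:
    """Secrets found once the additional requirements narrow the pattern."""
    return REFINED.scan(SAMPLE_FILE)


if __name__ == "__main__":
    print("without additional requirements:", base_hits())
    print("with additional requirements:   ", refined_hits())
```

The third sample line is rejected by both patterns because the character after the twentieth token character is alphanumeric, so the "after secret" delimiter fails; the placeholder on the second line is found by the base pattern and removed only by the "must not match" requirement, which is exactly the optional refinement option B refers to.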