Describe the GHAS security features and functionality |
10% |
Contrast GHAS features and their role in the security ecosystem
- Differentiate the security features that come automatically for open source projects, and what features are available when GHAS is paired with GHEC or GHES
- Describe the features and benefits of Security Overview
- Describe the differences between secret scanning and code scanning
- Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle
- Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle
Explain and use specific GHAS features
- Describe how vulnerable dependencies are identified (by looking at the manifest files and comparing with databases of known vulnerabilities)
- Explain how to act on alerts from GHAS
- Explain the implications of ignoring an alert
- Explain the role of a developer when they discover a security alert
- Describe the differences in access management to view alerts for different security features
- Describe a security policy in a GitHub repository
- Identify where to use Dependabot alerts in the software development lifecycle
|
Configure and use dependency management |
15% |
Describe tools for managing vulnerabilities in dependencies
- Define a vulnerability
- Describe Dependabot alerts
- Describe Dependabot security updates
- Define the dependency graph
- Describe how the dependency graph is generated
- Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the GitHub Advisory Database and from WhiteSource)
Enable and configure tools for managing vulnerable dependencies
- Identify the default settings for Dependabot alerts in public and private repositories
- Identify the permissions and roles required to enable Dependabot alerts
- Identify the permissions and roles required to view Dependabot alerts
- Enable Dependabot alerts for private repositories
- Enable Dependabot alerts for organizations
- Create a valid Dependabot configuration file
- Configure notifications for vulnerable dependencies
Identify and remediate vulnerable dependencies
- Identify a vulnerable dependency from a Dependabot alert
- Identify vulnerable dependencies from a pull request
- Enable Dependabot security updates
- Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)
- Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the dependency)
- Take action on any Dependabot alerts by testing and merging pull requests
|
Configure and use code scanning |
15% |
Enable and use secret scanning
- Describe secret scanning
- Choose when secret scanning occurs
- Contrast secret scanning availability for public and private repositories
- Enable secret scanning for private repositories
- Enable secret scanning for an organization
- Explain how to pick an appropriate response to a secret scanning alert
- Determine if an alert is generated for a given secret, pattern, or service provider
- Determine if a given user role will see secret scanning alerts
Customize default secret scanning behavior
- Configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins)
- Describe how to exclude certain files from being scanned for secrets
- Explain how to enable custom secret scanning for a repository
- Explain how to enable custom secret scanning for an organization
|
Use code scanning with CodeQL |
20% |
Explain how CodeQL enables code scanning
- Describe CodeQL
- Define a QL pack, code query, code suite
- Describe the default CodeQL query suites
- Describe how CodeQL analyzes code and produces results, including differences between compiled and interpreted
- Explain how CodeQL enables code scanning
Use CodeQL for code scanning
- Introduce a CodeQL analysis workflow to a repository
- List the locations in which CodeQL queries can be specified for use with code scanning
- Configure the language matrix in a CodeQL workflow
- Reference a CodeQL query from a public repository within a code scanning workflow
- Reference a CodeQL query from a private repository within a code scanning workflow
- Reference a CodeQL query from a local directory within a code scanning workflow
- Reference a configuration file within the same repository
- Reference a configuration file in a remote public repository
- Execute code scanning with the CodeQL command-line interface (CLI), including creating the CodeQL database, analyzing that database, and posting the SARIF results to GitHub
- Contrast the steps to execute code scanning in GitHub Actions vs the CodeQL CLI
Describe how to triage code scanning results from CodeQL analysis
- Describe how to view code scanning results from CodeQL analysis
- Troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow
- Follow the data flow through code using the show paths experience
- Explain the reason for a code scanning alert given the documentation linked from the alert
- Determine if and why a code scanning alert needs to be dismissed
- Describe potential shortfalls in CodeQL via a model of compilation and language support
- Optimize CodeQL analysis runtimes
Use third-party tools with code scanning
- Explain how to upload third-party SARIF results via the SARIF endpoint
- Explain the purpose of defining a SARIF category
|
Describe GitHub Advanced Security best practices, results, and how to take corrective measures |
20% |
Describe GitHub Advanced Security best practices, results, and how to take corrective measures
- Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub Advanced Security alert and list potential remediation
- Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a decision based on data)
- Determine the roles and responsibilities of development and security teams on a software development workflow
- Explain how to set a review cadence with security teams, when appropriate
- Use security policies to instruct all contributors to better secure their repositories
- Compare the code scanning alert against the repository's security policy (i.e., should we block merges with unfixed security vulnerabilities?)
- Align repository branch protection configuration with written security policies
|
GitHub Advanced Security Administration |
10% |
GitHub Advanced Security Administration
- Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server
- Explain how GitHub Advanced Security features are enabled for an organization
- Set security policies for a repository
- Set security policies for an organization
- Describe how permissions are interpreted throughout security workflow
- Locate API endpoints for GHAS features, like secret scanning, code scanning, and Dependabot
- List stakeholders that need to be involved in the security workflows enabled by GHAS, including their role in the workflow
- Configure code scanning within a repository or organization using the default CodeQL workflow
- Identify the custom build steps necessary in a CodeQL workflow
|
Official Information |
|
https://assets.ctfassets.net/wfutmusr1t3h/4WQrNeENScZlISZKdknVbK/4c5d4a2174291da207efb57aa814899d/github-advanced-security-exam-preparation-study-guide__3_.pdf |