GHAS Certification Exam Prep: Part One - Getting Started 🔒

[queenofcorgis]

This discussion and some of its comments have been edited and modified from its original format to enable evergreen learning

Welcome to the first part of the GitHub Advanced Security certification prep course! To begin, we’ll be going over some intro materials and best practices to build a strong foundation for the exam. This discussion is your space to ask questions, review study guides, and do some exam practice.

Step One: Prep 📚

We’ve assembled some materials for this first section.

• Microsoft Learn Modules
  • Introduction to GitHub Advanced Security
  • Configure Dependabot security updates on your GitHub repo
• Study guides from @NickLiffen
  • Understanding GitHub Advanced Security
  • Enabling GitHub Advanced Security
• Study guides from @LadyKerr
  • Describe the GHAS features and their functionality
  • Configure and use Dependency Management
• Videos
  • GitHub Advanced Security - Pass the Exam from freeCodeCamp
    • GHAS Overview
    • Dependency Management
• Community member materials
  • @Salgado2004's breakdown in their comment

Step Two: Test Your Knowledge ⚡

Question 1: Which of the following is a feature of Dependabot?

A) Dependabot automatically commits changes to the main branch.
B) Dependabot opens pull requests to update dependencies.
C) Dependabot only works with public repositories.
D) Dependabot can update Docker images directly.

Question 2: Which of the following features is part of GitHub Advanced Security?

A) Secret Scanning to detect and alert on leaked secrets in your code.
B) Dependabot to create alerts on and update insecure dependencies.
C) Code Scanning to identify and fix security vulnerabilities and other errors in your code.
D) All of the above

Question 3: Which of the following is a feature of GitHub Advanced Security?

A) Real-time collaboration.
B) Automated code formatting.
C) Dependency scanning.
D) Issue tracking.

View the answers in my comment 🧠

Use the discussion below to share additional study resources and respond to our prep questions

Join Part Two's Discussion on Scanning

[RishavKumarSinha]

Awesome curated list of resources! For the Answers, I think,

1. Option B
2. Option D
3. Option C

[juanlujand]

Question 1: Which of the following is a feature of Dependabot?
B) Dependabot opens pull requests to update dependencies.

Question 2: Which of the following features is part of GitHub Advanced Security?
D) All of the above

Question 3: Which of the following is a feature of GitHub Advanced Security?
C) Dependency scanning.

[Yordan-Ramchev]

1. B
2. D
3. C

[bos-hieu]

1.B
2.D
3.C

[keerthan0521]

1.B
2.D
3.C

[keerthan0521]

Thank you for doing this. I have completed my github action cert and currently preparing advanced security cert. Again thanks for awesome curated list of resources!
Answers:
Option B
Option D
Option C

[KeorapetseMalgas]

1.B
2.D
3.C

[amalayverma]

B, D, C

[Jcodebroken]

1. b
2. d
3. c

[Rei-Suzuki1729]

1. B
2. D
3. C

[queenofcorgis]

The answers are...

Answers

Question 1: Which of the following is a feature of Dependabot? Correct Answer: B) Dependabot opens pull requests to update dependencies. Explanation: A) Incorrect. Dependabot opens pull requests rather than directly committing changes to the main branch. **B) Correct. Dependabot's primary feature is to open pull requests to update dependencies.** C) Incorrect. Dependabot supports both public and private repositories. D) Incorrect. Dependabot does not support updating Docker images directly.

Question 2: Which of the following features is part of GitHub Advanced Security?
All above, to read more about GHAS's features, check out this doc.

Question 3: Which of the following is a feature of GitHub Advanced Security?
Correct Answer: C) Dependency scanning,

[Salgado2004]

I have some!

• Does the GHAS license is included in GitHub Enterprise?
• Does Code scanning provide IDE extensions?

[samsmithnz]

The GHAS license is separate from the GitHub Enterprise license. https://github.com/enterprise/advanced-security#pricing

Can you provide a little more information about the IDE extension you are looking for with Code Scanning?

[soumya03Surya]

There is CodeQL Extension for VS Code - https://docs.github.com/en/enterprise-cloud@latest/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code

[suleman23194]

1. B
2. D
3. C

[Salgado2004]

I'm a little late for this weeks lesson, but let me contribute!

Here's my breakdown for this topic, based on GHAS study guide 😅 I've left some notes with my personal questions, feel free to complement my breakdown and answer my questions, please! I loved the initiative and I'm greateful for the list of resources! Certainly they're going to help 🚀

Domain 1 : Describe the GHAS security features and functionality

Contrast GHAS features and their role in the security ecosystem

• Differentiate the security features that come automatically for open source projects, and what features are available when GHAS is paired with GHEC or GHES:
  Open source projects and public repositories in general automatically have secret scanning and a dependency graph, and can also enable code scanning and dependabot, but as a foundational resource. With the GitHub Advanced Security license, wich provide a deeper protection that is needed for complex and enterprise projects. Those additional features include secret scanning, code scanning and dependency review for private repos.

Note

I didn't get the GHES and GHEC part. Do you need the GitHub Enterprise to be able to purchase the GHAS license? Does the license is included in GitHub Enterprise?

• Describe the features and benefits of Security Overview:
  Security Overview is a feature for GitHub Enterprise. It enables managing repositories from your organization and see which repositories have enabled specific security features. It also allows you to configure available security resources that are not currently in use (like a checklist?).
• Describe the differences between secret scanning and code scanning:
  Secret scanning is a feature that analyses commits for potencial leaked secrets (such as API keys or secret tokens) based on predefined patterns of sensitive information. Code scanning is a SAST tool (such as Fortify or SonarQube) to statically analyses your code and look for vulnerabilities, like SQL injection or XSS.

Note

Does Code scanning provide IDE extensions? Like VS Code integration or something (would be cool)

• Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle:
  I believe that these three features complete each other, in the way that each one takes care of one kind of security concerns. By enabling all of them, you can manage and implement different security compliant features directly in your development environment.
• Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle:
  I don't have much experience in this area... but I could say that isolated security reviews certainly are not as useful, specially because they are usually done after the development cycle (or in the final stages) so you have a lot o rework or refactor to do, sometimes in critical points of the application that would affect how the software was constructed. An advanced scenario with security steps integrated, you can manage security concerns in each commit, avoid great changes in the future, the so called "Early Detection". Which is much better.

Explain and use specific GHAS features

• Describe how vulnerable dependencies are identified (by looking at the manifest files and comparing with databases of known vulnerabilities):
  This is a work fot dependabot 🤖! It is an automated tool for detecting vulnerable dependencies, cause it analyses the explicit declared dependencies in manifest and lockfiles in your repository (which fortunatelly come with the version of the dependency) and search them in GitHub Advisory Database, which is a security vulnerability database that you can also manually check if you are interested.
• Explain how to act on alerts from GHAS:
  To see and manage your alerts, you can go to the Security tab of the repository. There you'll find all the alerts for the repository and you can choose to ignore them or fix them. Before taking one decision, it is important to investigate the nature and severity of the alert. If you choose to fix, GitHub has some automation to help you (at least for dependabot!).

Note

The only alert that I have enabled so far are the dependabot alerts. I have yet to learn how to use the other ones 😅 but it seems pretty cool

• Explain the implications of ignoring an alert:
  It can led to a lot of risks, correct? Ignoring an alert means that your software has potencial vulnerabilities that could be exploited with malicious intentions.
• Explain the role of a developer when they discover a security alert:
  As a developer, therefore the maintainer of the application, it is important to investigate and understand what is the alert about (its nature, severity) and what are the possible risks it represents. By doing that, you can find ways to fix it or, at least, work around it if it's not possible to fix (very specific case in ones application).
• Describe the differences in access management to view alerts for different security features:
  Code scanning and dependabot alerts can be seem by anyone with Write access to the repository (I guess that makes sense, since they are going to fix it). Secret scanning need Admin access.

Note

GitHub allows RBAC (role-based access control) so this is really very costumizable. What would be the best practices to manage access to security alerts? I think code scanning is interesting for all developers, but dependency are not always managed by everyone in the team. Sometimes, updating a dependency can affect the behavior of the application, so it should be reserved to tech leaders and above. What do you think?

• Describe a security policy in a GitHub repository:
  From what I understand, security policies and created in the security.md file, and basically are used to tell your contributors how to manage security vulnerabities and how to work secure within the repository.
• Identify where to use Dependabot alerts in the software development lifecycle:
  GitHub Dependabot proactivelly analyses your dependency graph (not exactly the dependency graph, but both take information from the same place, so...) to find vulnerabilities. Anytime the dependency graph changes or a new vulnerability is added to GitHub's database, it creates an alert. It helps no only the development, but maintainence of your project in long term. With GHAS, dependabot features are extended to dependency review, which is an workflow that analyses new dependencies right in the pull request and automatically block them if they are vulnerable.

Note

It goes further if you use Version Updates with dependabot using the dependabot.yml, where you can configure dependabot to automatically update your dependencies when there's a new version. It's pretty cool, but just like GitHub Actions, it's kinda complex. Has anyone here used it and want to talk about it?

[queenofcorgis]

Awesome job - thanks for making this compilation and sharing with us!

[geopd]

1. B
2. D
3. C

[alexey-lebedev]

1. B
2. D
3. C

[davevad93]

That's great, thanks for the learning resources, looking forward for part 2 of the prep!

[queenofcorgis]

@keerthan0521

We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[queenofcorgis]

Pare Two's materials and prep questions are posted in a new Discussion - see you there 🤓

[martinondiwa]

Great resources provided for the GitHub Advanced Security certification prep! I found the Microsoft Learn modules particularly useful for getting a solid understanding of GitHub Advanced Security's core features. For those preparing for the exam, I’d recommend also checking out the GitHub Docs for the latest updates and best practices. It’s always helpful to see real-world applications of these tools. Looking forward to seeing everyone's responses to the practice questions!

[keerthan0521]

Thanks for the useful resources for GitHub advanced security certification. Resources I find very helpful for preparation are 1) Microsoft Learn modules 2) GHAS prep by Microsoft Press on LinkedIn Learning 3) Official GitHub documentation.

[jccampanero]

Following @queenofcorgis advice, these are my answers (I promise I didn't see the ones you provided!):

1. B
2. D
3. C

[trivikramm]

See the answers below

1. B
2. D
3. C

[profile-palash]

Question 1: Which of the following is a feature of Dependabot?

Answer: B. Dependabot opens pull requests to update dependencies.

Explanation

Dependabot helps keep your dependencies up-to-date by automatically opening pull requests to update them. This ensures that your project uses the latest versions, which can include important security patches and new features.

Question 2: Which of the following features is part of GitHub Advanced Security?

Answer: D. All of the above

Explanation

GitHub Advanced Security includes several features to enhance the security of your codebase: - Secret Scanning: Detects and alerts on leaked secrets in your code. - Dependabot: Creates alerts on and updates insecure dependencies. - Code Scanning: Identifies and fixes security vulnerabilities and other errors in your code.

Question 3: Which of the following is a feature of GitHub Advanced Security?

Answer: C. Dependency scanning.

Explanation

Dependency scanning is a feature of GitHub Advanced Security that helps identify and manage vulnerabilities in your project's dependencies. This ensures that you are aware of and can address any security risks associated with the libraries and packages your project relies on.