GHAS Certification Exam Prep: Week Four - Managing Your GitHub Securely

[queenofcorgis]

This is our last week of GHAS certification exam, if you missed Week One’s Discussion, Week Two’s Discussion, and/or, Week Three’s Discussion don’t worry feel free to get started and join us when you are caught up. The final installment covers Admin Essentials. We’re here to answer questions and share knowledge 💡 .

Plus, prep materials and test questions to continue on studying. As a reminder, we'll be selecting five participants to receive a free GitHub Certifications exam voucher 🎫 .

Step One: Prep 📚

Use these materials to study before answering this week’s prep questions.

• Microsoft Learn Modules
  • GitHub administration for GitHub Advanced Security
  • Manage sensitive data and security policies within GitHub
• Study guides from @LadyKerr
  • Describe GitHub Advanced Security best practices
• Videos
  • GitHub Advanced Security - Pass the Exam from freeCodeCamp
    • GHAS Best Practices
    • GHAS for Enterprise

Step Two: Test Your Knowledge ⚡

Question One: How can you manage GitHub Advanced Security alerts?

A) By using the GitHub Advanced Security API endpoints
B) By manually checking each repository
C) By using a third-party tool
D) By disabling security features

Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?

A) Give access to security alerts to users and teams with write permission on their repositories.
B) Add a SECURITY.md file to the root, docs, or .github folder of your organization's repositories.
C) Set a security policy at the organization level.

Question Three: Which GitHub Advanced Security feature isn't available on public repositories?

A) Secret scanning.
B) Security Overview.
C) Code scanning.

Question Four: Which tool helps identify and block secrets from being pushed into repositories?

A) Code scanning
B) Secret scanning
C) Dependency management
D) Issue tracking

Question Five: How can security policies be managed within GitHub?

A) By creating documentation that details security guidelines
B) By setting permissions and rules
C) By automating processes to prevent security breaches
D) All of the above

Question Six: Which of the following is NOT a step in setting security policies within GitHub?

A) Creating documentation that details security guidelines
B) Setting permissions and rules
C) Automating processes to prevent security breaches
D) Allowing unrestricted access to all users

Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?

A) By ignoring security alerts
B) By using GitHub's basic security tools like secret scanning and code scanning
C) By disabling security features
D) By allowing bulk export of sensitive data

We’ll be sharing the answers in the comments on Friday 🧠

Use the discussion below to share additional study resources, ask questions for our team to answer, and respond to our prep questions

Stay tuned next week for a follow-up discussion to share feedback and more!

[jccampanero]

I believe these are the answers for this week:

Question One: How can you manage GitHub Advanced Security alerts?
A) By using the GitHub Advanced Security API endpoints
B) By manually checking each repository
C) By using a third-party tool
D) By disabling security features

Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
A) Give access to security alerts to users and teams with write permission on their repositories.
B) Add a SECURITY.md file to the root, docs, or .github folder of your organization's repositories.
C) Set a security policy at the organization level.

Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
A) Secret scanning.
B) Security Overview.
C) Code scanning.

Question Four: Which tool helps identify and block secrets from being pushed into repositories?
A) Code scanning
B) Secret scanning
C) Dependency management
D) Issue tracking

Question Five: How can security policies be managed within GitHub?
A) By creating documentation that details security guidelines
B) By setting permissions and rules
C) By automating processes to prevent security breaches
D) All of the above

Question Six: Which of the following is NOT a step in setting security policies within GitHub?
A) Creating documentation that details security guidelines
B) Setting permissions and rules
C) Automating processes to prevent security breaches
D) Allowing unrestricted access to all users

Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
A) By ignoring security alerts
B) By using GitHub's basic security tools like secret scanning and code scanning
C) By disabling security features
D) By allowing bulk export of sensitive data

Thank you very much for the new course content this week.

Overall, thank you very much for this course. It has been a fantastic learning resource.

And thank you very much for your comments and your kindness, @queenofcorgis, @gitstua.

[queenofcorgis]

@jccampanero thank you so much for participating - I'm glad you enjoyed the course and asked questions ❤️

[RishavKumarSinha]

Thanks again for the awesome list of resources, especially the Microsoft Learn paths! As for the answers,

Q1. A
Q2. C
Q3. B
Q4. B
Q5. D
Q6. D
Q7. B

[Yordan-Ramchev]

1. A) By using the GitHub Advanced Security API endpoints
2. C) Set a security policy at the organization level
3. B) Security Overview
4. B) Secret scanning
5. D) All of the above
6. D) Allowing unrestricted access to all users
7. B) By using GitHub's basic security tools like secret scanning and code scanning

[geopd]

1. A
2. C
3. B
4. B
5. D
6. D
7. B

[profile-palash]

Question 1: How can you manage GitHub Advanced Security alerts?

Answer: A. By using the GitHub Advanced Security API endpoints.

Explanation

The GitHub Advanced Security API endpoints allow you to programmatically manage security alerts across your repositories. This includes retrieving, dismissing, and resolving alerts, which can help automate and streamline your security management processes.

Question 2: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?

Answer: C. Set a security policy at the organization level.

Explanation

Setting a security policy at the organization level ensures that all repositories within the organization adhere to the same security standards. This helps in maintaining consistency and compliance across the board.

Question 3: Which GitHub Advanced Security feature isn’t available on public repositories?

Answer: B. Security Overview.

Explanation

The Security Overview feature, which provides a high-level view of security alerts and vulnerabilities across multiple repositories, is not available for public repositories. This feature is designed for private repositories to help organizations manage their security posture.

Question 4: Which tool helps identify and block secrets from being pushed into repositories?

Answer: B. Secret scanning.

Explanation

Secret scanning is a feature that scans your repositories for sensitive data such as API keys, tokens, and passwords. It helps prevent these secrets from being accidentally committed to your codebase, thereby reducing the risk of security breaches.

Question 5: How can security policies be managed within GitHub?

Answer: D. All of the above.

Explanation

Managing security policies within GitHub involves creating documentation that details security guidelines, setting permissions and rules to control access, and automating processes to prevent security breaches. These combined efforts help ensure a robust security posture.

Question 6: Which of the following is NOT a step in setting security policies within GitHub?

Answer: D. Allowing unrestricted access to all users.

Explanation

Allowing unrestricted access to all users is not a step in setting security policies. Instead, security policies should focus on creating documentation, setting permissions and rules, and automating processes to enhance security.

Question 7: How can you ensure compliance with industry standards when managing sensitive data in GitHub?

Answer: B. By using GitHub’s basic security tools like secret scanning and code scanning.

Explanation

Using GitHub’s basic security tools such as secret scanning and code scanning helps ensure compliance with industry standards by identifying and mitigating potential security risks in your codebase.

[davevad93]

Question 1: How can you manage GitHub Advanced Security alerts?

A) By using the GitHub Advanced Security API endpoints

Question 2: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?

C) Set a security policy at the organization level

Question 3: Which GitHub Advanced Security feature isn’t available on public repositories?

B) Security Overview.

Question 4: Which tool helps identify and block secrets from being pushed into repositories?

B) Secret scanning

Question 5: How can security policies be managed within GitHub?

D) All of the above

Question 6: Which of the following is NOT a step in setting security policies within GitHub?

D) Allowing unrestricted access to all users

Question 7: How can you ensure compliance with industry standards when managing sensitive data in GitHub?

B) By using GitHub's basic security tools like secret scanning and code scanning

[davevad93]

I've been inspired by @profile-palash format style!

[profile-palash]

@davevad93 Wow! You've enhanced readability by abstracting the answers 😍

[juanlujand]

Question One: How can you manage GitHub Advanced Security alerts?
A) By using the GitHub Advanced Security API endpoints

Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
C) Set a security policy at the organization level.

Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
B) Security Overview

Question Four: Which tool helps identify and block secrets from being pushed into repositories?
B) Secret scanning

Question Five: How can security policies be managed within GitHub?
D) All of the above

Question Six: Which of the following is NOT a step in setting security policies within GitHub?
D) Allowing unrestricted access to all users

Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
B) By using GitHub's basic security tools like secret scanning and code scanning

[soumya03Surya]

Posting the Answers for the questions here, covering @queenofcorgis

Answers

Question One: How can you manage GitHub Advanced Security alerts?

A) By using the GitHub Advanced Security API endpoints

Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?

C) Set a security policy at the organization level.
You can enforce a security policy at the organization level that allows all repository administrators in your organization to enable features for Advanced Security for their repositories.

Question Three: Which GitHub Advanced Security feature isn't available on public repositories?

B) Security Overview. The Security Overview is only available on private repositories with GitHub Advanced Security.

Question Four: Which tool helps identify and block secrets from being pushed into repositories?

B) Secret scanning

Question Five: How can security policies be managed within GitHub?

D) All of the above

Question Six: Which of the following is NOT a step in setting security policies within GitHub?

D) Allowing unrestricted access to all users

Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?

B) By using GitHub's basic security tools like secret scanning and code scanning

Have any questions on this week's topics - ask them in this discussion!

[Salgado2004]

Hello guys 🌟👋

For this last week I just want to say I'm gonna miss you all 🥹 It was very fun to come each week studing the prep materials and creating study breakdowns to share with you (it really motivates me!).

I'm grateful for the materials, the questions, the contributions, and all. And thank you @queenofcorgis, you're an excellent moderator 😊.

Here's my last breakdown for GitHub Advanced Security:

Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise

GitHub Advanced Security Administration

Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server:

Before enabling GHAS for GitHub Enterprise Server, first you need to enable the Advanced Security for the GH Server instance (and your license must support Advanced security). You can do that either in the interface or the CLI, but it's important to notice you have to enable each feature of Advanced Security (and you'll be billed for them, so take care) . After you do that, you can reload your server instance, navigate to the Settings tab -> Code security and analysis of your organizations and configure how you want to enable the GHAS for the organizations and repositories.

Explain how GitHub Advanced Security features are enabled for an organization:

To enable GHAS features in the organization level, you need to go to your organization's Settings tab -> Code security and analysis. You can choose to enable all the features, or only the features that you want, like dependabot. You can also check to automatically enable the features for new repositories.

Set security policies for a repository:

The security policies for a repository are informations displayed in the security tab of the repo (for those who don't have access to alerts) that tells how to report vulnerabilities, what are the supported versions of the application, and other useful stuff. To configure them, you just need to create the security.md markdown file in the .github/ folder, docs/ folder or in the root of the repository.

Set security policies for an organization:

The security policy in the organization level is a little more powerful. In the enterprise settings, you can create policies to allow all your organizations or only selected ones to enable GHAS features in their repositories (that's smart, because it can become very expensive if uncontrolled).

Describe how permissions are interpreted throughout security workflow:

The permissions in a security workflow are, by default, evaluated using a GITHUB_TOKEN. It will grant read and/or write permissions depending on the scope (actions, issues, PRs, etc). You can also define your own custom permissions overriding the GITHUB_TOKEN using the permissions key in workflow yaml files. It can be applied to the entire workflow or only for specific jobs.

Locate API endpoints for GHAS features, like secret scanning, code scanning, and dependabot:

GitHub also has different API endpoints for each Advanced Security feature, that can be useful in the development lifecycle. Each API has different purposes, but in general, they allow users to enable/disable the security feature and retrieve security alerts. The code scanning API also allows you to update SARIF files from external scanning tools. For more information, you can check the documentation in:

1. Code scanning
2. Secret scanning
3. Repos
4. GraphQL

List stakeholders that need to be involved in the security workflows enabled by GHAS, including their role in the workflow:

With GHAS, I understand the security workflow affects the entire development lifecycle, so this list should include from developers to product owners. The developers are responsible for fixing security vulnerabilities, tech leaders are responsible for managing the technology stack and helping the developers in the solutions, the security managers who create the security policies, the devops engineers who create the pipelines and orchestrate the security workflows and the product owners who manage the timelines and decide what is the standard level of security the product needs.

Configure code scanning within a repository or organization using the default CodeQL workflow:

Go to Settings tab > Code security and analysis, scroll down to code scanning section. In the set up drop-down you select "default". You'll be prompted some basic configurations and GitHub will do the rest for you (creating a hidden workflow file that you don't have access to). After you finish the setup, you can enable code scanning and it will run the first scan for the repository.

Identify the custom build steps necessary in a CodeQL workflow:

The initial steps are similar to the default workflow, but in the code scanning section you'll select "advanced". With this setup you will have a codeql.yml workflow file to work on. There you can configure custom build commands for your application, custom codeQL queries, file exclusions and other useful configuration. You can do it directly in the workflow file or you can reference a configuration file, like codeql-config.yml.

Prep questions

Answers:

1. A
2. C
3. B
4. B
5. D
6. D
7. B

---

Hey @profile-palash, you really inspired people with the details tag 😅 It's everyone now! That's awesome.

[profile-palash]

Yup, learning collaboratively was quite fun. I'll also miss this.

[queenofcorgis]

@Salgado2004 thank you for bringing so much enthusiasm to this engagement - I hope to see you and @profile-palash around the community - the fun doesn't stop here 😃

[profile-palash]

@queenofcorgis Haha absolutely, the fun and learning never stop 😊 I’m looking forward to being active in the community...

[bos-hieu]

I missed this week. Hopefully it is not too late.

• Question One: A

• Question Two: C --> reference

• Question Three: B —> reference

• Question Four: B

• Question Five: D —> reference

• Question Six: D

• Question Seven: B

[queenofcorgis]

@bos-hieu not too late at all - thanks for participating!

[juanlujand]

Hi everyone I would like to know if the certification voucher was already delivered? Congratulations who wins this amazing benefits just in case Have a nice week

…

On Wed, Oct 2, 2024, 9:27 AM MD Palash Hossain ***@***.***> wrote: @queenofcorgis <https://github.com/queenofcorgis> Haha absolutely, the fun and learning never stop 😊 I’m looking forward to being active in the community... — Reply to this email directly, view it on GitHub <#139526 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A2C63CIQVWTA4ZLPVVUUHRLZZP7ELAVCNFSM6AAAAABOWUKPQWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAOBSGE2TMNQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.*** com>

[queenofcorgis]

@juanlujand - we just posted our wrap up discussion if you didn't get the ping 😃

[queenofcorgis]

Congratulations - we've completed the GHAS Certification Exam prep course. Share feedback and see if you were a voucher winner in this Discussion.