
GitHub GH-100 Cheat Sheet: Org Policy, Teams, and Governance

GitHub GH-100 cheat sheet for org policy, teams, governance, traps, and final review.

Use this cheat sheet for GitHub Administration after you know the admin surfaces and need faster governance decisions. Administration questions usually ask where to enforce policy, how to scale access cleanly, and how to prove the organization is controlled.

Administration answer sequence

Use this when the stem mixes repository governance, access, branch protection, secrets, or audit.

    flowchart TD
        S["Scenario"] --> O["Identify the GitHub object or setting"]
        O --> R["Check access, protection, or ownership"]
        R --> A["Apply the minimum governance change"]
        A --> V["Verify review, history, or audit behavior"]

Read every Administration question in this order

  1. Identify the scope: repository, organization, enterprise, identity provider, runner, app, or security feature.
  2. Decide whether the task is access, policy enforcement, audit, security triage, automation governance, or lifecycle management.
  3. Prefer team, role, ruleset, and policy-based administration over one-off manual fixes.
  4. Add evidence: audit log, review cadence, required check, alert ownership, or approval trail.
  5. Reject answers that solve one repository when the requirement is organization-wide.

Access and organization management

| Requirement | Strong answer pattern |
| --- | --- |
| grant repo access to a group | team-based access instead of individual grants |
| remove departed user | identity lifecycle, access review, token/session cleanup |
| separate duties | teams, roles, repository permissions, and protected workflows |
| temporary admin need | time-bounded access, approval, logging, and removal |
| external collaborator | scoped access, expiration/review, and least privilege |
| organization-wide role control | org or enterprise roles where appropriate |

Repository governance

| Need | Start with |
| --- | --- |
| require review before merge | branch protection or repository ruleset |
| require passing tests | required status checks |
| protect sensitive paths | CODEOWNERS and required review |
| standardize new repos | templates, defaults, policies, and repository rules |
| archive stale project | archive policy, ownership review, and dependency/security impact |
| prevent force pushes | branch protection/ruleset settings |

Enterprise identity and audit

| Topic | Exam instinct |
| --- | --- |
| SSO/SAML | centralizes authentication through the identity provider |
| SCIM | automates user provisioning and deprovisioning |
| enterprise managed users | centralizes identity ownership for enterprise-controlled accounts |
| audit log | proves administrative, access, policy, and security events |
| access review | verifies least privilege remains true over time |
| compliance evidence | combine policy, audit, access review, and security feature status |

Security administration

| Requirement | Strong answer pattern |
| --- | --- |
| enable code risk visibility | code scanning ownership and triage process |
| prevent secret exposure | secret scanning, push protection, rotation workflow |
| handle vulnerable dependencies | Dependabot alerts, dependency review, update ownership |
| govern Actions risk | token permissions, allowed actions, runner policy, secret scope |
| protect production deploys | environments, required reviewers, branch rules, audit |
| prove remediation | alert state, PR, commit, owner, and evidence |

Apps, tokens, runners, and integrations

| Risk | Better instinct |
| --- | --- |
| app requests broad access | review scopes, repositories, webhook events, and owner |
| long-lived token | minimize scope, rotate, expire where possible, and audit use |
| self-hosted runner | isolate by trust level, labels, groups, patching, and repository access |
| webhook failure | verify URL, secret, payload, delivery log, and retry behavior |
| automation touches production | environment protections, approvals, and least privilege |
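The "verify secret and payload" step for a webhook in concrete form, as an added example that is not part of the original cheat sheet or of any GitHub SDK: GitHub signs the raw request body with HMAC-SHA256 keyed by the webhook secret and sends the result in the X-Hub-Signature-256 header, so the receiver recomputes and compares it before trusting the payload. The secret and request body below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): the secret configured on the
# webhook and the raw JSON body GitHub would POST for one delivery.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","repository":{"full_name":"example-org/example-repo"}}'


def expected_signature(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 value GitHub computes for this body.

    The value is 'sha256=' followed by the hex HMAC-SHA256 of the raw body.
    """
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_delivery(secret: bytes, body: bytes, headers: dict) -> bool:
    """Verify a delivery before acting on its payload.

    Rejects a missing header, a header without the sha256= prefix, and a
    digest that does not match. hmac.compare_digest keeps the comparison
    constant-time so the check does not leak how many bytes matched.
    """
    # HTTP header names are case-insensitive; normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-hub-signature-256")
    if not received or not received.startswith("sha256="):
        return False
    return hmac.compare_digest(received, expected_signature(secret, body))


def demo() -> dict:
    """Exercise the verifier with a valid, a tampered, an unsigned and a wrong-secret delivery."""
    good_headers = {"X-Hub-Signature-256": expected_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    tampered_body = SAMPLE_BODY.replace(b"opened", b"closed")
    return {
        "valid": verify_delivery(WEBHOOK_SECRET, SAMPLE_BODY, good_headers),
        "tampered": verify_delivery(WEBHOOK_SECRET, tampered_body, good_headers),
        "unsigned": verify_delivery(WEBHOOK_SECRET, SAMPLE_BODY, {}),
        "wrong_secret": verify_delivery(b"some-other-secret", SAMPLE_BODY, good_headers),
    }


if __name__ == "__main__":
    print(demo())
```

A rejected delivery should be logged alongside the delivery ID from the webhook's delivery log so the failure can be correlated and redelivered after the secret or URL is corrected.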

Common traps

| Trap | Better instinct |
| --- | --- |
| user-by-user sprawl | manage through teams, roles, and identity lifecycle |
| policy without enforcement | use rulesets, branch protection, required checks, and audit |
| feature enabled without owner | security alerts need triage, SLA, and remediation workflow |
| unmanaged self-hosted runners | runners are execution trust boundaries |
| integration overpermissioning | review scopes and restrict repository access |
| local fix for enterprise requirement | enforce at org or enterprise level |

Final 15-minute review

| If the stem says… | Start here |
| --- | --- |
| access governance | identity source, teams, roles, least privilege, review |
| merge control | ruleset, branch protection, required review/check, CODEOWNERS |
| audit or compliance | audit log, evidence, policy, owner, access review |
| security feature rollout | enablement, scope, alert owner, triage, remediation proof |
| Actions governance | allowed actions, token permissions, secrets, runners, environments |
| integration | app scopes, token lifecycle, webhook security, repository selection |

Practice fit

Use IT Mastery for the exact product route, practice status, spaced review when available, and close-answer explanation practice as coverage expands.

Open the exact IT Mastery route here: Admin on MasteryExamPrep.

One-line decision rule

GitHub Administration answers should enforce policy at the right scope, grant access through governed groups, and leave audit evidence that the control actually operates.

Revised on Sunday, May 10, 2026