
GitHub GH-500 Cheat Sheet: Code Security, Scanning, and Policy

GitHub GH-500 cheat sheet for code security, scanning, policy, traps, and final review.

Use this cheat sheet for GitHub Advanced Security (GHAS) after you know the feature names and need faster security-program decisions. GHAS questions usually ask which signal, policy, or remediation step reduces software risk in a GitHub workflow.

Advanced Security answer sequence

Use this when the stem mixes secret exposure, code scanning, dependency risk, or response workflow.

    flowchart TD
        S["Scenario"] --> R["Identify the security risk"]
        R --> C["Choose secret, code, or supply-chain control"]
        C --> O["Check alerting, remediation, or policy path"]
        O --> V["Verify evidence and recurrence prevention"]

Read every GHAS question in this order

  1. Identify the risk class: exposed secret, vulnerable dependency, code weakness, workflow privilege, or governance gap.
  2. Identify where the control runs: repository, organization, enterprise, pull request, workflow, branch, or developer environment.
  3. Decide whether the question asks for detection, prevention, triage, remediation, or rollout governance.
  4. Preserve the fix sequence: identify, contain, rotate or patch, verify, prevent recurrence, and document.
  5. Reject answers that silence alerts without reducing risk.

GHAS feature chooser

| Need | Start with | Watch for |
|---|---|---|
| find code-level vulnerabilities | code scanning and CodeQL | language support, query packs, build mode, alert triage, and SARIF |
| find exposed credentials | secret scanning and push protection | rotation, revocation, custom patterns, alert routing, and bypass review |
| manage vulnerable dependencies | Dependabot alerts, dependency review, and updates | severity, exploitability, direct versus transitive dependency, and compatibility |
| prevent risky pull requests | branch protection, required checks, dependency review, code scanning status checks | required enforcement at the right branch or ruleset |
| govern at scale | organization and enterprise security settings | repository visibility, rollout policy, audit logs, and security roles |

Secret scanning response

| Step | Exam instinct |
|---|---|
| detect | identify secret type, location, repository, and exposure path |
| contain | revoke or disable the credential quickly |
| rotate | issue a replacement through the owning system |
| investigate | check audit logs, usage logs, and blast radius |
| clean up | remove from code and history where appropriate |
| prevent | push protection, custom patterns, secret hygiene, and developer education |

Dependency security response

| Scenario | Strong answer pattern |
|---|---|
| known vulnerable dependency | assess severity and exposure, update or patch, test, and merge safely |
| vulnerable transitive dependency | update direct dependency or override where supported after compatibility review |
| risky new dependency in PR | dependency review before merge |
| frequent dependency drift | Dependabot version updates plus test automation |
| compliance asks for inventory | dependency graph, SBOM concepts, ownership, and reporting evidence |

Code scanning and CodeQL

| Concept | What to remember |
|---|---|
| code scanning | surfaces potential vulnerabilities in code and can use SARIF results |
| CodeQL | semantic code analysis engine with queries and query packs |
| custom query | use when organization-specific patterns or frameworks need detection |
| alert triage | prioritize by severity, precision, reachability/context, and exploit path |
| pull request checks | prevent new vulnerable code from entering protected branches |
| false positive handling | document dismissal reason; do not blanket-disable useful detection |
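Added example, not from the cheat sheet: a code scanning workflow that wires together the rows above (language support, build mode, query packs, SARIF upload, and the pull request trigger). The language matrix and the query pack choice are assumptions; the workflow only becomes a gate once its check is required by branch protection or a ruleset.

```yaml
name: codeql

on:
  pull_request:
    branches: [main]        # runs on PRs so the check can be required before merge
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'     # weekly scan picks up newly published queries

permissions: {}             # deny by default; grant per job

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        include:
          # Assumed languages; build mode differs per language.
          - language: javascript-typescript
            build-mode: none       # interpreted: no build required
          - language: java-kotlin
            build-mode: autobuild  # compiled: CodeQL attempts the build
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended   # broader pack; tune if precision drops
      # Analyze runs the queries and uploads SARIF; one category per language
      # keeps results separate in the alert list.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```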

Workflow and automation risk

| Risk | Better instinct |
|---|---|
| action has broad token access | reduce GITHUB_TOKEN permissions at workflow or job scope |
| third-party action is untrusted | pin versions or SHAs and prefer trusted publishers |
| deployment secrets in PR workflow | isolate secrets and environments from untrusted pull request code |
| static cloud credentials | use OIDC federation when supported |
| security scan bypassed | make checks required on protected branches or rulesets |
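Added example, not from the cheat sheet: one deploy workflow showing the weak setting from each row above as a comment beside the hardened form. The commit SHA placeholders, the IAM role ARN, and the `make test` and `./deploy.sh` commands are assumptions; substitute values you have verified.

```yaml
name: deploy

on:
  pull_request:             # untrusted code: never pair pull_request_target with secrets
  push:
    branches: [main]

# Weak: omit this block and GITHUB_TOKEN gets the default, often broad, scope.
# Hardened: deny at workflow scope, then grant the minimum per job.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # all that checkout and tests need
    steps:
      # Weak: uses: actions/checkout@main (mutable ref a publisher could move).
      # Hardened: pin the full commit SHA; keep the version tag as a comment.
      - uses: actions/checkout@<commit-sha-placeholder> # v4
      - run: make test

  deploy:
    needs: test
    # PR code never reaches this job: it runs only on pushes to main.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production # environment protection rules and reviewers apply
    permissions:
      contents: read
      id-token: write       # lets the job request an OIDC token; no static keys
    steps:
      - uses: actions/checkout@<commit-sha-placeholder> # v4
      # Weak: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} (static credential).
      # Hardened: exchange the short-lived OIDC token for cloud credentials.
      - uses: aws-actions/configure-aws-credentials@<commit-sha-placeholder> # v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/deploy-role-placeholder
          aws-region: us-east-1
      - run: ./deploy.sh
```

Making the `test` job a required status check on `main` closes the last row: a scan or test that is not required can be bypassed by merging anyway.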

Enterprise rollout

| Requirement | Start with |
|---|---|
| enable GHAS consistently | organization or enterprise policy, repository selection, and rollout plan |
| assign remediation ownership | code owners, security managers, teams, and alert routing |
| prove program health | alert trends, time to remediate, bypasses, audit logs, and coverage reports |
| reduce developer friction | PR annotations, clear fix guidance, autofix where appropriate, and tuned queries |
| protect regulated repositories | required checks, rulesets, audit, secret scanning, dependency review, and access review |

Common traps

| Trap | Better instinct |
|---|---|
| remove secret from repository only | revoke, rotate, investigate, and prevent recurrence |
| Dependabot update equals safe | test compatibility and confirm vulnerable path is addressed |
| CodeQL alert equals definite exploit | triage severity, precision, context, and reachable path |
| dismiss alert to clean dashboard | use documented dismissal only when risk is understood |
| GHAS as repository-only setup | enterprise and organization policy often control scale |
| workflow security ignored | Actions can become the path that bypasses code security controls |

Final 15-minute review

| If the stem says… | Start here |
|---|---|
| leaked token | secret scanning, push protection, revoke, rotate, investigate |
| vulnerable package | Dependabot alert, dependency review, update, test, verify |
| insecure code pattern | code scanning, CodeQL query, alert triage, required check |
| rollout across many repos | organization/enterprise policy, coverage, ownership, reporting |
| pull request gate | branch protection, rulesets, required checks, dependency review |
| cloud credentials in workflow | OIDC, environment protection, scoped token, and secret minimization |

Practice fit

Use IT Mastery for the exact product route, practice status, spaced review when available, and close-answer explanation practice as coverage expands.

Open the exact IT Mastery route here: GHAS on MasteryExamPrep.

One-line decision rule

GHAS answers should detect the right software risk, route ownership, remediate the underlying exposure, and enforce the control before the same risk re-enters.

Revised on Sunday, May 10, 2026