GitHub GH-500 glossary of code security, scanning, policy, and alerting terms.

Use this glossary when GitHub Advanced Security (GHAS) terms start to blur together. The goal is practical recognition, not encyclopedia coverage.

| Term | Exam meaning |
|---|---|
| CodeQL | Semantic code analysis engine used by GitHub code scanning. |
| SARIF | Static Analysis Results Interchange Format, the standard format for static analysis results that code scanning ingests. |
| Secret scanning | Detection of credentials or tokens committed to repositories. |
| Dependabot | GitHub tool for dependency alerts and update pull requests. |
| Push protection | Control that blocks known secret patterns before they enter a repository. |
| Security overview | GitHub organization view for repository security posture and alerts. |

| Pair | How to separate them |
|---|---|
| Code scanning vs Secret scanning | Ask which layer the scenario is testing, then match the answer to that layer only. |
| Control vs evidence | A control changes behavior; evidence proves behavior or supports investigation. |
| Managed service vs custom build | Managed services win for lower operational effort unless the requirement needs unsupported customization. |
| Prevention vs detection | Prevention blocks or reduces a bad event; detection finds or reports that it happened. |

Do not memorize terms in isolation. For each term, write one scenario where it is the best answer, one scenario where it is a distractor, and one signal that proves it worked.