GH-500 Preparation Details
Preparing for the GH-500 GitHub Advanced Security certification exam? Start here with a complete, objective-wise GH-500 study guide designed to help you pass faster.
This guide brings together official Microsoft documentation, key concepts, and curated resources for every GH-500 exam objective, making it ideal for both beginners and last-minute revision.
Looking for the best GH-500 preparation resources in one place? This page covers everything you need to get exam-ready with confidence.
GH-500 Copilot Materials
| Platform | Course |
| --- | --- |
| Udemy | GitHub Advanced Security Practice Exam |
| Coursera | GitHub Actions Masterclass: From Beginner to Advanced |
Domain 1: Describe the GHAS security features and functionality (15%)
Contrast GHAS features and their role in the security ecosystem
Differentiate the security features that come automatically for open source projects, and what features are available when GHAS is paired with GHEC or GHES
About GitHub Advanced Security
GitHub Advanced Security license billing
Managing security and analysis settings for your repository
Describe the features and benefits of Security Overview
Assessing the security risk of your code
Assessing adoption of security features
Describe the differences between secret scanning and code scanning
About GitHub Advanced Security
Describe how secret scanning, code scanning, and Dependabot create a more secure software development life cycle
Best practices for securing code in your supply chain
Introduction to adopting GitHub Advanced Security at scale
Contrast a security scenario with isolated security review and an advanced scenario, with security integrated into each step of the software development life cycle
Introduction to adopting GitHub Advanced Security at scale
Best practices for securing code in your supply chain
Explain and use specific GHAS features
Describe how vulnerable dependencies are identified (by looking at the manifest files and comparing with databases of known vulnerabilities)
Troubleshooting the detection of vulnerable dependencies
About the GitHub Advisory Database
Choose how to act on alerts from GHAS
Viewing and updating Dependabot alerts
Managing alerts from secret scanning
Managing code scanning alerts for your repository
Explain the implications of ignoring an alert
Best practices for securing code in your supply chain
Explain the role of a developer when they discover a security alert
Best practices for securing code in your supply chain
Introduction to adopting GitHub Advanced Security at scale
Describe the differences in access management to view alerts for different security features
Managing security and analysis settings for your repository
Managing security managers in your organization
Permission to view data in security overview
Identify where to use Dependabot alerts in the software development lifecycle
About Dependabot security updates
Domain 2: Configure and use secret scanning (15%)
Configure and use Secret Scanning
Describe secret scanning
Keeping secrets secure with secret scanning
Describe push protection
Enabling push protection for your repository
Describe validity checks
Evaluating alerts from secret scanning
Enabling validity checks for your repository
Supported secret scanning patterns
Contrast secret scanning availability for public and private repositories
About GitHub Advanced Security
GitHub Advanced Security license billing
Enable secret scanning for private repositories
Enabling secret scanning for your repository
Enabling secret scanning features
Pick an appropriate response to a secret scanning alert
Managing alerts from secret scanning
Resolving alerts from secret scanning
Viewing and filtering alerts from secret scanning
Determine if an alert is generated for a given secret, pattern, or service provider
Supported secret scanning patterns
About the GitHub Advisory Database
Determine if a given user role will see secret scanning alerts and how they will be notified
Managing security and analysis settings for your repository
Managing security managers in your organization
Customize default secret scanning behavior
Configure the recipients of a secret scanning alert (also includes how to provide access to members and teams other than admins)
Managing security and analysis settings for your repository
Managing security managers in your organization
Configuring notifications for secret scanning
Exclude certain files from being scanned for secrets
Excluding folders and files from secret scanning
Enabling secret scanning for your repository
Enable custom secret scanning for a repository
Defining custom patterns for secret scanning
About custom patterns for secret scanning
Supported secret scanning patterns
Domain 3: Configure and use Dependabot and Dependency Review (35%)
Describe tools for managing vulnerabilities in dependencies
Define the dependency graph
Configuring the dependency graph
Describe how the dependency graph is generated
Troubleshooting the dependency graph
Describe what a Software Bill of Materials (SBOM) is, and the SBOM format used by GitHub
Exporting a software bill of materials for your repository
REST API endpoints for software bill of materials (SBOM)
Define a dependency vulnerability
About the GitHub Advisory Database
Describe Dependabot alerts
Describe Dependabot security updates
About Dependabot security updates
Configuring Dependabot security updates
Describe Dependency Review
Reviewing dependency changes in a pull request
Describe how alerts are generated for vulnerable dependencies (driven from the dependency graph, sourced from the GitHub Advisory Database)
About the GitHub Advisory Database
Describe the difference between Dependabot and Dependency Review
Enable and configure tools for managing vulnerable dependencies
Identify the default settings for Dependabot alerts in public and private repositories
Identify the permissions and roles required to enable Dependabot alerts
Identify the permissions and roles required to view Dependabot alerts
Managing security and analysis settings for your repository
Enable Dependabot alerts for private repositories
Managing security and analysis settings for your repository
Enable Dependabot alerts for organizations
Managing security and analysis settings for your organization
Create a valid Dependabot configuration file to group security updates
Configuring Dependabot security updates
Create a Dependabot Rule to auto-dismiss low severity alerts until a patch is available
About Dependabot auto-triage rules
Customizing auto-triage rules to prioritize Dependabot alerts
Using GitHub preset rules to prioritize Dependabot alerts
Create a Dependency Review GitHub Actions workflow
Configuring the dependency review action
Customizing your dependency review action configuration
Configure license checks and custom severity thresholds in a Dependency Review workflow
Configuring the dependency review action
Customizing your dependency review action configuration
Configure notifications for vulnerable dependencies
Configuring notifications for Dependabot alerts
Identify and remediate vulnerable dependencies
Identify a vulnerable dependency from a Dependabot alert
Viewing and updating Dependabot alerts
Identify vulnerable dependencies from a pull request
Reviewing dependency changes in a pull request
Enable Dependabot security updates
Configuring Dependabot security updates
About Dependabot security updates
Remedy a vulnerability from a Dependabot alert in the Security tab (could include updating or removing the dependency)
Viewing and updating Dependabot alerts
About Dependabot security updates
Remedy a vulnerability from a Dependabot alert in the context of a pull request (could include updating or removing the dependency)
Reviewing dependency changes in a pull request
Viewing and updating Dependabot alerts
Take action on any Dependabot alerts by testing and merging pull requests
Viewing and updating Dependabot alerts
Automating Dependabot with GitHub Actions
About Dependabot security updates
Domain 4: Configure and use Code Scanning with CodeQL (25%)
Use code scanning with third-party tools
Enable code scanning for use with a third-party analysis
Using code scanning with your existing CI system
Integrating with code scanning
Contrast the steps for using CodeQL versus third-party analysis when enabling code scanning
About code scanning with CodeQL
Using code scanning with your existing CI system
Configuring default setup for code scanning
Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party CI tool
Using code scanning with your existing CI system
Customizing your advanced setup for code scanning
Upload third-party SARIF results via the SARIF endpoint
Uploading a SARIF file to GitHub
SARIF support for code scanning
REST API endpoints for code scanning
Describe and enable code scanning
Describe how code scanning fits in the software development life cycle
About code scanning with CodeQL
Best practices for securing code in your supply chain
Contrast the frequency of code scanning workflows (scheduled versus triggered by events)
Customizing your advanced setup for code scanning
Workflow configuration options for code scanning
Choose a triggering event for a given development pattern (for example, in a pull request and for specific files)
Customizing your advanced setup for code scanning
Workflow configuration options for code scanning
Triaging code scanning alerts in pull requests
Edit the default template for Actions workflow to fit an active, open source, production repository
Configuring advanced setup for code scanning
Customizing your advanced setup for code scanning
Workflow configuration options for code scanning
Describe how to view code scanning results from CodeQL analysis
Assessing code scanning alerts for your repository
Managing code scanning alerts for your repository
Triaging code scanning alerts in pull requests
Troubleshoot a failing code scanning workflow using CodeQL, including creating or changing a custom configuration in the CodeQL workflow
Troubleshooting the CodeQL workflow
Configuring advanced setup for code scanning
Follow the data flow through code using the show paths experience
Understanding code scanning alerts
Assessing code scanning alerts for your repository
Explain the reason for a code scanning alert given documentation linked from the alert
Managing code scanning alerts for your repository
Determine if and why a code scanning alert needs to be dismissed
Dismissing code scanning alerts
Managing code scanning alerts for your repository
Describe potential shortfalls in CodeQL via model of compilation and language support
About code scanning with CodeQL
CodeQL code scanning for compiled languages
Troubleshooting the CodeQL workflow
Explain the purpose of defining a SARIF category
SARIF support for code scanning
Uploading a SARIF file to GitHub
Customizing your advanced setup for code scanning
Domain 5: Describe GitHub Advanced Security best practices, results, and how to take corrective measures (10%)
GitHub Advanced Security results & best practices
Use a Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) to describe a GitHub Advanced Security alert and list potential remediation
Resolving code scanning alerts
About the GitHub Advisory Database
Describe the decision-making process for closing and dismissing security alerts (documenting the dismissal, making a decision based on data)
Resolving code scanning alerts
Managing code scanning alerts for your repository
Describe the default CodeQL query suites
About code scanning with CodeQL
Configuring default setup for code scanning
Describe how CodeQL analyzes code and produces results, including the differences between compiled and interpreted languages
About code scanning with CodeQL
CodeQL code scanning for compiled languages
Troubleshooting the CodeQL workflow
Determine the roles and responsibilities of development and security teams on a software development workflow
Introduction to adopting GitHub Advanced Security at scale
Managing security managers in your organization
Best practices for securing code in your supply chain
Describe how the severity threshold for code scanning pull request status checks can be changed
Set code scanning merge protection
Triaging code scanning alerts in pull requests
Workflow configuration options for code scanning
Explain how filters and sorting can be used to prioritize secret scanning remediation (validity:active)
Evaluating alerts from secret scanning
Viewing and filtering alerts from secret scanning
Organizing remediation efforts for leaked secrets
Explain how CodeQL & Dependency Review workflows can be enforced with Repository Rulesets
Set code scanning merge protection
Enforcing dependency review across an organization
Describe how code scanning can be configured to identify and remediate vulnerabilities earlier (scanning upon pull request)
Triaging code scanning alerts in pull requests
Customizing your advanced setup for code scanning
Set code scanning merge protection
Describe how secret scanning can be configured to identify and remediate vulnerabilities earlier (enabling push protection)
Enabling push protection for your repository
Evaluating alerts from secret scanning
Describe how dependency analysis can be configured to identify and remediate vulnerabilities earlier (enable dependency review to scan upon pull request)
Configuring the dependency review action
Enforcing dependency review across an organization
This brings us to the end of the GH-500 GitHub Advanced Security Study Guide.
What do you think? Let me know in the comments section if I have missed anything. Also, I would love to hear from you about how your preparation is going!
In case you are preparing for other GitHub certification exams, check out the GitHub section for those exams.