Review GitHub Advanced Security (GH-500) secret scanning, dependency review, CodeQL, code scanning, remediation, and governance traps before practicing in IT Mastery.
GH-500 tests whether you can match the security signal to the right GitHub Advanced Security feature and response. Use this cheat sheet to separate secret scanning, dependency risk, code scanning, CodeQL, remediation, and enterprise governance before practice.
Use this alongside practice. Review the GHAS control map, then take the free GH-500 diagnostic or open the full Advanced Security route in IT Mastery.

| Field | Detail |
|---|---|
| Vendor | GitHub |
| Credential name | GitHub Advanced Security |
| Exam code | GH-500 |
| Level shown by Microsoft Learn | Intermediate |
| Exam time shown by Microsoft Learn | 100 minutes |
| IT Mastery status | Live GH-500 practice available |

| Domain | Weight | What to know | Common trap |
|---|---|---|---|
| GHAS features and functionality | 10% | Feature boundaries, alerts, security overview, and repository/organization scope | Treating every finding as a CodeQL issue |
| Secret scanning | 10% | Detection, push protection, validity checks, revocation, and alert triage | Closing an alert before rotating or revoking exposed credentials |
| Dependency management | 15% | Dependabot alerts, dependency review, vulnerable versions, and merge risk | Confusing pull-request review with post-merge alert triage |
| Code scanning | 15% | Setup, alerts, SARIF, third-party tools, and result management | Expecting code scanning to detect secrets or dependency CVEs |
| CodeQL | 20% | Languages, query packs, build modes, workflow permissions, and analysis scope | Ignoring build mode or language setup when analysis fails |
| GHAS best practices | 20% | Triage, remediation, false positives, metrics, rollout, and corrective measures | Dismissing findings without evidence or owner review |
| Enterprise configuration | 10% | Enterprise enablement, policies, repositories, organizations, and governance | Applying settings at the wrong scope |

| Distinction | How to decide |
|---|---|
| Secret scanning vs code scanning | Secret scanning detects exposed credentials; code scanning detects code patterns and vulnerabilities. |
| Dependabot alert vs dependency review | Dependabot alerts track known vulnerable dependencies; dependency review checks pull-request dependency changes before merge. |
| CodeQL default setup vs advanced setup | Default setup is enabled from repository settings and GitHub manages the workflow; advanced setup is a workflow file you edit, used when you need a custom build, extra languages, custom queries, or control over the workflow itself. |
| SARIF upload vs CodeQL analysis | SARIF upload imports scanner results; CodeQL analysis runs GitHub’s semantic analysis. |
| Push protection vs alert triage | Push protection rejects a push that contains a supported secret before it reaches the repository; alert triage handles secrets already committed and detected. |
| Dismissal vs remediation | Dismiss only with a valid reason; remediation removes, rotates, upgrades, or fixes the underlying risk. |
| Repository setting vs enterprise policy | Repository settings affect one repo; enterprise policy can govern many organizations and repositories. |
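The workflow below is an added example, not code from this page or from GitHub's documentation. It ties three of the distinctions above to concrete configuration: dependency review runs only on pull requests and blocks merges that introduce high-severity dependencies, CodeQL advanced setup declares its languages and build mode explicitly (the usual cause of a failed analysis), and a separate job imports results from a non-CodeQL scanner through SARIF upload. The `main` branch name, the language matrix, and the `./scripts/run-scanner.sh` step are assumptions; the job-level `security-events: write` grant is what allows a job to write code scanning results, and it is scoped per job rather than granted to the whole workflow.

```yaml
name: ghas-controls-example   # assumed name; added example, not the page's own configuration

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]

# Workflow-level default: read-only. Jobs that upload code scanning results
# opt in to security-events: write individually (least privilege).
permissions:
  contents: read

jobs:
  # Dependency review: pull-request-time check of dependency changes.
  # Requires the dependency graph to be enabled on the repository.
  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high    # fail the check for high or critical advisories

  # CodeQL advanced setup: explicit languages and build modes per matrix entry.
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read           # needed to read workflow metadata on private repos
      contents: read
      security-events: write  # required to upload code scanning results
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none        # interpreted language, no build needed
          - language: java-kotlin
            build-mode: autobuild   # compiled language, CodeQL attempts the build
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  # SARIF upload: imports findings from a third-party tool into code scanning.
  # The scanner script is hypothetical; any tool that emits SARIF 2.1.0 works.
  third-party-sarif:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # same grant; the upload step needs it too
    steps:
      - uses: actions/checkout@v4
      - name: Run third-party scanner (hypothetical script)
        run: ./scripts/run-scanner.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: third-party-scanner   # keeps these alerts distinct from CodeQL's
```

The `category` values matter in practice: code scanning uses them to keep alerts from different tools and language configurations separate, so a CodeQL alert and a third-party alert on the same line are tracked as two findings, and each is closed by its own tool's next clean upload.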
`security-events: write` is required when a workflow must upload code scanning results.

Take the free GH-500 diagnostic and classify every miss by signal: secret, dependency, code pattern, CodeQL setup, or governance. Then drill the matching feature page. GH-500 practice should improve response judgment: what happened, which feature saw it, what the first safe action is, and what evidence closes the loop.