Practical exam blueprint for the GitHub Advanced Security (GH-500) exam, covering code scanning, secret scanning, dependency security, GitHub Actions security, governance, and alert triage.
How to Use This Exam Blueprint
Use this page as a practical readiness map for the GitHub Advanced Security (GH-500) exam from GitHub. It is organized around the skills a candidate should be able to apply in real scenarios: enabling GitHub Advanced Security capabilities, interpreting alerts, configuring workflows, reducing risk, and explaining tradeoffs.
For each area, ask:
Can I explain the feature and when to use it?
Can I configure it at the repository, organization, or enterprise level when applicable?
Can I interpret the alert or result produced by the feature?
Can I choose the right remediation path?
Can I recognize common misconfigurations and security gaps?
This is not a substitute for official exam materials. It is an independent exam blueprint for final review and practice planning.
When you would customize languages, queries, build steps, or paths.
Code Scanning Alert Triage
Alert detail
What it helps determine
Candidate should be able to decide
Severity
Potential impact
Is this urgent compared with other findings?
Rule description
Weakness pattern
What kind of vulnerability is being reported?
File and line
Location
Who owns the code and where should the fix happen?
Data flow path
Source-to-sink reasoning
Can attacker-controlled data reach a dangerous operation?
Branch
Affected code line
Is the issue in active production-bound code?
Tool
Origin of result
Was this found by CodeQL or an imported scanner?
Alert state
Open, fixed, dismissed
Is action still needed?
Dismissal reason
Why no fix was applied
Is the dismissal justified and auditable?
Code Scanning “Can You Do This?” Prompts
Given a repository with no custom build needs, choose a simple code scanning setup.
Given a compiled project that fails autobuild, identify the need for explicit build steps.
Given a third-party SAST tool, explain how SARIF upload fits into code scanning.
Given noisy alerts, recommend query tuning or alert triage instead of disabling scanning entirely.
Given a pull request introducing a vulnerability, explain how code scanning can surface it before merge.
Given an alert marked as a false positive, explain what information should support dismissal.
Given an organization with many repositories, explain how security overview helps find unscanned repositories.
CodeQL Readiness
CodeQL Concepts to Review
Concept
What it means
Ready check
CodeQL database
Extracted representation of code for analysis
Can explain why analysis needs a database
Query
Logic that finds code patterns
Can explain that queries detect vulnerability classes
Query suite
Group of queries selected for analysis
Can choose broader or narrower query coverage conceptually
Query pack
Packaged set of CodeQL queries
Can explain reuse and distribution of queries
Custom query
Organization-specific or specialized detection logic
Can identify when built-in queries may not be enough
Data flow
Tracking values through code
Can reason about source, sink, and sanitizer concepts
Taint tracking
Tracking untrusted input through program paths
Can interpret why a reported path matters
SARIF result
Standardized static-analysis finding format
Can explain how results appear in GitHub
CodeQL Reasoning Checklist
Understand that CodeQL treats code as data that can be queried.
Know why different languages may require different setup behavior.
Understand the idea of a vulnerable flow from source to sink.
Know the difference between a real false positive and an alert that is merely inconvenient.
Know when custom queries help enforce organization-specific security expectations.
Know why query expansion can increase useful coverage and also increase triage volume.
Know why a failed build or incomplete extraction can reduce analysis quality.
Know how CodeQL results are surfaced as code scanning alerts.
Scenario Cues for CodeQL
Scenario
Likely decision
“The project uses a standard interpreted language and needs quick enablement.”
Consider default setup if supported and sufficient
“The project requires generated code or special build commands.”
Use advanced setup with explicit build steps
“The organization has a recurring internal insecure API usage pattern.”
Consider custom CodeQL queries
“A third-party scanner already produces SARIF.”
Upload SARIF to code scanning for centralized alert handling
“A team complains about too many low-value findings.”
Review query selection, severity filters, and triage process
“Analysis succeeds but expected files are not covered.”
Review language detection, paths, build, and workflow configuration
Secret Scanning Readiness
What to Know
Secret scanning is about detecting and preventing exposed credentials. For GH-500, be ready to handle both default provider patterns and organization-specific secret formats.
Topic
Review focus
Ready check
Secret scanning alerts
Detection of committed secrets
Can triage an exposed credential
Push protection
Blocking or warning before secrets are pushed
Can explain prevention versus detection
Secret validity checks
Whether a detected token appears active where supported
Can use validity context without relying on it blindly
Custom patterns
Detect internal secret formats
Can identify when and why to create custom patterns
Alert recipients
Who is notified and who can act
Can route alerts to the right owner
Bypass review
Developer bypass of push protection where allowed
Can evaluate whether bypasses are justified
Remediation
Rotate, revoke, remove, and investigate
Can choose the right response sequence
Secret Remediation Checklist
When a secret is found, you should know that deleting it from the latest file version is usually not enough.
Confirm what secret type was exposed.
Determine whether the secret is active.
Revoke or rotate the credential.
Identify affected systems, repositories, branches, forks, logs, or artifacts where applicable.
Remove the secret from code and configuration.
Avoid committing replacement secrets.
Use a secure secret store or GitHub Actions secrets where appropriate.
Investigate potential misuse when the exposure risk is meaningful.
Close or resolve the alert with an accurate reason.
Educate the contributor on prevention.
Secret Scanning Decision Points
If the scenario says…
Think about…
“A cloud provider key was committed.”
Rotate/revoke immediately, then remove and investigate
“A developer says the token is only for testing.”
Validate scope, exposure, and whether it can access real systems
“The secret is in Git history.”
Rotation is still required; history cleanup alone is not enough
“The pattern is internal and not detected by default.”
Create a custom secret scanning pattern
“Push protection blocked a commit.”
Remove the secret and recommit safely
“The developer bypassed push protection.”
Review bypass reason, risk, and follow-up controls
“A token appears inactive.”
Do not assume zero risk without understanding the system and token lifecycle
Custom Pattern Readiness
Be able to explain the purpose of custom patterns without overfitting to a regex syntax question.
Identify examples of organization-specific secrets.
package-ecosystem identifies the package manager or ecosystem.
directory points to where manifest files are located.
schedule controls update cadence.
Version updates and security updates serve different goals.
Excessive update noise can reduce developer responsiveness.
Grouping, scheduling, or ownership strategies may improve adoption where supported.
Dependency Review Scenario Cues
Scenario
Likely GHAS-related response
“A pull request adds a new package with a known vulnerability.”
Dependency review should flag the change before merge
“A vulnerable transitive dependency appears.”
Review dependency path and update the parent or resolved package where possible
“Dependabot opened a PR but tests fail.”
Investigate compatibility, update strategy, or required code changes
“No dependency alerts appear for a repository.”
Verify dependency graph support and manifest visibility
“Teams ignore frequent update PRs.”
Tune schedule, grouping, ownership, and prioritization
“A dependency is used only in development tooling.”
Still assess risk, but prioritize based on exposure and impact
GitHub Actions Security Readiness
Why Actions Security Matters for GH-500
GitHub Advanced Security is closely tied to secure development workflows. Be prepared to reason about how CI/CD workflows can expose secrets, run untrusted code, or grant excessive permissions.
Area
Review focus
Ready check
Workflow permissions
Principle of least privilege for tokens
Can reduce default token access where possible
GITHUB_TOKEN
Built-in token for workflow automation
Can explain why its permissions matter
Secrets in workflows
Secure handling of sensitive values
Can avoid exposing secrets in logs or untrusted contexts
Pull request workflows
Risk from forked or untrusted contributions
Can identify dangerous trigger patterns
Third-party actions
Supply-chain risk
Can recommend pinning and trusted sources
Reusable workflows
Centralized workflow logic
Can explain benefits and governance concerns
Artifacts and logs
Data exposure risk
Can avoid leaking secrets through outputs
OIDC
Federated identity for cloud access
Can explain why short-lived credentials are preferred to long-lived secrets
Code scanning workflows
Security-events permission and analysis steps
Can troubleshoot why alerts are not uploaded
Workflow Hardening Checklist
Set minimal required permissions for workflows and jobs.
Avoid granting broad write permissions by default.
Treat pull requests from forks or unknown contributors as untrusted.
Avoid running untrusted code with access to sensitive secrets.
Pin third-party actions according to organizational policy.
Prefer trusted and maintained actions.
Review action source and permissions before adoption.
Avoid printing secrets, tokens, or sensitive environment variables.
Use environments and required reviewers where appropriate.
Use OIDC-based federation where suitable instead of long-lived cloud credentials.
Separate build, test, release, and deployment responsibilities.
Monitor workflow changes in sensitive repositories.
Risky Workflow Pattern Recognition
Pattern
Why it matters
Safer thinking
Broad token permissions
Increases blast radius if workflow is compromised
Grant only needed permissions
Unpinned third-party action
Action behavior may change unexpectedly
Pin according to policy and review source
Secrets available to untrusted PR code
Contributor could exfiltrate secrets
Restrict secret access and trigger choice
Deployment from ordinary PR workflow
Blurs review and release boundaries
Require approvals and protected environments
Logging environment variables
May expose credentials or sensitive data
Mask and avoid printing secrets
Automatically running privileged scripts from dependencies
Supply-chain attack path
Review install scripts and lock dependencies
Governance, Settings, and Security Posture
Repository, Organization, and Enterprise Thinking
The exam may test whether you can choose the right level for a setting or control.
Control level
Typical use
Readiness prompt
Repository
Team-specific configuration
Can configure scanning and alerts for one project
Organization
Consistent policy across many repositories
Can identify rollout and visibility controls
Enterprise
Broad governance across organizations
Can reason about central standards and reporting
Branch or ruleset controls
Protect important branches and workflows
Can connect code security to merge controls
Security roles
Delegate security management
Can route responsibility without granting unnecessary admin access
Governance Checklist
Know how to identify repositories without required security features enabled.
Know how to use security overview to find risk across repositories.
Know how security managers or equivalent delegated roles help scale remediation.
Know why repository ownership metadata matters for alert routing.
Know how security policies communicate vulnerability reporting expectations.
Know how branch protection or repository rules can support secure merge behavior.
Know why exceptions should be documented and reviewed.
Know how audit logs or activity records can support investigation and accountability.
Know how to phase GHAS rollout across critical repositories first.
Know how to measure whether teams are fixing alerts, not just enabling tools.
Security Overview Readiness
Be able to use security overview conceptually to answer questions such as:
Which repositories have code scanning disabled?
Which repositories have the most critical open alerts?
Which alerts are stale or unassigned?
Which teams are missing dependency security coverage?
Which repositories have unresolved secret scanning alerts?
Which repositories require onboarding, ownership, or policy cleanup?
Which trends indicate improving or worsening security posture?
Alert Triage and Remediation Workflow
Practical Triage Flow
flowchart TD
A[New security alert] --> B{Is it a real exposure or weakness?}
B -->|Clearly false positive| C[Dismiss with accurate reason]
B -->|Needs investigation| D[Identify owner and affected code]
D --> E{Is there active secret or exploitable vulnerability?}
E -->|Yes| F[Prioritize urgent remediation]
E -->|No or lower risk| G[Prioritize by severity and context]
F --> H[Fix, rotate, update, or remove]
G --> H
H --> I[Validate with tests and scanning]
I --> J[Close alert or confirm auto-closure]
J --> K[Document lessons and prevent recurrence]
Alert Handling Checklist
Confirm the alert type: code, secret, dependency, or workflow-related.
Identify severity and potential impact.
Identify affected branch, repository, package, file, or workflow.
Identify code owner or service owner.
Determine whether the issue is exploitable or exposed.
Prioritize based on severity, exposure, asset criticality, and fix availability.
Choose the right remediation action.
Validate the fix with tests and rescanning.
Avoid dismissing alerts only because they are hard to fix.
Record accurate dismissal reasons when dismissal is appropriate.
Look for repeated patterns that require training, policy, or automation changes.
Remediation Action Map
Alert type
Common remediation
Common mistake
Hardcoded secret
Revoke or rotate, remove from code, investigate misuse
Only deleting the file or commit
Vulnerable dependency
Upgrade, patch, replace, or mitigate
Ignoring transitive dependencies
CodeQL vulnerability
Fix source, sink, validation, sanitization, or unsafe API usage
Make a short list of features you confuse and drill the differences.
4 to 2 Days Before
Practice scenario questions that ask “what should you do next?”
Practice identifying the right feature from a short problem statement.
Review common misconfigurations in workflows and scanning setup.
Review how alerts are triaged, assigned, fixed, dismissed, and validated.
Practice explaining tradeoffs: coverage versus noise, automation versus review, prevention versus detection.
Review repository, organization, and enterprise-level governance concepts.
Avoid memorizing unsupported exact limits or dates; focus on decisions and workflows.
Final 24 Hours
Review the feature map table.
Review the remediation action map.
Review secret exposure response steps.
Review dependency alert triage steps.
Review CodeQL workflow stages.
Review Actions security traps.
Sleep and avoid last-minute deep dives into unrelated tooling.
Practical Next Step
Turn this checklist into practice tasks: for each unchecked item, create one scenario question and answer it in your own words. Prioritize areas where you cannot explain the decision path, not just areas where you forgot a term. For GH-500 readiness, the goal is to choose and justify the right GitHub Advanced Security action in realistic repository, organization, and workflow situations.