GH-500 — GitHub Advanced Security Study Plan

A practical GitHub Advanced Security (GH-500) study plan with 7-day, 14-day, 30-day, and 60/90-day preparation paths.

Study plan orientation

This study plan is for candidates preparing for GitHub's GitHub Advanced Security exam (exam code GH-500).

Use it to turn your available calendar time into a realistic preparation schedule. The plan assumes you need to understand GitHub Advanced Security features in practical scenarios: how security features are enabled, how alerts are generated and triaged, how repositories and organizations are governed, and how teams use code scanning, secret scanning, and dependency security workflows.

This is an independent study planning guide. Use the current GitHub exam guide and GitHub documentation as your source of truth for the exact objectives.

What to study for GH-500

Organize your study around practical GHAS tasks, not only terminology.

Study area | What you should be able to explain | What you should practice
GitHub Advanced Security setup and governance | Where GHAS features are enabled, how repository, organization, and enterprise settings interact, and how permissions affect security administration | Trace who can configure features, dismiss alerts, view security data, and manage repository security settings
Code scanning | Default setup vs. advanced setup, CodeQL workflow concepts, third-party tool/SARIF results, alert states, and remediation flow | Read a CodeQL workflow, identify why scans run or fail, interpret an alert, and choose an appropriate remediation path
CodeQL concepts | Query suites, language/build considerations, custom queries at a conceptual level, and how CodeQL analysis fits into CI | Match a scanning scenario to a setup approach and recognize when build configuration matters
Secret scanning | Secret scanning alerts, push protection concepts, custom or partner patterns at a high level, bypass handling, and remediation workflow | Decide what should happen when a secret is detected in a commit, pull request, or existing repository history
Dependency security | Dependency graph, Dependabot alerts, Dependabot security updates, dependency review, vulnerable dependency triage, and supply-chain risk | Distinguish security updates from general version updates and decide how to respond to vulnerable dependency alerts
Alert triage and remediation | Alert severity, status, dismissal reasons, ownership, fix validation, and recurring alert patterns | Review missed scenarios and explain why an alert should be fixed, dismissed, assigned, or escalated
Repository and organization security posture | Security overview, repository risk prioritization, policies, security configurations, and reporting views | Use scenario questions to decide which setting or report helps a security team find risk fastest
Secure development workflow | Pull request security checks, branch and workflow controls, least-privilege automation, and developer remediation behavior | Analyze a CI/CD security scenario and identify the safest GHAS-supported workflow

Which plan should you use?

Your situation | Use this path | Typical study time | Main goal
Exam is in 7 days and you have already studied | 7-day final review | 1.5 to 3 hours/day | Find weak areas, drill alerts and workflows, take timed practice
Exam is in 7 days and you are starting from scratch | 7-day emergency path | 2.5 to 4 hours/day | Cover only high-yield objectives and consider rescheduling if practice results are unstable
Exam is in 2 weeks | 14-day focused plan | 1.5 to 2.5 hours/day | Build exam coverage quickly and leave time for two timed reviews
Exam is in about 1 month | 30-day balanced plan | 60 to 120 minutes/day | Learn, practice, review, and improve without cramming
Exam is 2 to 3 months away | 60/90-day full path | 4 to 7 hours/week | Build durable hands-on skill and finish with timed exam readiness
You work with GitHub daily but not GHAS | 14-day or 30-day plan | Depends on gaps | Convert GitHub familiarity into GHAS-specific exam readiness
You are new to GitHub security features | 60/90-day path | 5 to 8 hours/week | Learn concepts, practice workflows, then move into timed practice

Start with a diagnostic

Do this before you spend days reading.

  1. Take a short diagnostic practice set or timed quiz.
  2. Mark every missed or guessed question by objective area.
  3. Separate knowledge gaps from wording mistakes.
  4. Build your schedule around the top three weak areas.
  5. Retest those areas within 48 hours.

Diagnostic result | What it means | What to do next
Strong on GitHub basics, weak on GHAS features | You need feature-specific review | Prioritize code scanning, secret scanning, dependency security, and security overview
Strong on definitions, weak on scenarios | You are memorizing but not applying | Use scenario drills and explain why each wrong option is wrong
Weak on permissions and settings | You may confuse repo, org, and enterprise scope | Create a scope map and review governance scenarios daily
Weak on CodeQL/code scanning | You need workflow and alert-lifecycle practice | Review setup modes, workflow anatomy, alert states, and remediation paths
Weak on dependency and secret workflows | You need triage practice | Drill “what happens next?” questions for alerts, push protection, and Dependabot

Daily practice rhythm

Use this rhythm on most study days. Adjust the time blocks, but keep the sequence.

Time block | Action | Output
5 minutes | Review yesterday’s missed-question log | Pick 2 to 3 items to retest
20 to 30 minutes | Study one focused GH-500 objective | Notes in your own words
20 to 40 minutes | Do hands-on or scenario review | One concrete workflow, setting, or alert lifecycle understood
20 to 30 minutes | Answer practice questions | Mark missed, guessed, and slow questions
10 to 20 minutes | Review explanations deeply | Add corrections to your log
5 minutes | Write a closing summary | “I can now explain…” and “I still confuse…”

If you only have 30 minutes

Use this compressed version:

  1. 5 minutes: review yesterday’s misses.
  2. 15 minutes: study one narrow objective.
  3. 10 minutes: answer and review 5 to 10 targeted questions.

Do not spend the whole session passively reading.

GH-500 hands-on practice map

You do not need a production environment to study effectively. If you use a sandbox repository or organization, avoid real secrets, real customer data, and real production workflows.

Drill | What to practice | What to be ready to explain
Code scanning setup review | Compare default setup and workflow-based setup | When each setup is appropriate and what can cause scan coverage gaps
CodeQL workflow reading | Identify trigger, permissions, initialization, build, and analysis steps | Why a workflow runs, what it analyzes, and where results appear
Alert lifecycle | Follow a code scanning alert from detection to remediation or dismissal | Severity, status, ownership, fix validation, and dismissal reasoning
Secret scanning scenario | Walk through a detected secret in a repository or push | What the developer and security team should do next
Push protection scenario | Decide how to respond to a blocked push or bypass request | When bypass may be reviewed, rejected, or followed by remediation
Dependency alert triage | Review a vulnerable dependency scenario | Difference between dependency alert, security update, and general version update
Dependency review | Analyze a pull request that introduces dependency risk | How dependency changes are surfaced before merge
Organization security posture | Review security overview-style prioritization | How to identify risky repositories and recurring alert patterns
Permissions and roles | Map who can view, configure, dismiss, or manage alerts | Why scope matters: repository vs. organization vs. enterprise
Secure automation | Review least-privilege workflow behavior | How Actions permissions and repository controls affect security posture
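For the "Dependency review" and "Dependency alert triage" drills, it helps to see the one piece of GHAS that acts before merge rather than after. Dependabot alerts and Dependabot security updates react to vulnerable dependencies already on the default branch; dependency review inspects the dependency diff of a pull request and can block it. The workflow below is an added example written for this study plan, not a file from GitHub or any real project. It uses the real actions/dependency-review-action and its documented inputs; the severity threshold, branch name, and the decision to post a PR comment are assumptions chosen for illustration. Dependency review requires the dependency graph to be enabled on the repository (and GHAS on private repositories).

```yaml
# .github/workflows/dependency-review.yml  (added example for study; assumed file name)
name: "Dependency review (study example)"

# Only pull_request makes sense here: the action compares the base and
# head dependency manifests of the PR, so there is nothing to diff on push.
on:
  pull_request:
    branches: [ "main" ]   # assumed branch name

# Least privilege: read-only by default, then grant the one extra scope
# the job actually needs.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # needed only because comment-summary-in-pr is used
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # The action asks the dependency graph's "compare" data for this PR:
      # every added, removed, or changed package, each joined to known
      # advisories and license data.
      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check if any *newly introduced* dependency carries an
          # advisory at this severity or above (low, moderate, high, critical).
          # Existing vulnerable dependencies on main are not this action's job;
          # those surface as Dependabot alerts. (Threshold is an assumed choice.)
          fail-on-severity: high
          # Post the summary on the PR so the developer sees what blocked the
          # merge without opening the Actions log. Values: always, on-failure, never.
          comment-summary-in-pr: always
```

The triage distinction the drill asks for falls straight out of this file: a failing dependency-review check is a pre-merge control on a specific pull request, a Dependabot alert is a post-merge finding on the default branch, a Dependabot security update is the automated PR that tries to close that alert, and a Dependabot version update is routine upkeep configured in dependabot.yml with no advisory behind it.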

7-day final review plan

Use this if your exam is one week away. This is best for candidates who have already completed at least one pass through the material. If you are starting from zero, treat this as an emergency plan and focus on the highest-yield GHAS workflows.

Day | Focus | Study actions | Output
1 | Diagnostic and triage | Take a timed or semi-timed diagnostic. Build a missed-question log by area. | Ranked weak-area list
2 | Code scanning and CodeQL | Review setup types, workflow anatomy, CodeQL concepts, SARIF results, and alert lifecycle. Do targeted questions. | Code scanning decision notes
3 | Secret scanning and dependency security | Review secret alerts, push protection, Dependabot alerts, security updates, dependency review, and remediation flow. | Secret/dependency triage notes
4 | Governance, permissions, and security posture | Review repository, organization, and enterprise scope. Drill security overview and policy scenarios. | Scope and permissions map
5 | Full timed mock or large timed set | Take a timed mock. Spend at least the same amount of time reviewing. Stop broad new material after review. | Final weak-area sprint list
6 | Weak-area sprint | Rework missed questions, reread only targeted docs, and explain key workflows aloud. | One-page final review sheet
7 | Light final review | Review notes, alert lifecycles, and common confusions. Avoid heavy new content. | Calm, focused exam readiness

7-day priorities if time is very limited

If you have less than 90 minutes per day, prioritize in this order:

  1. Code scanning and CodeQL setup scenarios.
  2. Secret scanning and push protection workflows.
  3. Dependabot alerts, security updates, and dependency review.
  4. Repository, organization, and enterprise scope.
  5. Alert triage, dismissal, remediation, and reporting.

14-day focused plan

Use this if you have two weeks and can study most days.

Day | Focus | Primary work
1 | Baseline diagnostic | Take a diagnostic set, review every miss, and tag weak areas
2 | GHAS overview and enablement | Review where features are configured and how scope affects behavior
3 | Permissions and governance | Study roles, ownership, alert management, policies, and security posture views
4 | Code scanning setup | Review default setup, advanced setup, workflow structure, and CI triggers
5 | Code scanning alerts | Study alert states, remediation, dismissal, CodeQL concepts, and SARIF-based results
6 | Secret scanning | Review secret detection, alert handling, push protection, and safe remediation
7 | Dependency security | Review dependency graph, Dependabot alerts, security updates, and dependency review
8 | Timed checkpoint | Take a timed mixed set. Review misses by objective area
9 | Repository and organization scenarios | Drill “where should this be configured?” and “who can do this?” questions
10 | Remediation workflows | Practice alert triage, assignment, dismissal, reopening, and fix validation scenarios
11 | CI/CD and workflow security | Review Actions permissions, secure automation behavior, and scanning integration
12 | Full timed mock | Take a full-length or large timed practice exam. Review deeply
13 | Final weak-area repair | Rework missed topics. Build a one-page final sheet
14 | Light review | Review lifecycles, decision rules, and common traps. Do not cram new topics

30-day balanced plan

Use this if you want a realistic plan with enough time to learn, practice, and correct mistakes.

Days | Focus | Actions
1 to 2 | Orientation and diagnostic | Read the current exam objectives. Take a diagnostic. Create your tracking sheet.
3 to 6 | GHAS foundations | Study feature scope, enablement, repository settings, organization settings, enterprise considerations, and security roles.
7 | Review checkpoint | Do a mixed quiz. Rewrite confusing scope and permission rules.
8 to 12 | Code scanning core | Study setup modes, CodeQL workflow structure, language/build considerations, alert lifecycle, and remediation.
13 to 14 | Code scanning practice | Drill scenario questions and review any hands-on workflow examples.
15 | Midpoint timed set | Take a timed mixed set. Review every miss before moving on.
16 to 18 | Secret scanning | Study secret alerts, push protection, bypass concepts, custom/partner pattern concepts, and remediation.
19 to 21 | Dependency security | Study dependency graph, Dependabot alerts, security updates, dependency review, and vulnerable dependency triage.
22 to 23 | Security posture and reporting | Review security overview, prioritization, ownership, and alert management scenarios.
24 | Full timed mock | Take a full or large timed practice exam. Identify recurring weaknesses.
25 to 27 | Weak-area repair | Relearn the top weak areas. Redo missed questions without looking at explanations first.
28 | Final timed checkpoint | Take a final timed mixed set. Confirm pacing and scenario accuracy.
29 | Final review sheet | Review decision rules, alert lifecycles, and scope maps. Stop adding new broad material.
30 | Light review and readiness | Do a short confidence check, then rest.

30-day weekly checkpoints

Week | You should be able to do this by the end of the week
Week 1 | Explain where GHAS features are enabled and how permissions affect security management
Week 2 | Interpret code scanning scenarios and identify appropriate CodeQL setup choices
Week 3 | Triage secret scanning and dependency security scenarios
Week 4 | Complete timed practice with stable pacing and no repeated major weak area

60/90-day full preparation path

Use this path if you are starting early, are new to GHAS, or want deeper hands-on confidence.

Phase | 60-day calendar | 90-day calendar | Focus
Phase 1 | Days 1 to 5 | Days 1 to 7 | Exam objective review, diagnostic, study environment setup, tracking sheet
Phase 2 | Days 6 to 14 | Days 8 to 21 | GHAS foundations, governance, permissions, repository and organization scope
Phase 3 | Days 15 to 32 | Days 22 to 49 | Code scanning, CodeQL concepts, workflow setup, SARIF, alert lifecycle
Phase 4 | Days 33 to 44 | Days 50 to 66 | Secret scanning, push protection, dependency security, Dependabot workflows
Phase 5 | Days 45 to 55 | Days 67 to 82 | Security posture, reporting, remediation scenarios, mixed timed practice
Phase 6 | Days 56 to 60 | Days 83 to 90 | Final mocks, weak-area repair, final review, exam readiness

60-day weekly structure

Week | Main focus | Required practice
1 | Baseline and GHAS map | Diagnostic plus objective checklist
2 | Scope, settings, and permissions | Repository vs. organization vs. enterprise scenarios
3 | Code scanning setup | Default setup, advanced setup, workflow anatomy
4 | CodeQL and alert operations | Alert interpretation, remediation, dismissal, SARIF concepts
5 | Secret scanning | Secret alerts, push protection, remediation decisions
6 | Dependency security | Dependabot alerts, security updates, dependency review
7 | Security posture and remediation | Security overview, prioritization, ownership, reporting
8 | Timed exam readiness | Full timed mock, weak-area sprint, final review

How to use the extra time in a 90-day plan

Do not simply stretch passive reading. Use the extra time for:

  • More hands-on review of repository and organization settings.
  • More scenario drills on permissions and scope.
  • Repeated code scanning workflow interpretation.
  • More practice explaining why wrong answers are wrong.
  • Weekly mixed quizzes so older topics do not decay.
  • One additional timed mock before the final two weeks.

Timed mock exam strategy

Timed practice should measure readiness, not replace learning.

When | What to take | What to do after
Start of plan | Short diagnostic | Identify weak areas and avoid studying blindly
Middle of plan | Timed mixed set | Test recall across topics and update your study schedule
Final 10 to 14 days | Full or large timed mock | Practice pacing and scenario interpretation
Final 3 to 5 days | Last major timed set | Confirm readiness and identify final review topics
Final 24 hours | No heavy mock unless necessary | Light review only; avoid creating fatigue

Mock review rules

After every timed set:

  1. Review missed questions first.
  2. Review guessed questions second, even if correct.
  3. Identify the objective area for each miss.
  4. Write the rule or concept you should have used.
  5. Redo the missed questions later without the explanation.
  6. Look for repeated patterns, not isolated trivia.

A mock is useful only if the review changes what you do next.

Missed-question review method

Use a missed-question log throughout your plan. Keep it short enough that you will actually maintain it.

Field | What to record
Date | When you missed it
Topic | Code scanning, secret scanning, dependency security, permissions, governance, reporting, or workflow security
Error type | Knowledge gap, scope confusion, wording mistake, rushed answer, or weak scenario reasoning
Correct rule | The decision rule you should have applied
Retest date | When you will answer a similar question again
Status | Open, retested, or mastered

Error types and fixes

Error type | Example pattern | Fix
Scope confusion | Mixing repository, organization, and enterprise settings | Create a three-column scope map and review it daily
Feature confusion | Mixing secret scanning, dependency review, and code scanning | Write the input, output, and alert type for each feature
Alert lifecycle gap | Not knowing what happens after dismissal or remediation | Draw the lifecycle from detection to closure
CodeQL workflow gap | Misreading when or how analysis runs | Review workflow triggers, permissions, init, build, and analyze steps
Permission gap | Choosing an action for the wrong role or access level | Review who can configure, view, dismiss, or manage each feature
Scenario overthinking | Choosing a complex answer when a direct GHAS feature applies | Identify the exact problem before selecting the tool

Final-week rules

Use these rules during the last week, regardless of which plan you followed.

Rule | Why it matters
Stop broad new material 2 to 3 days before the exam | New topics can reduce confidence without improving your score
Keep reviewing missed questions | Your log shows the highest-return work
Prioritize workflows over definitions | GH-500 scenarios often require choosing the right security action
Review scope daily | Many mistakes come from confusing repository, organization, and enterprise behavior
Do not run experimental labs the night before | Last-minute configuration surprises can create confusion
Practice pacing once, then stop | You need timing confidence, not exhaustion
Sleep and logistics count | A tired candidate misreads scenario questions

Exam-readiness checks

You are closer to ready when you can do the following without notes.

Readiness check | Can you do it?
Explain the main GHAS features and what risk each one addresses | Yes / No
Distinguish code scanning, secret scanning, dependency alerts, and dependency review | Yes / No
Choose between code scanning setup approaches for a scenario | Yes / No
Read a CodeQL workflow conceptually and identify what each major step does | Yes / No
Explain how a code scanning alert is triaged, fixed, dismissed, or reopened | Yes / No
Respond correctly to a secret scanning or push protection scenario | Yes / No
Explain the difference between Dependabot alerts, security updates, and general dependency updates | Yes / No
Identify whether a setting or action belongs at repository, organization, or enterprise scope | Yes / No
Interpret security posture and prioritization scenarios | Yes / No
Finish timed practice without rushing the final questions | Yes / No
Explain why wrong answer choices are wrong | Yes / No

If several answers are “No,” do not add more random study material. Return to your missed-question log and repair the highest-frequency weak areas.

High-yield final review checklist

Use this list during the last few days.

  • Code scanning setup options and when each is appropriate.
  • CodeQL workflow structure and common reasons scanning may not behave as expected.
  • Alert lifecycle: open, fixed, dismissed, reopened, assigned, and reviewed.
  • Secret scanning detection, push protection, bypass handling, and remediation.
  • Dependency graph, Dependabot alerts, Dependabot security updates, and dependency review.
  • Repository vs. organization vs. enterprise scope.
  • Permissions and ownership for viewing, configuring, and managing security alerts.
  • Security overview and risk prioritization scenarios.
  • CI/CD security basics related to GitHub Actions and least-privilege automation.
  • Common wording traps from your own missed-question log.

Practical next step

Choose the schedule that matches your exam date, then take a diagnostic practice set before doing more reading. Build your missed-question log on day one, use it to drive each study session, and finish your preparation with timed GH-500 practice plus focused review of your weakest GitHub Advanced Security workflows.
