GHAS Certification Exam Prep: Part Four - Managing Your GitHub Securely #139526
Replies: 23 comments 15 replies
-
I believe these are the answers for this week:
Question One: How can you manage GitHub Advanced Security alerts?
Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
Question Four: Which tool helps identify and block secrets from being pushed into repositories?
Question Five: How can security policies be managed within GitHub?
Question Six: Which of the following is NOT a step in setting security policies within GitHub?
Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
Thank you very much for the new course content this week. Overall, thank you very much for this course. It has been a fantastic learning resource. And thank you very much for your comments and your kindness, @queenofcorgis, @gitstua.
-
Thanks again for the awesome list of resources, especially the Microsoft Learn paths! As for the answers, Q1. A
-
Question 1: How can you manage GitHub Advanced Security alerts?
Answer: A. By using the GitHub Advanced Security API endpoints.
Explanation: The GitHub Advanced Security API endpoints allow you to programmatically manage security alerts across your repositories. This includes retrieving, dismissing, and resolving alerts, which can help automate and streamline your security management processes.
Question 2: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
Answer: C. Set a security policy at the organization level.
Explanation: Setting a security policy at the organization level ensures that all repositories within the organization adhere to the same security standards. This helps in maintaining consistency and compliance across the board.
Question 3: Which GitHub Advanced Security feature isn't available on public repositories?
Answer: B. Security Overview.
Explanation: The Security Overview feature, which provides a high-level view of security alerts and vulnerabilities across multiple repositories, is not available for public repositories. This feature is designed for private repositories to help organizations manage their security posture.
Question 4: Which tool helps identify and block secrets from being pushed into repositories?
Answer: B. Secret scanning.
Explanation: Secret scanning is a feature that scans your repositories for sensitive data such as API keys, tokens, and passwords. It helps prevent these secrets from being accidentally committed to your codebase, thereby reducing the risk of security breaches.
Question 5: How can security policies be managed within GitHub?
Answer: D. All of the above.
Explanation: Managing security policies within GitHub involves creating documentation that details security guidelines, setting permissions and rules to control access, and automating processes to prevent security breaches. These combined efforts help ensure a robust security posture.
Question 6: Which of the following is NOT a step in setting security policies within GitHub?
Answer: D. Allowing unrestricted access to all users.
Explanation: Allowing unrestricted access to all users is not a step in setting security policies. Instead, security policies should focus on creating documentation, setting permissions and rules, and automating processes to enhance security.
Question 7: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
Answer: B. By using GitHub's basic security tools like secret scanning and code scanning.
Explanation: Using GitHub's basic security tools such as secret scanning and code scanning helps ensure compliance with industry standards by identifying and mitigating potential security risks in your codebase.
-
Question One: How can you manage GitHub Advanced Security alerts?
Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
Question Four: Which tool helps identify and block secrets from being pushed into repositories?
Question Five: How can security policies be managed within GitHub?
Question Six: Which of the following is NOT a step in setting security policies within GitHub?
Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
-
Posting the answers for the questions here, covering @queenofcorgis' answers:
Question One: How can you manage GitHub Advanced Security alerts?
A) By using the GitHub Advanced Security API endpoints
Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
C) Set a security policy at the organization level.
Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
B) Security Overview. The Security Overview is only available on private repositories with GitHub Advanced Security.
Question Four: Which tool helps identify and block secrets from being pushed into repositories?
B) Secret scanning
Question Five: How can security policies be managed within GitHub?
D) All of the above
Question Six: Which of the following is NOT a step in setting security policies within GitHub?
D) Allowing unrestricted access to all users
Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
B) By using GitHub's basic security tools like secret scanning and code scanning
-
Hello guys 🌟👋 For this last week I just want to say I'm gonna miss you all 🥹 It was very fun to come each week studying the prep materials and creating study breakdowns to share with you (it really motivates me!). I'm grateful for the materials, the questions, the contributions, and all. And thank you @queenofcorgis, you're an excellent moderator 😊. Here's my last breakdown for GitHub Advanced Security:
Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise
GitHub Advanced Security Administration
Explain how GitHub Advanced Security features are enabled on GitHub Enterprise Server:
Before enabling GHAS for GitHub Enterprise Server, first you need to enable Advanced Security for the GH Server instance (and your license must support Advanced Security). You can do that either in the interface or the CLI, but it's important to notice you have to enable each feature of Advanced Security (and you'll be billed for them, so take care). After you do that, you can reload your server instance, navigate to the Settings tab -> Code security and analysis of your organizations and configure how you want to enable GHAS for the organizations and repositories.
Explain how GitHub Advanced Security features are enabled for an organization:
To enable GHAS features at the organization level, you need to go to your organization's Settings tab -> Code security and analysis. You can choose to enable all the features, or only the features that you want, like Dependabot. You can also check to automatically enable the features for new repositories.
Set security policies for a repository:
The security policies for a repository are information displayed in the security tab of the repo (for those who don't have access to alerts) that tells how to report vulnerabilities, what the supported versions of the application are, and other useful stuff. To configure them, you just need to create the security.md markdown file in the .github/ folder, docs/ folder or in the root of the repository.
Set security policies for an organization:
The security policy at the organization level is a little more powerful. In the enterprise settings, you can create policies to allow all your organizations or only selected ones to enable GHAS features in their repositories (that's smart, because it can become very expensive if uncontrolled).
Describe how permissions are interpreted throughout the security workflow:
The permissions in a security workflow are, by default, evaluated using a GITHUB_TOKEN. It will grant read and/or write permissions depending on the scope (actions, issues, PRs, etc). You can also define your own custom permissions overriding the GITHUB_TOKEN using the permissions key in workflow YAML files. It can be applied to the entire workflow or only to specific jobs.
Locate API endpoints for GHAS features, like secret scanning, code scanning, and Dependabot:
GitHub also has different API endpoints for each Advanced Security feature, which can be useful in the development lifecycle. Each API has different purposes, but in general, they allow users to enable/disable the security feature and retrieve security alerts. The code scanning API also allows you to upload SARIF files from external scanning tools. For more information, you can check the documentation in:
List stakeholders that need to be involved in the security workflows enabled by GHAS, including their role in the workflow:
With GHAS, I understand the security workflow affects the entire development lifecycle, so this list should include everyone from developers to product owners. The developers are responsible for fixing security vulnerabilities, tech leaders are responsible for managing the technology stack and helping the developers with the solutions, the security managers create the security policies, the DevOps engineers create the pipelines and orchestrate the security workflows, and the product owners manage the timelines and decide what the standard level of security the product needs is.
Configure code scanning within a repository or organization using the default CodeQL workflow:
Go to Settings tab > Code security and analysis, scroll down to the code scanning section. In the set up drop-down you select "default". You'll be prompted for some basic configurations and GitHub will do the rest for you (creating a hidden workflow file that you don't have access to). After you finish the setup, you can enable code scanning and it will run the first scan for the repository.
Identify the custom build steps necessary in a CodeQL workflow:
The initial steps are similar to the default workflow, but in the code scanning section you'll select "advanced". With this setup you will have a codeql.yml workflow file to work on. There you can configure custom build commands for your application, custom CodeQL queries, file exclusions and other useful configuration. You can do it directly in the workflow file or you can reference a configuration file, like codeql-config.yml.
Prep questions answers:
Hey @profile-palash, you really inspired people with the
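As an added illustration of the breakdown above (the permissions key at workflow and job level, the "advanced" codeql.yml with a custom build step, and a referenced codeql-config.yml), not a file from the original post or from GitHub's own docs: the file path, branch name, schedule, language and build command are assumptions.

```yaml
# .github/workflows/codeql.yml (assumed path): advanced CodeQL setup with
# least-privilege GITHUB_TOKEN permissions. Added example, not the poster's file.
name: "CodeQL (advanced)"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"           # weekly scan, assumed schedule

# Workflow-level default: every job's GITHUB_TOKEN starts read-only on
# contents and gets no other scope.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Job-level override: only this job gets write on security-events,
    # which is what uploading SARIF results to code scanning requires.
    permissions:
      contents: read
      actions: read
      security-events: write
    strategy:
      matrix:
        language: [ "java" ]      # assumed compiled language needing a build
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Assumed config file holding custom queries and path exclusions.
          config-file: ./.github/codeql/codeql-config.yml

      # Custom build step in place of autobuild: CodeQL has to observe the
      # compiler, so the real build command runs here. Assumed Maven build.
      - name: Build
        run: mvn -B -DskipTests package

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The referenced codeql-config.yml is where the custom queries (`queries:`) and file exclusions (`paths-ignore:`) mentioned in the breakdown live, keeping the workflow itself short.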
-
I missed this week. Hopefully it is not too late.
-
Hi everyone
I would like to know if the certification voucher has already been delivered?
Congratulations to whoever wins this amazing benefit, just in case.
Have a nice week
On Wed, Oct 2, 2024, 9:27 AM MD Palash Hossain wrote:
@queenofcorgis Haha absolutely, the fun and learning never stop 😊 I'm looking forward to being active in the community...
-
Congratulations - we've completed the GHAS Certification Exam prep course. Share feedback and see if you were a voucher winner in this Discussion.
-
Congratulations
-
Q1. A
-
👋 Hello everyone! We know how much you enjoyed the GHAS certification prep, so we're thrilled to take things up a notch with the GitHub Copilot 🤖 certification prep! 🎉 Kicking off on November 18, this four-week journey is packed with key exam topics, interactive discussions, and hands-on exercises to set you up for success. 💚 ⭐ And here's the cherry 🍒 on top: top participants will have a chance to win certification vouchers. 👀 Subscribe to the discussion to stay on top of what's next. 🚀
-
This discussion and some of its comments have been edited and modified from its original format to enable evergreen learning
This is the last part of our GHAS certification exam prep materials. If you missed Part One's Discussion, Part Two's Discussion, and/or Part Three's Discussion, don't worry; feel free to get started and join us when you are caught up. The final installment covers Admin Essentials.
Plus, prep materials and test questions to continue studying.
Step One: Prep 📚
Use these materials to study before answering this week’s prep questions.
Step Two: Test Your Knowledge ⚡
Question One: How can you manage GitHub Advanced Security alerts?
A) By using the GitHub Advanced Security API endpoints
B) By manually checking each repository
C) By using a third-party tool
D) By disabling security features
Question Two: What can you do to ensure that everyone in your organization is using GitHub Advanced Security?
A) Give access to security alerts to users and teams with write permission on their repositories.
B) Add a SECURITY.md file to the root, docs, or .github folder of your organization's repositories.
C) Set a security policy at the organization level.
Question Three: Which GitHub Advanced Security feature isn't available on public repositories?
A) Secret scanning.
B) Security Overview.
C) Code scanning.
Question Four: Which tool helps identify and block secrets from being pushed into repositories?
A) Code scanning
B) Secret scanning
C) Dependency management
D) Issue tracking
Question Five: How can security policies be managed within GitHub?
A) By creating documentation that details security guidelines
B) By setting permissions and rules
C) By automating processes to prevent security breaches
D) All of the above
Question Six: Which of the following is NOT a step in setting security policies within GitHub?
A) Creating documentation that details security guidelines
B) Setting permissions and rules
C) Automating processes to prevent security breaches
D) Allowing unrestricted access to all users
Question Seven: How can you ensure compliance with industry standards when managing sensitive data in GitHub?
A) By ignoring security alerts
B) By using GitHub's basic security tools like secret scanning and code scanning
C) By disabling security features
D) By allowing bulk export of sensitive data
View the answers in this comment 🧠
Use the discussion below to share additional study resources and respond to our prep questions