
Master Microsoft GH-500 Exam with Reliable Practice Questions

Viewing questions 1-5 out of 75 questions
Last exam update: Aug 27, 2025
Question 1

-- [Configure and Use Dependency Management]

Which of the following workflow events would trigger a dependency review? (Each answer presents a complete solution. Choose two.)


Correct: A, B

Comprehensive and Detailed Explanation:

Dependency review is triggered by specific events in GitHub workflows:

pull_request: When a pull request is opened, synchronized, or reopened, GitHub can analyze the changes in dependencies and provide a dependency review.

workflow_dispatch: This manual trigger allows users to initiate workflows, including those that perform dependency reviews.

The trigger and commit options are not recognized GitHub Actions events and would not initiate a dependency review.


Question 2

-- [Configure and Use Dependency Management]

Which of the following is the most complete method for Dependabot to find vulnerabilities in third-party dependencies?


Correct: C

Dependabot builds a dependency graph by analyzing package manifests and lockfiles in your repository. This graph includes both direct and transitive dependencies. It then compares this graph against the GitHub Advisory Database, which includes curated, security-reviewed advisories.

This method provides a comprehensive and automated way to discover all known vulnerabilities across your dependency tree.


Question 3

-- [Configure and Use Secret Scanning]

What filter or sort settings can be used to prioritize the secret scanning alerts that present the most risk?


Correct: C

The best way to prioritize secret scanning alerts is to filter by active secrets: these are secrets GitHub has confirmed are still valid and could be exploited. This allows security teams to focus on high-risk exposures that require immediate attention.

Sorting by time or filtering by custom patterns won't help with risk prioritization directly.


Question 4

-- [Configure GitHub Advanced Security Tools in GitHub Enterprise]

Which of the following Watch settings could you use to get Dependabot alert notifications? (Each answer presents part of the solution. Choose two.)


Correct: A, C

Comprehensive and Detailed Explanation:

To receive Dependabot alert notifications for a repository, you can utilize the following Watch settings:

Custom setting: Allows you to tailor your notifications, enabling you to subscribe specifically to security alerts, including those from Dependabot.

All Activity setting: Subscribes you to all notifications for the repository, encompassing issues, pull requests, and security alerts like those from Dependabot.

The Participating and @mentions setting limits notifications to conversations you're directly involved in or mentioned in, which may not include security alerts. The Ignore setting unsubscribes you from all notifications, including critical security alerts.

Question 5

-- [Configure and Use Secret Scanning]

Which patterns are secret scanning validity checks available to?


Correct: C

Validity checks, where GitHub verifies whether a secret is still active, are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.), which have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

