Configure and Use Dependency Management
If default code security settings have not been changed at the repository, organization, or enterprise level, which repositories receive Dependabot alerts?
A. Repositories owned by an enterprise account
B. Private repositories
C. None
D. Repositories owned by an organization
Assuming no custom Dependabot behavior is configured, what does Dependabot do, where possible, after sending an alert about a vulnerable dependency in a repository?
A. Creates a pull request to upgrade the vulnerable dependency to the minimum possible secure version
B. Scans repositories for vulnerable dependencies on a schedule and adds those files to a manifest
C. Constructs a graph of all the repository's dependencies and public dependents for the default branch
D. Scans any push to all branches and generates an alert for each vulnerable repository
Which of the following steps should you follow to integrate CodeQL into a third-party continuous integration system? (Each answer presents part of the solution. Choose three.)
A. Process alerts
B. Analyze code
C. Upload scan results
D. Install the CLI
E. Write queries
What is a prerequisite to define a custom pattern for a repository?
A. Change the repository visibility to Internal
B. Close other secret scanning alerts
C. Specify additional match criteria
D. Enable secret scanning
Which of the following can be found in a repository's Security tab?
A. Number of alerts per GHAS feature
B. Two-factor authentication (2FA) options
C. Access management
D. GHAS settings
Which of the following statements best describes secret scanning push protection?
A. Commits that contain secrets are blocked before code is added to the repository.
B. Secret scanning alerts must be closed before a branch can be merged into the repository.
C. Buttons for sensitive actions in the GitHub UI are disabled.
D. Users need to reply to a 2FA challenge before any push events.
What does code scanning do?
A. It contacts maintainers to ask them to create security advisories if a vulnerability is found
B. It prevents code pushes with vulnerabilities as a pre-receive hook
C. It analyzes a GitHub repository to find security vulnerabilities
D. It scans your entire Git history on branches present in your GitHub repository for any secrets
Which security feature shows a vulnerable dependency in a pull request?
A. Dependency graph
B. Dependency review
C. Dependabot alert
D. The repository's Security tab
What step is required to run a tool that outputs SARIF (Static Analysis Results Interchange Format) on GitHub Actions?
A. Update the workflow to include a final step that uploads the results.
B. By default, the CodeQL runner automatically uploads results to GitHub on completion.
C. The CodeQL action uploads the SARIF file automatically when it completes analysis.
D. Use the CLI to upload results to GitHub.
After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?
A. Draft a pull request to update the open-source query.
B. Ignore the alert.
C. Open an issue in the CodeQL repository.
D. Dismiss the alert with the reason "false positive."
Which of the following formats are used to describe a Dependabot alert? (Each answer presents a complete solution. Choose two.)
A. Common Weakness Enumeration (CWE)
B. Exploit Prediction Scoring System (EPSS)
C. Common Vulnerabilities and Exposures (CVE)
D. Vulnerability Exploitability eXchange (VEX)
How would you build your code within the CodeQL analysis workflow? (Each answer presents a complete solution. Choose two.)
A. Upload compiled binaries.
B. Use CodeQL's init action.
C. Ignore paths.
D. Implement custom build steps.
E. Use jobs.analyze.runs-on.
F. Use CodeQL's autobuild action.