Pass the Microsoft GitHub Administrator GH-500 Questions and answers with CertsForce

Validity checks — where GitHub verifies if a secret is still active — are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

The Security tab in a GitHub repository provides a central location for viewing security-related information, especially when GitHub Advanced Security is enabled. The following can be accessed:

Number of alerts related to:

Code scanning

Secret scanning

Dependency (Dependabot) alerts

Summary and visibility into open, closed, and dismissed security issues.

It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those belong to account or organization-level settings.

The best proactive control is push protection. It scans for secrets during a git push and blocks the commit before it enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

In a repository's Security tab, you can view:

Secret scanning alerts: Exposed credentials or tokens

Dependabot alerts: Vulnerable dependencies from the advisory database

Code scanning alerts: Vulnerabilities in code detected via static analysis (e.g., CodeQL)

You won’t see general "security status alerts" (not a formal category) or permission-related alerts here.

Secret validation checks whether a secret found in your repository is still valid and active with the issuing provider (e.g., AWS, GitHub, Stripe). If a secret is confirmed to be active, the alert is marked as verified, which means it's considered a high-priority issue because it presents an immediate security risk.

This helps teams respond faster to valid, exploitable secrets rather than wasting time on expired or fake tokens.

Using the Custom setting allows you to subscribe to specific event types, such as Dependabot alerts or vulnerability notifications, without being overwhelmed by all repository activity. This is essential for repository maintainers who need fine-grained control over what kinds of events trigger notifications.

This setting is configurable per repository and allows users to stay aware of critical issues while minimizing notification noise.

To ensure you're notified whenever a vulnerability is detected via Dependabot, you must enable alerts for Dependabot in your personal notification settings. This applies to both new and existing repositories. It ensures you get timely alerts about security vulnerabilities.

The dependency graph must be enabled for scanning, but does not send alerts itself.

Comprehensive and Detailed Explanation:

To generate a dependency graph for a private repository, GitHub requires:​

Dependency graph enabled: The repository must have the dependency graph feature enabled. This can be configured at the organization level to apply to all new private repositories.​

Access to manifest and lock files: GitHub needs read-only access to the repository's dependency manifest and lock files (e.g., package.json, requirements.txt) to identify and map dependencies.​

The best way to prioritize secret scanning alerts is to filter by active secrets — these are secrets GitHub has confirmed are still valid and could be exploited. This allows security teams to focus on high-risk exposures that require immediate attention.

Sorting by time or filtering by custom patterns won’t help with risk prioritization directly.

The dependency graph in a repository is built by parsing manifest and lock files (like package.json, pom.xml, requirements.txt). It helps GitHub detect dependencies and cross-reference them with known vulnerability databases for alerting.

It is specific to each repository and does not show org-wide or cross-repo summaries.