This repository is a production-quality, hands-on study guide for the GH-500: GitHub Advanced Security certification exam. It covers all five official exam domains with structured documentation, annotated configuration files, intentionally vulnerable code for scanning practice, automation scripts, and real GitHub Actions workflows. Content is mapped directly to the official exam objectives and weighted accordingly — Domain 3 (Dependabot / Dependency Review, 35%) and Domain 4 (Code Scanning / CodeQL, 25%) receive the deepest treatment. If you have experience with software development and want a focused, practitioner-level resource to prepare for GHAS certification, this is it.
To read the study materials, nothing is required beyond a browser or text editor.
To run the hands-on demos and scripts, you need:
| Requirement | Why | Install |
|---|---|---|
| GitHub account | Required for all GHAS features | github.com |
| GHAS-enabled repository | Private repos need a GHAS license; use a public repo for free access | Fork this repo (public = free GHAS) |
| `gh` CLI | All scripts and API demos use it | `brew install gh` · cli.github.com |
| `jq` | JSON parsing in scripts | `brew install jq` · stedolan.github.io/jq |
| `GH_TOKEN` env var | API authentication for scripts | `export GH_TOKEN=$(gh auth token)` |

> [!TIP]
> Fastest path to a live GHAS environment: fork this repo. It's public, so secret scanning and code scanning are free immediately. Enable Dependabot in the fork's Settings > Code security and analysis.

```bash
# 1. Clone (or fork first, then clone your fork)
git clone https://github.com/your-org/gh-500-cert-prep.git
cd gh-500-cert-prep

# 2. Set up CLI auth
gh auth login
export GH_TOKEN=$(gh auth token)

# 3. Read the exam objectives and domain weights
open exam-metadata/gh-500-exam-objectives.md
open exam-metadata/domain-weights.md

# 4. Work through the docs in domain order
open docs/01-ghas-overview.md

# 5. Run the hands-on demos (start with enable-ghas, then follow the numbered sequence)
open demos/01-enable-ghas/README.md

# 6. Use the cheat sheet for final review
open QUICK-REFERENCE.md
```

| # | Domain | Weight | Doc Link |
|---|---|---|---|
| 1 | Describe GHAS Security Features & Functionality | 15% | docs/01-ghas-overview.md |
| 2 | Configure and Use Secret Scanning | 15% | docs/02-secret-scanning.md |
| 3 | Configure and Use Dependabot and Dependency Review | 35% | docs/03-dependabot.md · docs/03-dependency-review.md |
| 4 | Configure and Use Code Scanning with CodeQL | 25% | docs/04-code-scanning.md · docs/04-codeql-deep-dive.md |
| 5 | GHAS Best Practices, Results & Corrective Measures | 10% | docs/05-best-practices.md |

> [!IMPORTANT]
> Domain 3 (Dependabot + Dependency Review) accounts for 35% of the exam. Spend proportional study time here. Know `dependabot.yml` options cold, especially `groups`, `ignore`, and `auto-dismiss-stale-prs`.

| Feature | Secret Scanning | Code Scanning (CodeQL) | Dependabot |
|---|---|---|---|
| What it finds | Exposed secrets, tokens, credentials | Code vulnerabilities (SQL injection, XSS, etc.) | Vulnerable dependencies |
| When it runs | On push, in PRs (push protection), and historically | On push, PR, or schedule (via Actions) | On push to dependabot.yml, on schedule |
| Alert type | Secret scanning alert | Code scanning alert (SARIF) | Dependabot alert |
| Auto-remediation | No (notify + block with push protection) | No (alerts only) | Yes (Dependabot security updates PRs) |
| GHAS required? | Yes (private repos); free on public | Yes (private repos); free on public | Alerts: free. Security updates: free. Dependency review: GHAS |
| Config location | Repo/org settings UI or API | `.github/workflows/codeql.yml` | `.github/dependabot.yml` |
| Alert location | Security > Secret scanning alerts | Security > Code scanning alerts | Security > Dependabot alerts |

| Feature | GitHub Enterprise Cloud (GHEC) | GitHub Enterprise Server (GHES) |
|---|---|---|
| Secret scanning | ✅ | ✅ (3.1+) |
| Push protection | ✅ | ✅ (3.4+) |
| Custom secret patterns | ✅ | ✅ (3.2+) |
| Secret validity checks | ✅ | ❌ |
| Dependabot alerts | ✅ | ✅ (3.0+) |
| Dependabot security updates | ✅ | ✅ (3.3+) |
| Dependabot version updates | ✅ | ✅ (3.3+) |
| Dependency review | ✅ | ✅ (3.6+) |
| Code scanning (CodeQL) | ✅ | ✅ (3.0+) |
| Security overview | ✅ (org level) | ✅ (3.5+) |
| Auto-triage rules | ✅ | ✅ (3.9+) |

| Capability | Dependabot Alerts | Dependabot Security Updates | Dependency Review |
|---|---|---|---|
| Trigger | New CVE in Advisory DB | Dependabot alert created | Pull request opened |
| Output | Alert in Security tab | Pull request with fix | PR check (pass/fail) |
| Action | None — informational | Auto-opens PR to bump version | Blocks PR if vulnerable dep added |
| Requires GHAS? | No (all repos) | No (all repos) | Yes (or public repo) |
| Config file | Repo settings | Repo settings + `dependabot.yml` | `.github/workflows/dependency-review.yml` |

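The "Dependency Review" column above describes a PR check that passes or fails on what the pull request adds. As an added example (not the repo's own `demos/04-dependency-review/dependency-review.yml`), here is a workflow that fails the check when a newly added dependency carries a high or critical advisory or a denied license. The branch name, the severity threshold and the license list are assumptions chosen for the example:

```yaml
# .github/workflows/dependency-review.yml (added example, not the repo's own file)
name: Dependency Review

on:
  pull_request:
    branches: [main]          # assumed default branch

permissions:
  contents: read              # read the base and head manifests
  pull-requests: write        # only needed for comment-summary-in-pr

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Compares the dependency graph of the PR head against the base branch.
      # The step fails (and so blocks the merge when the check is required)
      # if an added dependency has an advisory at or above the threshold,
      # or is published under a denied license.
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high              # low | moderate | high | critical
          deny-licenses: GPL-3.0, AGPL-3.0    # assumed policy for this example
          comment-summary-in-pr: on-failure   # always | on-failure | never
```

The contrast with Dependabot is the exam point: nothing here runs on a schedule and no PR is opened. The action only evaluates the diff of the pull request and reports pass or fail; to actually block merges, the check must also be marked as required in branch protection or a ruleset. It needs the dependency graph enabled on the repo, and on private repos a GHAS license.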

| Method | GitHub Actions (CodeQL) | Advanced Setup (3rd-party CI) | SARIF Upload |
|---|---|---|---|
| Where CodeQL runs | GitHub-hosted runner | Your CI system | Your CI system |
| Config | `codeql.yml` workflow | CodeQL CLI + `database analyze` | Any SARIF-producing tool |
| Language support | All supported languages | All supported languages | Any language (tool-dependent) |
| GitHub manages query updates? | Yes | No (you pin the version) | N/A |
| GHAS required? | Yes (private repos) | Yes (private repos) | Yes (private repos) |
| Results location | Security > Code scanning | Security > Code scanning | Security > Code scanning |

```text
gh-500-cert-prep/
├── README.md                     # This file
├── QUICK-REFERENCE.md            # Printable cheat sheet
├── CLAUDE.md                     # AI assistant context
├── CONTRIBUTING.md
├── LICENSE
├── .gitignore
├── .editorconfig
│
├── exam-metadata/
│   ├── gh-500-exam-objectives.md # Full domain/objective breakdown
│   ├── domain-weights.md         # Visual weight table + study time guide
│   └── key-terms-glossary.md     # 40+ GHAS terms defined
│
├── docs/
│   ├── 01-ghas-overview.md       # Domain 1 (15%)
│   ├── 02-secret-scanning.md     # Domain 2 (15%)
│   ├── 03-dependabot.md          # Domain 3 – Dependabot (35%)
│   ├── 03-dependency-review.md   # Domain 3 – Dependency Review (35%)
│   ├── 04-code-scanning.md       # Domain 4 – Code Scanning (25%)
│   ├── 04-codeql-deep-dive.md    # Domain 4 – CodeQL deep dive (25%)
│   └── 05-best-practices.md      # Domain 5 (10%)
│
├── demos/
│   ├── 01-enable-ghas/README.md
│   ├── 02-secret-scanning/{README,sample-secrets,custom-pattern}.md
│   ├── 03-dependabot/{README,dependabot.yml,package.json,requirements.txt}
│   ├── 04-dependency-review/{README,dependency-review.yml}
│   ├── 05-code-scanning/{README,codeql-analysis.yml,vulnerable-app/,sarif-upload.yml}
│   └── 06-security-at-scale/{README,enforce-codeql-ruleset}.md
│
├── .github/
│   ├── workflows/
│   │   ├── codeql.yml
│   │   ├── dependency-review.yml
│   │   └── secret-scan-check.yml
│   ├── SECURITY.md
│   └── dependabot.yml
│
└── scripts/
    ├── enable-ghas-org.sh
    ├── list-secret-alerts.sh
    ├── list-code-alerts.sh
    └── generate-sbom.sh
```

Four ready-to-run Bash scripts in `scripts/` for working with the GitHub API. All require `GH_TOKEN` and the `gh` CLI.

| Script | What it does | Key env vars |
|---|---|---|
| `enable-ghas-org.sh` | Enables GHAS (secret scanning, push protection, Dependabot) across every non-archived private repo in an org | `GH_ORG`, `DRY_RUN=true` to preview |
| `list-secret-alerts.sh` | Lists secret scanning alerts for a repo or org; outputs table, CSV, or JSON | `GH_REPO` or `GH_ORG`, `STATE`, `FORMAT` |
| `list-code-alerts.sh` | Lists code scanning alerts with severity breakdown; filterable by state, severity, and tool | `GH_REPO` or `GH_ORG`, `SEVERITY`, `TOOL` |
| `generate-sbom.sh` | Exports an SBOM (SPDX 2.3) from the dependency graph and prints a license/package summary | `GH_REPO`, `OUTPUT_FILE` |

```bash
# Example: dry-run GHAS enablement across an org
GH_ORG=my-org DRY_RUN=true ./scripts/enable-ghas-org.sh

# Example: export SBOM for a repo
GH_REPO=owner/repo ./scripts/generate-sbom.sh

# Example: list critical code scanning alerts as CSV
GH_REPO=owner/repo SEVERITY=critical FORMAT=csv ./scripts/list-code-alerts.sh
```

| Resource | URL |
|---|---|
| GH-500 Official Exam Page | https://examregistration.github.com/certification/GHAS |
| GitHub Advanced Security Docs | https://docs.github.com/en/enterprise-cloud@latest/code-security |
| CodeQL Documentation | https://codeql.github.com/docs/ |
| CodeQL Query Suites | https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites |
| GitHub Advisory Database | https://github.com/advisories |
| Dependabot Configuration Options | https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file |
| Dependency Review Action | https://github.com/actions/dependency-review-action |
| Secret Scanning Partners | https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns |
| SARIF Specification | https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html |
| Microsoft Learn – GHAS Path | https://learn.microsoft.com/en-us/training/paths/configure-use-secret-scanning-github/ |

> [!NOTE]
> These tips are weighted toward Domain 3 (35%) and Domain 4 (25%) because together they account for 60% of the exam.

- Know `dependabot.yml` options cold. The exam tests `package-ecosystem` values, `schedule.interval`, `groups`, `ignore` patterns, and `open-pull-requests-limit`. Memorize the valid ecosystem names (`npm`, `pip`, `maven`, `nuget`, `docker`, etc.).
- Understand the difference between Dependabot Alerts and Dependabot Security Updates. Alerts are informational. Security Updates are automated PRs. They require separate enablement and can be configured independently.
- Know CodeQL's default vs. extended query suites. Default (`code-scanning`) focuses on precision. Extended (`security-extended`) adds lower-confidence queries. `security-and-quality` adds maintainability queries. The exam tests when each suite is appropriate.
- SARIF is the lingua franca of code scanning. Know the SARIF schema: `runs[].results[].locations`, `ruleId`, `level` (`error`/`warning`/`note`). Know that GitHub accepts SARIF 2.1.0.
- Push protection is distinct from secret scanning alerts. Push protection blocks commits before they reach GitHub. Secret scanning alerts are post-push notifications. Both can be enabled independently.
- Dependency Review Action is a separate workflow from Dependabot. It runs in PR workflows and can block merges. Dependabot runs on a schedule and opens PRs. Know both config files.
- GHAS is licensed per committer on private repos. On public repos, secret scanning and code scanning are free. On private GHES/GHEC repos, a GHAS license is required.
- Security Overview is org-level, not repo-level. It aggregates alerts across all repos. It requires the organization owner or security manager role.
- CodeQL supports compiled languages differently. For C/C++, C#, Java/Kotlin, and Swift, CodeQL requires a build step (`autobuild` or manual). For Python, JavaScript, Go, and Ruby, no build is needed.
- Custom secret patterns use Hyperscan-compatible regex, not PCRE. There are subtle differences (e.g., no lookaheads). Test patterns with the dry-run feature before enabling.
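The `dependabot.yml` options the first tip lists are easiest to remember when seen together in one file. The configuration below is an added example written for this README, not the repo's own `.github/dependabot.yml` or the one in `demos/03-dependabot/`; the package names, the subdirectory layout and the schedule values are assumptions for illustration:

```yaml
# .github/dependabot.yml (added example, not the repo's own file)
version: 2
updates:
  # npm: one weekly run, with updates grouped so a single PR carries all
  # minor/patch bumps of production deps instead of one PR per package
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"        # daily | weekly | monthly
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5   # cap on concurrently open version-update PRs
    groups:
      production-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      dev-dependencies:
        dependency-type: "development"
        patterns: ["*"]
    ignore:
      # Stay on the current major of express (assumed package); minor and
      # patch updates are still proposed
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
    labels: ["dependencies", "npm"]

  # pip: the manifest lives in a subdirectory (assumed layout)
  - package-ecosystem: "pip"
    directory: "/services/api"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # docker: base image tags in the Dockerfile at the repo root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"

  # github-actions: keep the workflow actions themselves current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Two things to keep straight for the exam: this file drives version updates, while security updates are switched on in the repo's security settings, and a major version that is excluded under `ignore` only suppresses version-update PRs for that range; it does not remove the Dependabot alert for a vulnerable version.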