Supplemental study resources to get you GitHub Certified

GitHub Advanced Security is one of 5 available GitHub Certifications

Introduction

The GitHub Advanced Security (GH-500) certification tests your knowledge and skills in securing software development workflows using GitHub’s advanced security tools.

I’ve taken GitHub exams in the past and felt relatively confident, given my background in DevOps platforms and tools. GitHub’s security platform, however, was quite new to me, making this one of the exams for which I was most nervous. Thankfully I passed on my first try, and in this post, I’ll share some of resources that helped me prepare for GH-500, as well as some tips to get you GitHub Certified.

The Basics

GitHub Advanced Security can be categorized into 3 main products:

1. Code Security

Code Security helps identify and resolve security issues in the code you write. This includes static code analysis via GitHub or 3rd party tools that generate SARIF (Static Analysis Results Interchange Format) files integrated into your workflow, as well as CodeQL, a language + tool that turns your code into a database that can be queried to identify problems.

2. Secret Protection

Secret Protection is concerned with detecting sensitive credentials that may get included in your code. It includes Push Protection to prevent secrets being added to a commit in the first place, as well as scanning, custom patterns, and partner provider support to accelerate invalidating credentials that do make it into the codebase.

3. Dependabot

Dependabot regularly scans your code to identify dependencies like third-party libraries and packages and react to vulnerabilities discovered in those dependencies. By using alerts and pull requests to update your dependency files, teams get proactive and reactive support to ensuring the libraries they use stay up-to-date and secure.

Tips

  1. The exam includes 70 questions and provides 2+ hours to complete. Take your time, read through each question carefully, and take breaks when needed.

  2. You can mark questions for review, allowing you to return to them for a second look and preventing wasting time on a single item. Try not to mark too many, though; when I mark more than 10 questions, I tend to be too tired by the end of the test to review all of them.

  3. CodeQL knowledge is not a must, but understanding how CodeQL databases are built, basic query syntax, and integrating code scanning in a GitHub Action is very helpful.

  4. Familiarize yourself with GHAS role requirements! Several Advanced Security features are enabled by default in public repositories, and configuration of each feature has various role requirements. Have a good understanding of what settings are available to modify, and the minimum permissions you need to do so.

  5. You won’t need to enumerate or describe references like CVE and CWE, but you should at least know what they are and to which features they apply.

Microsoft Learn

Self-paced learning site that covers almost all of Microsoft’s extensive catalog of products and services. Many of the courses here provide virtual sandboxes or lab guides to get hands-on experience with a new product; for GitHub, exercises are performed in live GitHub repositories that let you perform the tasks in a real environment!

Study guide for GH-500: GitHub Advanced Security - Read through the skills measured and how you can mentally allot your study time/capacity.

Learning Path: GitHub Advanced Security Part 1 of 2 - Covers the foundations of Secret Scanning, Code Scanning, and Dependabot.

Learning Path: GitHub Advanced Security Part 2 of 2 - Goes deeper into setting up and using CodeQL, as well as administering GitHub Advanced Security

aka.ms/practicetest

Have this one bookmarked, because it contains assessments for almost every Microsoft exam.

Practice Assessment for GH-500: GitHub Advanced Security - 30 multiple choice questions that simulate the format you’ll see on the test.

Note: I found some of the questions to be a bit repetitive and simple, so this particular assessment has room to improve

GH Certified community tests

This is not an official Microsoft tool, but an open source repository of sample questions from GitHub enthusiasts around the world.

GitHub Advanced Security Practice Test - This was really useful, as the questions here most closely reflected what I saw on the test. You can configure the number of questions to take, and the GHAS one has up to 116. Take this if you like testing marathons!

Conclusion

Schedule your online exam through Pearson Vue when you feel ready and give it your best shot!

Thanks for reading, and Happy Building!

Happy Building