GitHub Administrator GH-500 Book

The best proactive control is push protection. It scans for secrets during a git push and blocks the commit before it enters the repository.

Other options (like CODEOWNERS or security managers) help with oversight but do not prevent secret leaks.

Making a repo public would increase the risk, not reduce it.

Validity checks — where GitHub verifies if a secret is still active — are available for partner patterns only. These are secrets issued by GitHub's trusted partners (like AWS, Slack, etc.) and have APIs for GitHub to validate token activity status.

Custom patterns and high entropy patterns do not support automated validity checks.

Query suite definitions in CodeQL are stored using the .qls file extension. A query suite defines a collection of queries to be run during an analysis and allows for grouping them based on categories like language, security relevance, or custom filters.

In contrast:

.ql files are individual queries.

.qll files are libraries used by .ql queries.

.yml is used for workflows, not query suites.

Comprehensive and Detailed Explanation:

Dependency review is triggered by specific events in GitHub workflows:​

pull_request: When a pull request is opened, synchronized, or reopened, GitHub can analyze the changes in dependencies and provide a dependency review.​

workflow_dispatch: This manual trigger allows users to initiate workflows, including those that perform dependency reviews.​

The trigger and commit options are not recognized GitHub Actions events and would not initiate a dependency review.​