GitHub GitHub Certification GitHub-Advanced-Security New Questions

In a workflow: GitHub Actions workflows are the most common place for CodeQL code scanning. The codeql-analysis.yml defines how the analysis runs and when it triggers.

In an external CI system: GitHub allows you to run CodeQL analysis outside of GitHub Actions. Once complete, the results can be uploaded using the upload-sarif action to make alerts visible in the repository.

You cannot run or trigger analysis from third-party repositories directly, and theFiles changed tabin pull requests only shows diff — not analysis results.

After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to theminimum required secure version—if a fix is available and compatible with your project.

This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behaviors using dependabot.yml, but in the default state, PR creation is automatic.

Secret scanning is a feature provided by GitHub that scans the contents of your GitHub repositories for known types of secrets, such as API keys and tokens. It operates within the GitHub environment and does not scan external systems, services, or repositories outside of GitHub. Its primary function is to prevent the accidental exposure of sensitive information within your GitHub-hosted code.​

Code scanningis a static analysis feature that examines your source code to identifysecurityvulnerabilitiesandcoding errors. It runs either on every push, pull request, or a scheduled time depending on the workflow configuration.

It doesnotautomatically contact maintainers, scan full Git history, or block pushes unless explicitly configured to do so.