GitHub Enterprise Administrator (GH-100) · Domain 3 · 29% of exam

Implement secure software development and compliance

Drill 20 practice questions focused entirely on Implement secure software development and compliance for the GitHub GH-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

An enterprise administrator receives complaints that a custom internal integration, which uses a GitHub App to bulk-create issues across hundreds of repositories, intermittently fails with HTTP 403 responses containing a 'You have exceeded a secondary rate limit' message. The primary hourly rate limit budget for the installation token is far from exhausted. The administrator is asked to recommend the most effective way to reduce these failures without requesting a special limit increase from GitHub. What should the administrator recommend?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your compliance team requires that all enterprise audit log events on GitHub Enterprise Cloud be retained for seven years in a tamper-resistant store that your SIEM can query, well beyond GitHub's default retention window. The team also wants near-real-time delivery so security analysts can alert on suspicious events. As the enterprise owner, what is the most appropriate way to meet these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 20

You administer a GitHub Enterprise Cloud organization. A development team needs CodeQL code scanning enabled on a JavaScript repository. They want the fastest possible way to get scanning running, but a separate legacy C/C++ repository requires a custom build command and a specific compiler toolchain before CodeQL can analyze it. Which configuration approach correctly satisfies both repositories?

Reviewed for accuracy · Report an issue
Question 4 of 20

A security engineer enables Dependabot alerts on a repository, but no alerts appear even though the team knows a direct dependency in their Python project has a published CVE. The repository contains a requirements.txt file, and the dependency graph feature shows as enabled in the repository's Settings. What is the most likely reason Dependabot is not generating an alert?

Reviewed for accuracy · Report an issue
Question 5 of 20

You administer a GitHub Enterprise Cloud organization with hundreds of repositories. The security team complains that Dependabot alerts are overwhelming: developers are inundated with low-severity notifications and are ignoring the truly critical ones. Leadership wants a way to focus response effort on the highest-risk vulnerabilities across the organization without disabling Dependabot alerts entirely. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 6 of 20

A platform team maintains a Node.js monorepo where Dependabot version updates are already enabled. Every week the team receives dozens of separate pull requests — one for each npm dependency that has a new release — which overwhelms reviewers and slows the merge queue. The team wants to keep receiving updates but consolidate related dependency bumps into a smaller number of pull requests per ecosystem. Which configuration change in dependabot.yml best achieves this?

Reviewed for accuracy · Report an issue
Question 7 of 20

A platform team at a fintech company wants Dependabot to automatically open pull requests for known security vulnerabilities in their npm dependencies as soon as advisories are published, but they explicitly do NOT want routine PRs opened just because a newer non-vulnerable version of a package is released. The repository already has the dependency graph enabled. Which configuration achieves exactly this behavior?

Reviewed for accuracy · Report an issue
Question 8 of 20

As an enterprise owner, you enable a policy in the enterprise security settings that turns on secret scanning for all organizations and disables the ability for organization owners to change it. A few weeks later, an organization owner opens a support request claiming they cannot disable secret scanning for a repository containing intentionally committed test fixtures with fake credentials. What is the correct explanation and resolution?

Reviewed for accuracy · Report an issue
Question 9 of 20

A developer needs to create a personal access token for a script that will only read issues and pull requests from three specific repositories in your organization. Your enterprise security policy requires that tokens grant the minimum access necessary and that token access to individual repositories can be explicitly limited. Which token approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your platform team is building an internal CI/CD integration that must act on behalf of the organization (not an individual developer), post commit statuses, read repository contents, and continue working reliably even after the engineer who set it up leaves the company. The integration will make a high volume of API calls across many repositories. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

You administer a GitHub Enterprise Server (GHES) instance and want to give your development teams visibility into which open-source dependencies used across your private repositories have known vulnerabilities, by leveraging the vulnerability data maintained in the GitHub Advisory Database on GitHub.com. Your instance currently has no connection to GitHub.com. Which action must you take first to enable this dependency and vulnerability insight capability?

Reviewed for accuracy · Report an issue
Question 12 of 20

You administer a GitHub Enterprise Cloud organization that must comply with a new supply-chain integrity policy. Auditors require that every commit merged into the default branch of all repositories be cryptographically verifiable, and that release tags matching 'v*' cannot be deleted or overwritten by anyone except a small release-engineering group. You want to enforce this consistently across all current and future repositories with the least ongoing maintenance. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

You are an organization owner for a GitHub Enterprise Cloud organization with GitHub Advanced Security licensed. Leadership requires that secret scanning be automatically enabled on every existing repository as well as any repository created in the future, without an administrator needing to configure each repo individually. What is the most efficient way to meet this requirement?

Reviewed for accuracy · Report an issue
Question 14 of 20

A developer at your company is trying to push a commit that contains a test configuration file. Push protection for secret scanning is enabled organization-wide. The push is blocked because GitHub detected what appears to be an AWS access key ID, but the developer insists it is a fabricated, non-functional value used only for unit tests. The developer needs to complete the push, and your security team requires that all such bypasses be reviewable after the fact. As the enterprise administrator, what is the correct guidance?

Reviewed for accuracy · Report an issue
Question 15 of 20

An enterprise security team wants to ensure that when developers create tokens to access organization repositories via the API, each token is scoped to only the specific repositories the developer needs, requires organization owner approval before gaining access, and can be given a mandatory maximum lifetime. Some developers currently use classic personal access tokens that automatically gain access to all organizations they belong to. Which action best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your company uses a GitHub Enterprise Cloud instance with Enterprise Managed Users (EMU). Security requires that developers cannot create personal access tokens (classic) that never expire, and that all programmatic access tokens are limited to organization-owned resources with a maximum lifetime. As the enterprise owner, which configuration best enforces this requirement across all organizations in the enterprise?

Reviewed for accuracy · Report an issue
Question 17 of 20

A security engineer at a financial services company wants to detect a proprietary internal API key format (e.g., FINX-<32 hex chars>) across all repositories in their GitHub Enterprise Cloud organization. They have written a custom secret scanning pattern but are concerned that a poorly written regular expression could generate thousands of false positives that overwhelm the security team. What should they do before publishing the pattern to all repositories?

Reviewed for accuracy · Report an issue
Question 18 of 20

An enterprise administrator has enabled secret scanning with push protection across all repositories in an organization. A developer reports that when they attempt to push a commit containing an AWS access key, the push is blocked. The security team wants to allow developers to proceed in genuine emergencies but requires that every such override be recorded for later review and that a reason be captured. Which configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your security team enables secret scanning across all organization repositories in GitHub Enterprise Cloud. They receive hundreds of alerts and want to focus first on credentials that are confirmed to still be usable by an attacker, rather than expired or revoked tokens. Which secret scanning capability should they enable to help them prioritize alerts this way?

Reviewed for accuracy · Report an issue
Question 20 of 20

A maintainer of a widely-used open source repository in your enterprise organization discovers a serious remote-code-execution vulnerability in the current release. They want to develop and test a fix privately with two external contributors before publicly disclosing anything, then release the patch and publish a CVE simultaneously. Which GitHub feature should they use to accomplish this coordinated disclosure workflow?

Reviewed for accuracy · Report an issue

More GH-100 practice

Keep going with the other GitHub Enterprise Administrator (GH-100) domains, or take a full timed mock exam.

← Back to GH-100 overview