This study guide is designed for security engineers, DevOps professionals, and developers preparing for the GH-500: GitHub Advanced Security certification. It covers planning, configuring, and managing GitHub Advanced Security features to secure code, automate vulnerability scanning, and enforce best practices across your repositories.
The GHAS (GH-500) exam measures proficiency across five domains with the following weightings. Click on each objective link below to find a detailed skills breakdown mapped to specific Microsoft Learn modules and relevant documentation links.
- Domain 1: Describe the GHAS security features and functionality (15%)
- Domain 2: Configure and use secret scanning (15%)
- Domain 3: Configure and use Dependabot and Dependency Review (35%)
- Domain 4: Configure and use Code Scanning with CodeQL (25%)
- Domain 5: Describe GitHub Advanced Security best practices, results, and how to take corrective measures (10%)
- Hands-on Practice: Enable GHAS on a sample repository and walk through code scanning setup, secret scanning, and dependency review alerts.
- Review Official Docs: Familiarize yourself with GitHub Advanced Security documentation and the exam skills outline.
- Understand Workflows: Know how to configure and customize GitHub Actions for scanning, triaging alerts, and integrating with issue trackers.
- Certification Page: GitHub Advanced Security Certification
- Browse GitHub Credentials: GitHub Certifications
- Official Training Course: GH-500T00: GitHub Advanced Security Workshop
- Official Microsoft Study Guide: Study Guide
Import the provided Anki deck (./anki/GitHub__Advanced Security (GHAS)__MGAS - Github advanced security - microsoft learn.apkg) for spaced repetition of key terms, definitions, and code snippets. It bundles every question in this repository into a single file.
Important
Prefer the Anki deck when in doubt: it always contains the most current set of questions and answers, even where the same questions also appear elsewhere in the repository.
Test your knowledge with official practice assessments:
- Microsoft Learn Practice Assessment: Official GH-500 GitHub Advanced Security Practice Questions
Explore these interactive labs from the Securing Your Code with GitHub workshop:
| 🧪 Lab | Title | Description |
|---|---|---|
| Lab 1 | GitHub Advanced Security Feature Introduction | Get introduced to GHAS: enable features such as CodeQL, Dependabot, and Secret Scanning on the Juice Shop sample repository |
| Lab 2 | Reviewing and Managing Security Alerts | Learn to triage and fix the alerts generated during Lab 1 using GitHub's security interface |
| Lab 3 | Hands-on with Code Scanning | Inject bad code, set up a ruleset to block it, and use Copilot Autofix to remediate the findings |
| Lab 4 | Hands-on with Dependency Review | Use the Dependency Review workflow and ruleset enforcement to prevent vulnerable packages from being added |
| Lab 5 | Hands-on with Secret Scanning | Test secret scanning and push protection: try committing a secret and observe how GitHub blocks the push |
| Lab 6 | Hands-on with Security Overview | Explore the Security Overview dashboard to understand alerts and coverage at the organization level |
| EC Lab 1 | Extra Credit: Advanced CodeQL Setup | Dive deeper by switching to the advanced CodeQL configuration for more flexible scanning |
| EC Lab 2 | Extra Credit: Custom Patterns for Secret Scanning | Create and test custom secret-scanning patterns to catch non-standard secrets |
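The "Understand Workflows" study tip above, together with Lab 3, Lab 4, and EC Lab 1, assumes you can write the GitHub Actions workflow that drives advanced CodeQL setup and dependency review. The workflow below is an added example for reference while studying; it is not part of the workshop labs or the Juice Shop repository. It assumes a JavaScript/TypeScript project (as Juice Shop is), a default branch named `main`, a `high` severity threshold, and a deny-list of two copyleft licenses; adjust all of these to your own policy.

```yaml
# Added study example (not from the workshop): advanced CodeQL setup plus
# dependency review in one workflow. Assumed values: default branch "main",
# language "javascript-typescript", severity threshold "high", license deny-list.
name: GHAS scans

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'   # weekly full scan so new queries hit unchanged code

# Least privilege by default; each job widens only what it needs.
permissions:
  contents: read

jobs:
  codeql:
    name: CodeQL (advanced setup)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results as code scanning alerts
    strategy:
      fail-fast: false
      matrix:
        language: [ javascript-typescript ]   # assumption: Juice Shop is a Node.js app
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # broader query suite than the default

      # No autobuild step: JavaScript/TypeScript is extracted without compiling.

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so multiple uploads do not overwrite each other.
          category: "/language:${{ matrix.language }}"

  dependency-review:
    name: Dependency review
    if: github.event_name == 'pull_request'   # the action diffs the PR's dependency changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # needed to post the summary comment on the PR
    steps:
      - uses: actions/checkout@v4

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high             # assumption: block high and critical only
          deny-licenses: GPL-3.0, AGPL-3.0   # assumption: example license deny-list
          comment-summary-in-pr: always
```

To turn a failing dependency review or CodeQL job into a hard gate (the ruleset enforcement exercised in Labs 3 and 4), add each job's check name as a required status check in a branch ruleset for `main`; without the ruleset the job only reports, it does not block the merge.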
OWASP Practice repository: https://github.com/juice-shop/juice-shop