GitHub Advanced Security (GH-500) Practice Test

The GH-500 exam targets system administrators, software developers, application administrators, and IT professionals who work with GitHub Enterprise Cloud (GHEC) or GitHub Enterprise Server (GHES) and are responsible for securing codebases at scale. Ideal candidates include DevSecOps engineers integrating security gates into CI/CD pipelines, application security specialists managing organizational vulnerability programs, and GitHub administrators enforcing repository and organization-level security policies.

Candidates should have hands-on experience enabling and configuring GHAS features across repositories and organizations, familiarity with GitHub Actions workflows, and an understanding of software supply chain security concepts including dependency graphs, SBOMs, and CVE/CWE classification. The intermediate difficulty level assumes prior GitHub platform experience; this is not an entry-level credential.

Microsoft does not list formal prerequisites for GH-500, but the official audience profile specifies intermediate-level experience with GitHub Enterprise Administration. Candidates are expected to understand GitHub's repository, organization, and enterprise permission model before attempting the exam, as access control questions appear across multiple domains.

Recommended preparation includes practical experience enabling GHAS features on private repositories, working knowledge of GitHub Actions (creating and modifying workflow YAML files), familiarity with CodeQL query suites and SARIF output formats, and experience interpreting Dependabot alerts and dependency graphs. Completing the official Microsoft Learn training course GH-500T00-A: GitHub Advanced Security provides structured coverage of all exam objectives and is the primary recommended prerequisite resource.

The GH-500 exam is delivered through Pearson VUE and includes a 100-minute time limit. The exam is proctored and may include interactive lab components in addition to standard multiple-choice and scenario-based questions. Candidates can experience the question interface in advance via the official exam sandbox at GHCertDemo.starttest.com before scheduling.

The exam is available in English, Spanish, Portuguese (Brazil), Korean, and Japanese. Pricing is approximately $99 USD, varying by country or region of testing. No official passing score is published on the Microsoft Learn certification page; third-party sources cite 700/1000 as a commonly reported threshold, but this should be verified against official communications at time of registration. If a candidate fails, a retake is permitted 24 hours after the first attempt; subsequent retake wait times vary per Microsoft's standard retake policy. A free practice assessment is available on Microsoft Learn (assessment ID 590484996).

• 1.Domain 1: Describe the GHAS security features and functionality (10%) — Differentiating security features available for open-source projects versus those requiring GHAS paired with GHEC or GHES; understanding Security Overview; contrasting secret scanning, code scanning, and Dependabot; explaining alert access management by role; identifying where GHAS features integrate into the SDLC.
• 2.Domain 2: Configure and use secret scanning (10%) — Enabling secret scanning for private repositories; configuring push protection and validity checks; customizing alert recipients; excluding files from scans; enabling custom secret patterns; determining alert generation for specific secrets and service providers.
• 3.Domain 3: Configure and use dependency management (15%) — Defining the dependency graph and SBOM (CycloneDX format); describing Dependabot alerts and security updates versus Dependency Review; enabling alerts for private repos and organizations; creating Dependabot configuration files and auto-dismiss rules; building Dependency Review GitHub Actions workflows with license checks and severity thresholds.
• 4.Domain 4: Configure and use code scanning (15%) — Enabling code scanning with default and third-party tools; contrasting CodeQL versus third-party SARIF integration; choosing workflow trigger events (pull request, scheduled); editing default Actions workflow templates; uploading third-party SARIF results via the API endpoint.
• 5.Domain 5: Use code scanning with CodeQL (20%) — Configuring CodeQL analysis in GitHub Actions and third-party CI systems; viewing and troubleshooting CodeQL scan results; using the show-paths experience to trace data flow; dismissing alerts with documented rationale; understanding compiled versus interpreted language analysis differences; defining SARIF categories.
• 6.Domain 6: Describe GitHub Advanced Security best practices (20%) — Using CVE and CWE classifications to describe and remediate alerts; documenting dismissal decisions; understanding default CodeQL query suites; enforcing CodeQL and Dependency Review workflows with Repository Rulesets; configuring severity thresholds for pull request status checks; shifting detection left via push protection and PR-triggered scans.
• 7.Domain 7: Configure GitHub Advanced Security tools in GitHub Enterprise (10%) — Administering GHAS at the enterprise and organization level; managing policy enforcement across repositories; configuring organization-wide Dependabot, secret scanning, and code scanning settings; understanding the differences in feature availability between GHEC and GHES deployments.

• Work through the official Microsoft Learn training course GH-500T00-A: GitHub Advanced Security, which is structured directly around the seven exam domains. Do not skip the hands-on exercises — the exam includes interactive components that require practical configuration skills, not just conceptual recall.
• Enable GHAS features on a real GitHub repository (a free personal account with a public repo works for secret scanning and code scanning). Practice enabling Dependabot alerts, writing a dependabot.yml configuration file, creating a Dependency Review Actions workflow, and triggering CodeQL scans on pull requests to build procedural muscle memory.
• Study the official GH-500 study guide at aka.ms/GH500-StudyGuide carefully. Each bullet point in the study guide is a testable objective. Pay particular attention to Domain 3 (Dependabot and Dependency Review, 15% weight on cert page but historically the most detailed domain), Domain 5 (CodeQL, 20%), and Domain 6 (best practices, 20%) — together these account for over half the exam.
• Take the free Microsoft Learn practice assessment (accessible from the official certification page) at least twice: once early to identify knowledge gaps, and again after studying to gauge readiness. Review every incorrect answer against the official GitHub documentation, not third-party sources, to ensure accuracy.
• Master the distinction between Dependabot alerts, Dependabot security updates, and Dependency Review — these three features are frequently confused and the exam tests precise knowledge of when each applies, the permissions required to view or enable them, and how they differ in pull request versus repository contexts.
• Learn how to read and modify CodeQL GitHub Actions workflow YAML files. Know the difference between the default and extended CodeQL query suites, how to add custom queries, and how to configure scan triggers (on: push, pull_request, schedule). Understand why CodeQL handles compiled languages differently from interpreted ones.
• Review how Repository Rulesets can enforce CodeQL and Dependency Review workflows as required status checks. Understanding enforcement mechanisms at the repository, organization, and enterprise level is tested in Domain 7 and referenced in Domain 6's best practices objectives.

Professionals holding the GH-500 certification are positioned for roles such as DevSecOps engineer, application security engineer, GitHub Enterprise administrator, and security-focused software developer. As software supply chain security has become a regulatory and enterprise priority — driven by executive orders, frameworks like SLSA, and incidents targeting dependency ecosystems — the ability to operationalize GHAS tools within existing GitHub workflows is a differentiated and in-demand skill. The certification is relevant across both enterprise cloud environments (GitHub Enterprise Cloud) and self-hosted deployments (GitHub Enterprise Server), broadening its applicability across industries.

Because the credential is issued by GitHub (administered via Microsoft) rather than a generic cloud provider, it signals specific platform expertise to employers already standardized on GitHub for source control and CI/CD. It complements adjacent certifications such as GitHub Actions (GH-200), GitHub Administration (GH-700), and Microsoft's AZ-500 (Azure Security Engineer) for professionals building a security specialization. The two-year validity period requires periodic renewal, keeping certified professionals current with an actively evolving product.