Microsoft · GH-500
Validates expertise in configuring, managing, and operating GitHub Advanced Security tools including code scanning, secret scanning, and dependency management to secure software development workflows.
Questions
299
Duration
100 minutes
Passing Score
Not publicly disclosed
Difficulty
IntermediateLast Updated
Jan 2025
Use this GH-500 practice exam to prepare for GitHub Advanced Security (GH-500) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 299 questions for Microsoft GH-500, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as GHAS Security Features, Secret Scanning, Dependabot & Dependency Review, Code Scanning with CodeQL, and Security Best Practices. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The GitHub Advanced Security (GH-500) certification validates proficiency in configuring, managing, and operationalizing the full suite of GitHub Advanced Security (GHAS) tools to secure modern software development workflows. Candidates demonstrate mastery across three core security pillars: secret scanning (including push protection and custom patterns), dependency management via Dependabot and Dependency Review, and automated code analysis using CodeQL and third-party SARIF-compatible tools. The exam also covers Security Overview, alert management, and enforcement of security policies through Repository Rulesets and GitHub Actions workflows.
The certification is maintained by GitHub and administered through Microsoft's Pearson VUE testing infrastructure. It was updated in 2025 to reflect a revised seven-domain structure, expanding coverage of GitHub Enterprise configuration and sharpening the weight given to best practices and corrective measures. Holding this credential demonstrates the ability to shift security left—embedding automated vulnerability detection directly into the development lifecycle rather than treating it as a post-deployment concern. The certification is valid for two years from the date of achievement.
The GH-500 exam targets system administrators, software developers, application administrators, and IT professionals who work with GitHub Enterprise Cloud (GHEC) or GitHub Enterprise Server (GHES) and are responsible for securing codebases at scale. Ideal candidates include DevSecOps engineers integrating security gates into CI/CD pipelines, application security specialists managing organizational vulnerability programs, and GitHub administrators enforcing repository and organization-level security policies.
Candidates should have hands-on experience enabling and configuring GHAS features across repositories and organizations, familiarity with GitHub Actions workflows, and an understanding of software supply chain security concepts including dependency graphs, SBOMs, and CVE/CWE classification. The intermediate difficulty level assumes prior GitHub platform experience; this is not an entry-level credential.
Microsoft does not list formal prerequisites for GH-500, but the official audience profile specifies intermediate-level experience with GitHub Enterprise Administration. Candidates are expected to understand GitHub's repository, organization, and enterprise permission model before attempting the exam, as access control questions appear across multiple domains.
Recommended preparation includes practical experience enabling GHAS features on private repositories, working knowledge of GitHub Actions (creating and modifying workflow YAML files), familiarity with CodeQL query suites and SARIF output formats, and experience interpreting Dependabot alerts and dependency graphs. Completing the official Microsoft Learn training course GH-500T00-A: GitHub Advanced Security provides structured coverage of all exam objectives and is the primary recommended prerequisite resource.
The GH-500 exam is delivered through Pearson VUE and includes a 100-minute time limit. The exam is proctored and may include interactive lab components in addition to standard multiple-choice and scenario-based questions. Candidates can experience the question interface in advance via the official exam sandbox at GHCertDemo.starttest.com before scheduling.
The exam is available in English, Spanish, Portuguese (Brazil), Korean, and Japanese. Pricing is approximately $99 USD, varying by country or region of testing. No official passing score is published on the Microsoft Learn certification page; third-party sources cite 700/1000 as a commonly reported threshold, but this should be verified against official communications at time of registration. If a candidate fails, a retake is permitted 24 hours after the first attempt; subsequent retake wait times vary per Microsoft's standard retake policy. A free practice assessment is available on Microsoft Learn (assessment ID 590484996).
Professionals holding the GH-500 certification are positioned for roles such as DevSecOps engineer, application security engineer, GitHub Enterprise administrator, and security-focused software developer. As software supply chain security has become a regulatory and enterprise priority — driven by executive orders, frameworks like SLSA, and incidents targeting dependency ecosystems — the ability to operationalize GHAS tools within existing GitHub workflows is a differentiated and in-demand skill. The certification is relevant across both enterprise cloud environments (GitHub Enterprise Cloud) and self-hosted deployments (GitHub Enterprise Server), broadening its applicability across industries.
Because the credential is issued by GitHub (administered via Microsoft) rather than a generic cloud provider, it signals specific platform expertise to employers already standardized on GitHub for source control and CI/CD. It complements adjacent certifications such as GitHub Actions (GH-200), GitHub Administration (GH-700), and Microsoft's AZ-500 (Azure Security Engineer) for professionals building a security specialization. The two-year validity period requires periodic renewal, keeping certified professionals current with an actively evolving product.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 299 questions.
Preview — answers shown1. TechGuard Enterprises has enabled secret scanning and discovered several exposed GitHub personal access tokens in their repositories. The security team needs to understand the appropriate response procedures for different types of exposed credentials. They want to establish standardized incident response procedures for various secret types. What should be their response procedure for exposed GitHub personal access tokens?
Explanation
TechGuard should immediately delete the compromised GitHub personal access token, create a new token, and update any services that use the old token. This is GitHub's recommended response procedure for exposed GitHub personal access tokens. Once a token has been committed to a repository, it should be considered compromised regardless of repository visibility, as multiple parties may have access to the repository or its history. The response must include revoking the exposed credential to prevent unauthorized access, generating a replacement token, and updating all systems and services that depend on the credential. This complete remediation process ensures that the exposed credential cannot be used maliciously while maintaining necessary functionality through the replacement token.
2. CloudArchitect Solutions is implementing CodeQL for their microservices platform and needs to understand when to use the --no-run-unnecessary-builds parameter in their database creation process. For which programming languages should they apply this parameter to optimize their build process?
Explanation
CloudArchitect Solutions should use the --no-run-unnecessary-builds parameter for Python and JavaScript/TypeScript because these interpreted languages don't require CodeQL to monitor the build process. This parameter suppresses the build command for languages where the CodeQL CLI doesn't need to monitor compilation, improving performance and avoiding unnecessary build steps. For compiled languages like C++, C#, and Java, CodeQL needs to monitor the build process to capture compilation details, so this parameter shouldn't be used. The parameter is specifically designed to optimize the analysis process for interpreted languages while maintaining proper analysis for compiled languages.
3. TechFlow Corp has a multi-language repository with Java, Python, and JavaScript code. They want to optimize their CodeQL analysis by understanding how database creation works for different languages. The development team needs to know when to use the --command option during database creation. In which scenario is the --command option required?
Explanation
The --command option is required when creating CodeQL databases for compiled languages that need specific build commands. For compiled languages like Java or C++, CodeQL needs to monitor the build process to extract accurate information about how the compiler processes source files. The --command option specifies the build command that CodeQL should monitor during database creation. For interpreted languages like Python and JavaScript, the extractor runs directly on source code without requiring build commands, so --command is not needed. Database clustering and result uploading are separate operations that don't use the --command option.
4. TechCorp wants to understand the different levels of control they can implement for their GitHub security policies. They operate in a regulated industry and need to balance security requirements with developer productivity. For organizations with strict compliance requirements like SOC 2 and ISO 27001, what security control level should they implement?
Explanation
Organizations with strict compliance requirements like SOC 2 and ISO 27001 should implement high control security policies. This includes enforcing SAML SSO and 2FA for strong authentication, restricting repository visibility and forking to protect intellectual property, requiring mandatory PR approvals for code review, preventing force pushes to maintain audit trails, and implementing CI/CD security checks for automated compliance validation. While this level of control may impact developer productivity, it ensures that TechCorp meets regulatory requirements and maintains the security posture necessary for compliance certifications in regulated industries.
5. DataCorp's development team received a Dependabot alert for a critical vulnerability in their web application's authentication library. The alert indicates the vulnerability could allow unauthorized access. What should be the developer's immediate response to this security alert?
Explanation
When developers discover a security alert, especially for critical vulnerabilities affecting authentication, they should immediately assess the vulnerability's impact on their specific application and create a remediation plan. This includes understanding how the vulnerable component is used, whether the vulnerability affects their code paths, and determining the urgency of the fix. The developer should then coordinate with the security team if needed and prioritize updating or replacing the vulnerable dependency. Ignoring alerts or disabling security features increases risk and violates security best practices.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam