Week Two: Managing Securely [GitHub Administration Certification Prep Course]

[queenofcorgis]

Welcome to week two of the GitHub Administration Exam prep! Great job on completing Week One! And don’t worry, if you haven’t done it yet, you can always start at the beginning and catch up with us. Remember that you can always ask questions and chat with your fellow certification study group here.

As a thank you for participating in these discussions, we’ll be awarding 15 GitHub Certification exam vouchers to members who engage with us during the course.

Step One: Prep 📚

We’ve assembled some materials for this first section.

• Microsoft Learn Modules
  • Maintain a secure repository by using GitHub best practices
  • Manage sensitive data and security policies within GitHub
• Further reading and resources:
  • Repository rulesets best practices
  • Custom properties best practices
• Video
  • Managing your enterprise, organization and repos on GitHub
• Hands on learning
  • GitHub Skills: Secure your repository's supply chain

Step Two: Test Your Knowledge ⚡

Question One: What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators when they are detected?
A) Dependabot
B) Code scanning
C) Secret scanning
D) Issue templates

Question Two: What is the primary purpose of enabling branch protection rules in a repository?
A) To allow anyone to push changes to the default branch
B) To enforce code review and prevent unauthorized changes
C) To automatically delete inactive branches
D) To increase repository visibility in the organization

Question Three: What does Dependabot automatically do in a repository to help maintain security?
A) Deletes unused branches to prevent confusion
B) Schedules code reviews to ensure code is meeting policy standards
C) Creates pull requests to update dependencies with security vulnerabilities
D) Manages organization billing on actions

Question Four: What should an administrator do when a security automation tool finds a secret (such as an API key) in a repository?

A) Remove the secret from the repository and rotate it
B) Share the secret with team members
C) Ignore the alert
D) Make the repository internal

Question Five: What is a recommended best practice for the contents of a SECURITY.md file?
A) Include instructions for reporting security vulnerabilities
B) List all organization members who are a security risk
C) Describe recent security breaches
D) Provide passwords, SSH keys, and other login/authentication information

Question Six: After removing sensitive data from the repository history, what must be done to prevent others from accessing the previous data?
A) Archive the repository and start over
B) Notify GitHub Support and share your logs with them
C) Enable branch protection rules and advise all contributors to re-clone the repository
D) Force-push the rewritten history and advise all contributors to re-clone the repository

Question Seven: What is a key benefit of using GitHub’s audit log features in an enterprise environment?
A) It increases repository storage limits and Dependabot capabilities
B) It provides a record of important events for security and compliance monitoring
C) It automates code reviews for Enterprise Admins
D) It enables automatic pull request approvals

Jump to the comments to view the answers when you are ready.

Use the discussion below to share additional study resources, ask questions, and respond to our prep questions.

*No Purchase Necessary. Open only to Github community members 18+. Game ends 11/1/25. For details, see Official Rules.

[paulsuv9]

✅ Week Two Knowledge Check – GitHub Admin Prep (With Rationale)

Posting my answers for Week Two, along with brief reasoning:

1. C) Secret scanning
   → GitHub’s native feature for detecting exposed secrets like API keys and alerting admins.

2. B) To enforce code review and prevent unauthorized changes
   → Branch protection rules ensure governance and code integrity.

3. C) Creates pull requests to update dependencies with security vulnerabilities
   → Dependabot automates patching of vulnerable packages via PRs.

4. A) Remove the secret from the repository and rotate it
   → Immediate remediation is key—removal plus rotation prevents exploitation.

5. A) Include instructions for reporting security vulnerabilities
   → SECURITY.md guides responsible disclosure, not breach documentation.

6. D) Force-push the rewritten history and advise all contributors to re-clone the repository
   → Ensures sensitive data is purged and contributors sync to the clean state.

7. B) It provides a record of important events for security and compliance monitoring
   → Audit logs are essential for traceability in enterprise environments.

Looking forward to building on this in Week Three and seeing how others are approaching repo lifecycle and policy enforcement.

[fradel]

C) Secret scanning
B) To enforce code review and prevent unauthorized changes
C) Creates pull requests to update dependencies with security vulnerabilities
A) Remove the secret from the repository and rotate it
A) Include instructions for reporting security vulnerabilities
D) Force-push the rewritten history and advise all contributors to re-clone the repository
B) It provides a record of important events for security and compliance monitoring

[anukalp2804]

Question One: What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators?
Answer: C) Secret scanning

Question Two: What is the primary purpose of enabling branch protection rules in a repository?
Answer: B) To enforce code review and prevent unauthorized changes

Question Three: What does Dependabot automatically do in a repository to help maintain security?
Answer: C) Creates pull requests to update dependencies with security vulnerabilities

Question Four: What should an administrator do when a security automation tool finds a secret in a repository?
Answer: A) Remove the secret from the repository and rotate it

Question Five: What is a recommended best practice for the contents of a SECURITY.md file?
Answer: A) Include instructions for reporting security vulnerabilities

Question Six: After removing sensitive data from the repository history, what must be done to prevent others from accessing the previous data?
Answer: D) Force-push the rewritten history and advise all contributors to re-clone the repository

Question Seven: What is a key benefit of using GitHub’s audit log features in an enterprise environment?
Answer: B) It provides a record of important events for security and compliance monitoring

[jccampanero]

Thank you very much for these new week course materials.

Wow! I was unaware of the well-architected site in Github! Awesome stuff! Thank you very much for sharing.

These are my answers:

Question One: What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators when they are detected?
A) Dependabot
B) Code scanning
C) Secret scanning
D) Issue templates

Question Two: What is the primary purpose of enabling branch protection rules in a repository?
A) To allow anyone to push changes to the default branch
B) To enforce code review and prevent unauthorized changes
C) To automatically delete inactive branches
D) To increase repository visibility in the organization

Question Three: What does Dependabot automatically do in a repository to help maintain security?
A) Deletes unused branches to prevent confusion
B) Schedules code reviews to ensure code is meeting policy standards
C) Creates pull requests to update dependencies with security vulnerabilities
D) Manages organization billing on actions

Question Four: What should an administrator do when a security automation tool finds a secret (such as an API key) in a repository?
A) Remove the secret from the repository and rotate it
B) Share the secret with team members
C) Ignore the alert
D) Make the repository internal

Question Five: What is a recommended best practice for the contents of a SECURITY.md file?
A) Include instructions for reporting security vulnerabilities
B) List all organization members who are a security risk
C) Describe recent security breaches
D) Provide passwords, SSH keys, and other login/authentication information

Question Six: After removing sensitive data from the repository history, what must be done to prevent others from accessing the previous data?
A) Archive the repository and start over
B) Notify GitHub Support and share your logs with them
C) Enable branch protection rules and advise all contributors to re-clone the repository
D) Force-push the rewritten history and advise all contributors to re-clone the repository

Question Seven: What is a key benefit of using GitHub’s audit log features in an enterprise environment?
A) It increases repository storage limits and Dependabot capabilities
B) It provides a record of important events for security and compliance monitoring
C) It automates code reviews for Enterprise Admins
D) It enables automatic pull request approvals

I must recognize that the GHAS course we previously took has been of great help this week...

I look forward to the next week's contents.

[paulsuv9]

Great to see your answers, @jccampanero—and totally agree on the GHAS course. It really helped frame the security automation concepts this week. Curious to hear how you’re planning to approach repo lifecycle and policy enforcement in Week Three.

[mvark]

My answers with links to the GitHub documentation -

1 C) GitHub's Secret scanning feature is designed to scan code for secrets such as API keys, passwords, or other sensitive information. When it detects such secrets, it alerts administrators so they can take appropriate action to secure their repositories.

2 B) Branch Protection Rules help maintain code quality and security by enforcing certain rules and restrictions on how changes can be made to important branches (typically main/master branch). By default, the restrictions of a branch protection rule don't apply to people with admin permissions to the repository or custom roles with the "bypass branch protections" permission.

3 C) Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. Make sure to review and test the pull requests created by Dependabot before merging them, as updating dependencies can sometimes break your code.

4 A) When a security automation tool finds a secret, such as an API key, in a repository, it's a serious security vulnerability. Revoke and/or rotate that secret.

5 A) A SECURITY.md file is a standard markdown file used to provide security-related guidance for a project. The primary purpose is to create a clear, accessible process for responsible security vulnerability disclosure.

6 D) After removing sensitive data from the repository history, force-push the rewritten history and advise all contributors to re-clone the repository

7 B) GitHub's audit log is a crucial security and compliance feature for enterprise environments that records and tracks important actions and changes across an organization.

[paulsuv9]

Thanks for the detailed breakdown and links, @mvark—really appreciate the clarity. Your explanation around audit logs and branch protection rules helped reinforce some of the enterprise-level implications I’ve been tracking. Looking forward to your take on Week Three!

[salahtidur]

my answers are:

1. C) Secret scanning

2. B) To enforce code review and prevent unauthorized changes

3. C) Creates pull requests to update dependencies with security vulnerabilities

4. A) Remove the secret from the repository and rotate it

5. A) Include instructions for reporting security vulnerabilities

6. D) Force-push the rewritten history and advise all contributors to re-clone the repository

7. B) It provides a record of important events for security and compliance monitoring

[paulsuv9]

Nice work on the answers, @salahtidur—looks like you’ve got a solid handle on the Week Two material. Looking forward to seeing how you approach the next module!

[johnnieng]

Here are my answers:

Question 1
What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators?

A) Dependabot
Monitors for vulnerable dependencies, not hardcoded secrets.

B) Code scanning
Analyzes code for security vulnerabilities using static analysis.

C) Secret scanning
Correct. GitHub’s Secret scanning feature automatically detects and alerts on sensitive data such as API keys, tokens, and passwords in repositories.​

D) Issue templates
Used for issue reporting, not security scanning.

Answer: C – Secret scanning is the dedicated feature for detecting hardcoded secrets.​
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/introduction

Question 2
What is the primary purpose of enabling branch protection rules?

A) To allow anyone to push changes to the default branch
Opposite of the intended effect.

B) To enforce code review and prevent unauthorized changes
Correct. Branch protection rules enforce workflows such as requiring pull request reviews, status checks, and preventing force pushes or direct commits to critical branches.​

C) To automatically delete inactive branches
Not a function of branch protection.

D) To increase repository visibility
Unrelated.

Answer: B – Branch protection ensures changes are reviewed and prevents unauthorized modifications.​
https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches

Question 3
What does Dependabot automatically do to help maintain security?

A) Deletes unused branches
Beyond Dependabot’s scope.

B) Schedules code reviews
Not automated by Dependabot.

C) Creates pull requests to update dependencies with security vulnerabilities
Correct. When Dependabot detects a vulnerable dependency, it automatically opens pull requests to update it.​

D) Manages organization billing
Not related.

Answer: C – Dependabot creates pull requests to fix vulnerable dependencies.​
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

Question 4
What should an administrator do when a security tool finds a secret in a repository?

A) Remove the secret from the repository and rotate it
Correct. Best practice is to:

• Rotate the credential (invalidate and generate a new one)

• Remove the secret from the code and history if possible.​

B) Share the secret with team members
Increases risk of exposure.

C) Ignore the alert
Leaves security vulnerability unaddressed.

D) Make the repository internal
Does not fix the exposure—secret is still present.

Answer: A – Remove and rotate the secret to mitigate exposure.​
https://docs.github.com/en/code-security/secret-scanning/introduction/about-secret-scanning

Question 5
What is a recommended best practice for the contents of a SECURITY.md file?

A) Include instructions for reporting security vulnerabilities
Correct. SECURITY.md should clearly define how to report issues, including contact details (e.g., [email protected]) and disclosure policies.​

B) List members who are a security risk
Not appropriate or secure.

C) Describe recent security breaches
Better handled in public incident reports.

D) Provide passwords or keys
Violates security principles.

Answer: A – SECURITY.md should guide users on securely reporting vulnerabilities.​
https://blogs.eclipse.org/post/marta-rybczynska/securitymd-should-i-have-it

Question 6
After removing sensitive data from history, what must be done to secure the repository?

A) Archive the repository and start over
Not required.

B) Notify GitHub Support and share logs
Support may assist in removing cached views, but not the primary action.

C) Enable branch protection and re-clone
Branch protection doesn’t retroactively fix history.

D) Force-push the rewritten history and advise all contributors to re-clone
Correct. After rewriting history (e.g., using git filter-repo), you must force-push the changes and notify all collaborators to re-clone, as their local clones still contain the old data.​

Answer: D – Force-push and re-clone are essential to prevent continued access to old history.​
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

Question 7
What is a key benefit of using GitHub’s audit log in an enterprise?

A) Increases storage limits
Audit logs do not affect storage.

B) Provides a record for security and compliance monitoring
Correct. Audit logs track administrative and security events, enabling compliance audits, threat detection, and accountability.​

C) Automates code reviews
Not a function of audit logs.

D) Enables automatic pull request approvals
Contradicts security best practices.

Answer: B – Audit logs support compliance and real-time monitoring.​
https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization

[paulsuv9]

Appreciate the detailed rationale and links, @johnnieng—especially the breakdown around SECURITY.md and audit logs. Your framing helped reinforce some of the compliance angles I’ve been tracking. Looking forward to your take on Week Three!

[Misunhwang]

1. C
2. B
3. C
4. A
5. A
6. D
7. B

[queenofcorgis]

The answers are... click details to reveal them! Don't worry if you haven't had a chance to study yet, after you post your answers, check them against the ones below.

Question One: What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators when they are detected?
C) Secret scanning

Question Two: What is the primary purpose of enabling branch protection rules in a repository?
B) To enforce code review and prevent unauthorized changes

Question Three: What does Dependabot automatically do in a repository to help maintain security?
C) Creates pull requests to update dependencies with security vulnerabilities

Question Four: What should an administrator do when a security automation tool finds a secret (such as an API key) in a repository?

A) Remove the secret from the repository and rotate it

Question Five: What is a recommended best practice for the contents of a SECURITY.md file?
A) Include instructions for reporting security vulnerabilities

Question Six: After removing sensitive data from the repository history, what must be done to prevent others from accessing the previous data?
D) Force-push the rewritten history and advise all contributors to re-clone the repository

Question Seven: What is a key benefit of using GitHub’s audit log features in an enterprise environment?
B) It provides a record of important events for security and compliance monitoring

[Apexq]

1-)C
2-)B
3-)C
4-)A
5-)A
6-)D
7-)B

[niikwade]

Knowledge check for week 2 below.

Question One: What GitHub feature scans code for secrets such as API keys or passwords and alerts administrators when they are detected? **C) Secret scanning**

Question Two: What is the primary purpose of enabling branch protection rules in a repository?
B) To enforce code review and prevent unauthorized changes

Question Three: What does Dependabot automatically do in a repository to help maintain security?
C) Creates pull requests to update dependencies with security vulnerabilities

Question Four: What should an administrator do when a security automation tool finds a secret (such as an API key) in a repository?
A) Remove the secret from the repository and rotate it

Question Five: What is a recommended best practice for the contents of a SECURITY.md file?
A) Include instructions for reporting security vulnerabilities

Question Six: After removing sensitive data from the repository history, what must be done to prevent others from accessing the previous data?
D) Force-push the rewritten history and advise all contributors to re-clone the repository

Question Seven: What is a key benefit of using GitHub’s audit log features in an enterprise environment?
B) It provides a record of important events for security and compliance monitoring

[AICertGit]

C
B
C
A
A
D
B

thank you for new challenge

[AICertGit]

it is quite confusing when it comes into various scenarios and follow the same procedure for all team, even it technology is there, communication, understanding, coordination is still most important. revision is so confusing and risky

[AICertGit]

this is helpful to memorize for the action and this one has all the key cmmds

[git-cheat-sheet-education](https://education.github.com/git-cheat-sheet-education.pdf)https://[education.github.com/git-cheat-sheet-education.pdf](https://education.github.com/git-cheat-sheet-education.pdf)

[paulsuv9]

Thanks for sharing the cheat sheet, @AICertGit—really helpful for quick reference. Totally agree that coordination and communication are just as critical as the tools themselves. Looking forward to seeing how you approach Week Three!

[venusuni]

Question two: The main reason for enabling branch protection rules is to enforce code reviews and prevent unauthorized changes (b).

Question three:
Dependabot (c) helps keep repositories secure by automatically creating pull requests to update dependencies with known vulnerabilities.

Question four:
If a secret such as an API key is found in a repository, the administrator should remove it immediately and rotate the key (a).

Question five:
A security.md file should include clear instructions for reporting security vulnerabilities (a).

Question six:
After removing sensitive data from the repository’s history, you should force-push the cleaned history and tell all contributors to re-clone the repo (d).

Question seven:
A major benefit of GitHub’s audit log is that it keeps a record of important events for security and compliance monitoring (b).

[niikwade]

Unrelated question to week 2 study, but would love your thoughts on it nonetheless.

Would you advice someone who has recently completed a MSc IT, who aspires to be a security engineer, unemployed at the moment but studying and obtaining a number of certifications in cybersecurity, to get the GitHub Administration Certificate? I am studying to take the AZ-500 (having already taken the AZ-900, AI-900 and DP-900) and I think the GitHub Administration Certificate would completement the AZ-500. I am however wondering if the GitHub Administration Certificate isn't more suited for people who are already employed and use GitHub in their organization.

Thanks

[queenofcorgis]

@niikwade this signals practical security knowledge for a widely used platform and complements cloud security, but contextual experience is helpful for certain concepts. If you have the time and resources especially if you want to specialize in DevSecOps, AppSec, or cloud-native security then I say go for it.

I am not a security engineer, so I welcome those with more real world application to weigh in here!

[paulsuv9]

Great question, @niikwade. I’ve found the GitHub Admin cert valuable for reinforcing governance and automation patterns that complement cloud security tracks like AZ-500. If you’re aiming for DevSecOps or AppSec roles, this adds practical depth—especially around repo lifecycle and policy enforcement.

[niikwade]

Thanks for the reply @queenofcorgis - @paulsuv9 I appreciate you sharing your thoughts. Looks like I'll be getting it then 😊

[queenofcorgis]

We're halfway through the prep course - just a couple more modules until we reach the finish line! Join us in the Week Three discussion for more practice and prep!