GitHub Advanced Security Certification - Overview and Study Guide

After the GitHub Actions certification, I decided to continue my GitHub certification journey with the GitHub Advanced Security exam. This certification was a way for me to learn more about the different features that GitHub offers to improve the quality and security of code.

At the time of writing, GitHub certifications are only available to GitHub Employees, Microsoft Employees, GitHub Channel & Services Partners, and select Microsoft Partners. Because of this, there is only limited information available online, and few resources, to help you prepare and learn about the exam.

In this post, I will share my experience with the exam and provide some resources and tips that I found useful while preparing for the exam.

Exam details

Most of the information about GitHub certification exams is available on the GitHub Certification Program FAQs page.

Here is a summary:

  • The exam is 120 minutes long.
  • The exam consists of around 73 multiple-choice questions, of which only 60 are scored and contribute to your final score.
  • The exam can be taken online (proctored, available through PSI) or in person (available at select testing centers).
  • An official passing score is not provided.
  • You can reschedule or cancel your exam up to 48 hours before your scheduled exam time.
  • If you fail the exam, you must wait 24 hours before attempting the first retake. After that, you must wait 14 days between each consecutive retake. There is a limit of 5 total attempts.

Passing the exam will grant you the GitHub Advanced Security certification, and a badge and a certificate from Credly. The certification is valid for 3 years.

A results report will be available immediately after completing the exam. It includes an overall score that shows you how many answers you got right, and a breakdown of your score by topic, to help you identify the areas where you need to improve.

Like my previous GitHub Actions exam, I took the exam online with PSI and did not encounter any issues during the exam and check-in process. The check-in procedure is similar to that of other proctored certification exams: you will need to provide a valid identification document, and then the proctor will ask you to use the webcam of your PC to show them the room where you will be taking the exam. To learn more about the requirements for taking the exam online and the check-in process, check out the PSI website.

What is the exam about?

The GitHub Advanced Security certification exam tests your knowledge of the various features of GitHub Advanced Security (GHAS), like code scanning and CodeQL, secret scanning, Dependabot, and more.

Specifically, the exam topics are organized in the following domains:

  • Describe the GitHub Advanced Security features and functionality (10% - around 7 questions)
  • Configure and use secret scanning (10% - around 7 questions)
  • Configure and use dependency management (15% - around 11 questions)
  • Configure and use code scanning (15% - around 11 questions)
  • Use code scanning with CodeQL (20% - around 15 questions)
  • Describe GitHub Advanced Security best practices, results, and how to take corrective measures (20% - around 15 questions)
  • Configure GitHub Advanced Security tools in GitHub Enterprise (10% - around 7 questions)

The official exam guide provides a more detailed breakdown of the topics covered in the exam. You can find the exam guide linked on the exam page.

The description of the exam states:

This exam measures your ability to accomplish the following technical tasks: configure and use secret scanning, dependency management, and code scanning; use code scanning with CodeQL; describe GitHub Advanced Security best practices, results, and how to take corrective measures; and configure GitHub Advanced Security tools in GitHub Enterprise.

The exam seems to focus more on administrative tasks (e.g., enabling and configuring features, setting up policies, understanding the roles and permissions required to use the features, managing alerts, etc.) than on development aspects. For example, you should know how to configure code scanning in a workflow, but you’re not required to write custom CodeQL queries.

Based on the exam description and the modules of the Microsoft Learn path dedicated to the certification, before taking the exam you should be familiar with topics like:

  • Describing the different features of GHAS and the purpose of each feature.
  • Enabling and configuring GHAS features for individual repositories or across organizations, and knowing under which sections of the GitHub UI you can do that.
  • The main security best practices that GHAS helps you enforce (e.g., shifting left, keeping dependencies up to date, setting up security policies, etc.).
  • The permissions required to enable and interact with GHAS features (e.g., who can view and manage code scanning alerts, who receives Dependabot alerts notifications, etc.).
  • The default settings and default file names used by GHAS for public and private repositories (e.g., `.github/dependabot.yml` for Dependabot version updates and the default `.github/workflows/codeql.yml` workflow generated when you set up code scanning).
  • What code scanning and CodeQL are, what different file extensions are used by CodeQL, and how to configure CodeQL in CI/CD workflows.
  • Configuring and interacting with Dependabot (e.g., configuring version updates, using Dependabot commands on pull requests, etc.).

Hands-on experience with GHAS is not required, but it is recommended.

What are the prerequisites?

The exam expects you to have a general understanding of GitHub Actions, which are required to set up code-scanning workflows. You should know the structure of a workflow, how to configure triggers, what matrix strategies are, and how to use actions from the marketplace. You don’t need to be an expert but should be familiar with the basic concepts and syntax. You don’t need to know how to write custom actions.

Resources

There are some resources available online, but only a few are targeted specifically at the GitHub Advanced Security certification exam.

The main resource for preparing for the exam is the Microsoft Learn path. It’s the official learning path provided by GitHub, and it covers all the exam topics. This collection consists of several modules, each containing multiple web pages exploring a specific topic. Each module also contains a set of review questions that you can use to test your knowledge, and also a hands-on exercise that you can try out on your GitHub account.

Another important resource is the GitHub documentation. The documentation is not specifically targeted at the exam, but it is the ultimate source of information about everything related to GitHub. It contains sections dedicated to security, code scanning, Dependabot, secret scanning, and other GitHub Advanced Security features. The documentation is also a great resource for learning about the different features of GitHub Actions, which are required to set up code-scanning workflows.

If you like to study using video courses, some videos on YouTube provide a high-level overview of GitHub Advanced Security, for example:

While not strictly required for the exam, learning how to write CodeQL queries can give you a better understanding of how code scanning and CodeQL work. Here are some recorded sessions of workshops provided by GitHub:

Finally, on GitHub Skills you can find more hands-on exercises related to security that you can try on your GitHub account.

Strategies for preparing for the exam

Here are some strategies that I found helpful while preparing for the exam.

Follow the Microsoft Learn path

The Microsoft Learn path dedicated to the GitHub Advanced Security certification exam is the most important resource for preparing for the exam, and it covers all the exam topics. It’s the official learning path provided by GitHub, and it’s the best place to start. You can also review it before taking the exam, to refresh your memory and check if there are any topics that you missed.

Get hands-on practice

The exam consists only of multiple-choice questions, and there are no practical tasks or coding exercises. However, getting hands-on practice is fundamental for consolidating your knowledge and understanding of the different features of GHAS. Being able to remember how I used the different features in my repositories helped me a lot during the exam.

The best way to get hands-on practice is to try out the different features of GitHub Advanced Security on one of your repositories. Most of the features are available for free on public repositories, so you can start by creating a new public repository and enabling the features that you want to try out.

The Microsoft Learn path modules also contain some hands-on activities that you can try out on your GitHub account. You can find additional exercises related to security from GitHub on GitHub Skills.

Practice your test-taking skills

Practicing your test-taking skills is important for the GitHub Advanced Security certification exam, as it is with many other certification exams. The exam is 120 minutes long and consists of around 73 multiple-choice questions. This means you will have less than two minutes to answer each question. If you learn to manage your time effectively, you should have no problem completing the exam with plenty of time to spare. Additionally, practicing your test-taking skills will help you identify keywords in the text of the questions more quickly, which will help you answer the questions more accurately.

You can improve your test-taking skills by practicing reading and identifying keywords in the text of the questions. If you have taken other certification exams before, you should already be familiar with some of the strategies for improving your test-taking skills.

Unfortunately, at the time of writing, no practice tests are available for this exam. As an alternative, I highly recommend checking out the GitHub Certified website created by Aleksander Fidelus. It’s a community website dedicated to helping people prepare for all the GitHub certification exams. It contains a set of (unofficial) practice questions for the GitHub Advanced Security exam, which can help you get a better understanding of the topics covered in the exam and improve your test-taking skills. You can also find a list of study resources. The website code is also open-source, so everyone can help improve the questions or add new ones by contributing to the GitHub repository.

Try to answer by elimination

All the exam questions are multiple-choice, so you won’t find other types of questions, such as fill-in-the-blank, drag-and-drop questions, or hands-on exercises.

With this type of question, one strategy you can use is to try to answer the questions by elimination. If you aren’t sure about the answer to a question, try to eliminate the wrong answers first. This will help you narrow down the possible options and increase your chances of getting the right answer.

There is no penalty for wrong answers, so you should always try to answer all the questions.

Schedule the exam as soon as possible

Try to schedule the exam as soon as possible. Setting a deadline will help you stay motivated and focused on your study plan!

Conclusion

In conclusion, taking the GitHub Advanced Security exam was a rewarding experience for me. It helped me learn new things about GHAS and consolidate my knowledge of its features and best practices.

The exam is not very difficult, as it covers a limited number of topics. However, it is crucial to gain practical experience with the various GHAS features and improve your test-taking skills before attempting the exam.

I hope you found this article helpful, and good luck with your exam! 🤞

If you have any questions or feedback, feel free to contact me!