🃏 GHAS Flashcards

Q: What is CodeQL?

A: GitHub's semantic code analysis engine. Treats code as data, uses queries (QL language) to find vulnerabilities and code patterns.

Q: What is push protection?

A: Blocks git push if it contains a detected secret. Prevents secrets from entering the repository. Part of secret scanning.

Q: What is the dependency graph?

A: Automatically maps all dependencies in a repository based on manifest files (package.json, requirements.txt, etc.).

Q: What is SARIF?

A: Static Analysis Results Interchange Format — standard JSON format for static analysis tool output. GitHub supports SARIF uploads.

Q: What is the difference between Dependabot alerts and security updates?

A: Alerts: notifications about vulnerabilities. Security updates: automatic PRs to fix vulnerable dependencies.

Q: What is a custom secret scanning pattern?

A: User-defined regex patterns to detect organization-specific secrets not covered by built-in patterns.

Q: What is the security overview?

A: Org-level dashboard showing code scanning, secret scanning, and Dependabot alert status across all repositories.

Q: What is dependency review?

A: A GitHub Actions workflow that checks PRs for newly introduced vulnerable dependencies and can block merge.

Q: What is an SBOM?

A: Software Bill of Materials — inventory of all components/dependencies in software. GitHub can export via dependency graph.

Q: How does CodeQL default setup work?

A: Automatically configures code scanning for supported languages. No workflow file needed. Uses GitHub-hosted analysis.