Q1
A financial services company is implementing GitHub Advanced Security for their new Go-based microservices application. The security team requires that any new dependency added to a pull request must be checked against a list of pre-approved licenses. If a non-approved license is detected, the pull request must be blocked from merging. Which GitHub feature and configuration should be used to enforce this policy?
Q2
Multiple answers
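For reference while working through the question, here is an added example (not part of the original quiz) of the shape such an enforcement workflow takes: the `actions/dependency-review-action` run on pull requests, with its `allow-licenses` input set to an assumed SPDX allow-list. Blocking the merge is a second step this file cannot do on its own: the "Dependency review" job must also be made a required status check in the branch protection rule or ruleset for the target branch.

```yaml
# Added example workflow; the license list and job name are assumptions, not from the page.
name: Dependency review
on: [pull_request]

permissions:
  contents: read        # needed to read the dependency graph diff of the PR

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Only dependencies introduced or changed in this PR are checked.
          # Any new dependency whose license is outside this SPDX list fails the check.
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause
          # Optional: also fail on newly introduced vulnerable packages of this severity or higher.
          fail-on-severity: high
```

The action compares the dependency graph of the base and head commits, so the dependency graph must be enabled for the repository (Go modules are a supported ecosystem). Because it only inspects the diff, dependencies that were already present before the PR are not re-evaluated.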
A DevOps team manages a large monorepo containing multiple microservices, each in its own directory with a different package ecosystem (e.g., `/app-a` uses npm, `/app-b` uses Maven, `/app-c` uses pip). The team wants to enable Dependabot security updates but is concerned about being overwhelmed by pull requests. They want to group all npm updates and all Maven updates into separate, single weekly pull requests. How should the `dependabot.yml` file be configured to achieve this? (Select TWO)
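As an added example (not part of the original quiz), the following `dependabot.yml` shows the grouping mechanism the question is about: one `updates` entry per directory and ecosystem, each on a weekly schedule, with a `groups` block that collects every dependency of that ecosystem into a single pull request. Directory names follow the question; the group names are assumptions.

```yaml
# Added example; group names are assumptions. Lives at .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/app-a"
    schedule:
      interval: "weekly"
    groups:
      npm-all:
        # "*" matches every dependency, so all npm updates land in one PR
        patterns:
          - "*"
        # Grouping applies to version updates by default; this key extends it
        # to Dependabot security updates as well.
        applies-to: security-updates

  - package-ecosystem: "maven"
    directory: "/app-b"
    schedule:
      interval: "weekly"
    groups:
      maven-all:
        patterns:
          - "*"
        applies-to: security-updates

  - package-ecosystem: "pip"
    directory: "/app-c"
    schedule:
      interval: "weekly"
    # No groups block: pip updates still arrive as one PR per dependency.
```

A group never spans ecosystems or `updates` entries, which is why npm and Maven must each carry their own `groups` block. A practitioner should also confirm that Dependabot security updates are enabled in the repository settings; the file configures how updates are batched, not whether they run.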
Q3
A security engineer is troubleshooting a CodeQL workflow for a compiled language (Java) that runs successfully on pushes to the `main` branch but fails consistently on pull requests from feature branches. The error occurs during the `Initialize CodeQL` step. The workflow is triggered by `on: [push, pull_request]`. What is the most probable reason for this discrepancy?
Q4
True or False: When secret scanning push protection is enabled for a repository, a user with admin permissions can push a commit containing a detected secret without bypassing the protection.
Q5
An organization wants to enforce a policy where all pull requests targeting the `main` branch must have a successful CodeQL analysis and a successful Dependency Review check before they can be merged. No administrator should be able to override this requirement. What is the most effective way to implement this strict enforcement?
Q6
A developer working on a public open-source project receives a Dependabot alert for a high-severity vulnerability in a transitive dependency. However, there is no direct patch available for the vulnerable package yet. What is the most appropriate first step for the developer to take?
Q7
A company uses a proprietary, internally-developed static analysis tool that generates security reports in a custom JSON format. They want to integrate these results into the GitHub Security tab alongside findings from CodeQL. What is the correct sequence of steps to achieve this?
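As an added example (not part of the original quiz), the workflow below shows the integration step that question asks about: after a conversion step (the `convert-to-sarif.sh` script is a hypothetical placeholder for the company's own converter), the resulting SARIF file is uploaded with `github/codeql-action/upload-sarif`, which populates the Security tab next to CodeQL findings.

```yaml
# Added example; the converter script, file name and category value are assumptions.
name: Upload internal SAST results
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to write code scanning alerts

jobs:
  internal-sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical: run the proprietary tool and translate its custom JSON
      # into SARIF 2.1.0. GitHub only accepts SARIF, never the custom format.
      - name: Run internal scanner and convert to SARIF
        run: ./tools/convert-to-sarif.sh > internal-sast.sarif

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: internal-sast.sarif
          # A distinct category keeps these results separate from the CodeQL
          # analysis so the two uploads do not overwrite each other's alerts.
          category: internal-sast
```

Two checks worth making before relying on this: the SARIF output must contain a `tool.driver.name` and rule identifiers for alerts to be grouped sensibly, and the upload must carry a `category` unique to this tool whenever more than one SARIF file is uploaded for the same commit.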
Q8
What is the primary difference between how CodeQL analyzes a compiled language like C# and an interpreted language like Python?
Q9
The Security Overview dashboard provides a high-level view of an organization's security posture. Which information is available on this dashboard?
Q10
A security team is reviewing a recent surge of secret scanning alerts. They notice many alerts are for secrets that have already been revoked. To improve their response efficiency, they want to prioritize alerts for secrets that are confirmed to be active. Which feature should they use?