Scenario-based practice for the GitHub Advanced Security (GH-500) exam domain 4.0 Security administration and permissions (15% of the exam), and the newer Domain 6 - Security Administration.
Part of Certy - practical, hands-on certification preparation. This repository belongs to the CertyPro org and pairs with certy-ghas-course-content.
Most learners preparing for GH-500 do not have access to a GitHub Enterprise account with GitHub Advanced Security (GHAS) enabled, an organisation owner role, or the ability to change org-wide security policy. That makes the Security administration and permissions domain hard to practise in a real environment.
This repository takes a decision and scenario based approach instead. You do not
need any special access. You fork the repository, read a realistic situation, then
write your recommendation as a Markdown file in your own answers/ folder. Each
scenario maps directly to one or more skills the exam tests.
- Fork this repository to your own account.
- Read a scenario in `scenarios/`.
- Create an `answers/` folder in your fork (it is git-ignored here so you start clean).
- Write your recommendation as `answers/<scenario-id>.md`, for example `answers/01-org-security-rollout.md`. Use the templates in `answer-templates/` to structure your response.
- Compare your answer against the reusable reference frameworks in `policies/` and the worked example in `answer-templates/01-org-security-rollout-worked-example.md`.
There is no automated grading. The value is in reasoning through the decision the way a security administrator would, then checking your reasoning against the frameworks.
The GH-500 objective domain 4.0 Security administration and permissions covers the following skills. Each row points to the scenarios that exercise it.
| Objective area | What it tests | Scenarios |
|---|---|---|
| Configure organisation-level security settings | Enabling GHAS features across many repos, default settings for new repos | 01, 07, 08 |
| Manage repository access and permissions | Read, triage, write, maintain, admin roles; least privilege | 02 |
| Manage team-based access and code ownership | Teams, nested teams, CODEOWNERS, required reviewers | 03 |
| Use the security manager role | What the role can and cannot do, when to assign it | 04 |
| Protect branches with rulesets and branch protection | Rulesets versus classic branch protection, required status checks | 05, 06 |
| Require code scanning before merge | Code scanning as a required status check, merge gating | 06 |
| Enforce secret scanning and push protection | Org-level secret protection policy, push protection, bypass controls | 07 |
| Configure Dependabot at org scale | Dependabot alerts, security updates, version updates defaults | 08 |
| Monitor security at scale | Security overview, alert trends, coverage and enablement views | 09 |
| # | Scenario | Focus |
|---|---|---|
| 01 | Org security rollout | Roll GHAS out to 30 repositories with sensible sequencing |
| 02 | Repository permissions review | Right-size read / triage / write / maintain / admin against least privilege |
| 03 | Team-based access | Teams, nested teams and CODEOWNERS for review and access |
| 04 | Security manager role | What the security manager role can and cannot do |
| 05 | Branch protection and rulesets | Rulesets versus classic branch protection |
| 06 | Required code scanning | Require code scanning results before a merge |
| 07 | Secret protection policy | Org-wide secret scanning and push protection enforcement |
| 08 | Dependabot policy | Org Dependabot alerts and security updates defaults |
| 09 | Enterprise security dashboard | Security overview, alert trends and coverage |
- `policies/` - reusable reference frameworks you can adapt for real work: an org security baseline, a repository security baseline, a GHAS rollout plan and an alert triage SLA.
- `answer-templates/` - templates to copy into your `answers/` folder, plus a fully worked example for scenario 01.
- `labs/README.md` - an index tying each scenario to its deliverable.
All under github.com/CertyPro:
- certy-ghas-course-content - the course notes behind these scenarios
- ghas-vulnerable-app-lab
- ghas-secret-protection-lab
- ghas-codeql-lab
- ghas-supply-chain-security-lab
- ghas-security-operations-scenarios
- ghas-remediation-playbook
The scenarios describe real GitHub Advanced Security behaviour as of mid 2026: the security manager role, organisation rulesets, required status checks for code scanning, organisation-level secret scanning and push protection, Dependabot defaults and the security overview dashboard. GitHub evolves quickly, so always confirm exact menu paths against the current GitHub documentation before relying on them in production.
See LICENSE. Content is provided for educational use.