The System for Cross-domain Identity Management (SCIM) protocol automates the user identity lifecycle between an identity provider (IdP) and a service provider like GitHub. When a user is added to the IdP, SCIM provisions them in the GitHub organization (D). If a user's attributes (e.g., name, email) are updated in the IdP, SCIM synchronizes these changes to their GitHub profile (A). When a user is removed from the IdP, SCIM de-provisions them by deactivating their GitHub account and removing them from the organization, ensuring access is revoked promptly (B). This automates user onboarding, updates, and offboarding.

C. SCIM manages user identities and their access, not organizational assets like repositories. Deleting repositories is a separate administrative action unrelated to user provisioning.

E. SCIM is a protocol for identity management (provisioning/de-provisioning), not for generating authentication tokens for API access. Authentication is handled by other protocols like SAML or OAuth.

F. While SCIM can manage team membership, which indirectly affects permissions, it does not directly configure granular repository-level permissions (e.g., read, write, admin).

1. GitHub Docs

"About SCIM": "With SCIM

you can automate the exchange of user identity information between systems... For example

you can automatically provision a new employee's account and grant them access to various tools like GitHub." This supports option D. The document also states

"When an employee leaves the company and you deprovision their account

this change can automatically propagate to the connected systems

deactivating the user's account." This supports option B.

2. GitHub Docs

"Provisioning users and groups with SCIM": "When you update a user's information on your IdP

the IdP will automatically update the user's account on GitHub.com." This directly supports option A.

3. GitHub Docs

"Provisioning users and groups with SCIM": The document outlines the supported SCIM features

which include provisioning users

updating user attributes (name

email)

and de-provisioning users. It makes no mention of managing repositories (C)

generating API tokens (E)

or setting repository-level permissions (F).

CodeQL's primary differentiator is its unique approach to static analysis. It treats source code as data by building a relational database that captures the code's structure, syntax, and semantics. This database can then be interrogated using a powerful, object-oriented query language called QL. This allows security researchers and developers to write custom queries to find complex, variant vulnerabilities with high precision, going beyond the capabilities of many traditional static analysis tools that rely on predefined, pattern-based checks.

A. CodeQL is an analysis engine that identifies vulnerabilities; it does not automatically remove or remediate insecure code.

C. CodeQL is a core feature of GitHub Advanced Security, which is available for private repositories on GitHub Enterprise, not just open-source projects.

D. CodeQL is a proactive static analysis tool designed to find vulnerabilities before code is deployed, to prevent security breaches, not after one has occurred.

1. GitHub Docs

"About code scanning with CodeQL." In the section "About CodeQL

" it states

"In CodeQL

code is treated as data

allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. ... You write a CodeQL query to find all the code with that structure." This directly supports the concept of querying code as data.

2. GitHub Docs

"About CodeQL." This document explains

"CodeQL is the analysis engine used by developers to automate security checks... You analyze your code using CodeQL by running queries against a database extracted from the source code. ... You can query that database like you would any other database." This confirms the database-like language and querying mechanism.

3. De Moor

O.

Peyton-Jones

S.

& Visser

E. (2011). "Semmle QL: The Query Language for Source Code." This foundational academic paper on the technology behind CodeQL describes it as "an object-oriented query language for performing deep semantic analysis of software." (Section 1: Introduction). This validates the academic principle of using a query language for code analysis.

GitHub App installation access tokens are the recommended method for CI/CD and other automations. They are generated for a specific installation of a GitHub App on a repository or organization. This model provides significant security advantages because the app has its own identity, separate from any user account. Most importantly, GitHub Apps are designed with a fine-grained permission model, allowing administrators to grant only the precise permissions required for the app to perform its function (e.g., read-only access to code, write access to issues), adhering to the principle of least privilege.

A. Personal Access Tokens (PATs): While fine-grained PATs exist, they are tied to a user account. If the user leaves the organization or their permissions change, the automation breaks, making them less robust and not the recommended choice for organizational CI/CD.

C. Device Tokens: These are used for the device authorization flow, which is an interactive process for headless applications (like a CLI) to obtain an OAuth token on behalf of a user. They are not intended for non-interactive CI/CD automation.

D. OAuth tokens: Standard OAuth tokens are generated for a user authorizing an application. They are tied to the user's identity and permissions and typically use broad scopes, lacking the fine-grained control inherent to GitHub Apps.

1. GitHub Docs

"About creating GitHub Apps." This document explicitly states

"GitHub Apps are the officially recommended way to integrate with GitHub because they offer much more granular permissions to access data... For CI/CD

you can use a GitHub App to run workflows." It contrasts this with OAuth Apps and PATs. (Source: GitHub

Inc.

Official Documentation

Developers > Apps > Building GitHub Apps > About building GitHub Apps).

2. GitHub Docs

"Choosing an authentication method." This guide recommends GitHub Apps for system-to-system interactions

such as CI/CD. It highlights that "GitHub Apps have granular permissions and use short-lived tokens

which reduces the risk of leaked credentials." (Source: GitHub

Inc.

Official Documentation

Developers > Apps > Building apps > Choosing an authentication method).

3. GitHub Docs

"Managing your personal access tokens." In the section on choosing the right token

the documentation advises

"For automations that will interact with repositories in an organization

you should use a GitHub App. GitHub Apps have more granular permissions and are not associated with a user account." (Source: GitHub

Inc.

Official Documentation

Authentication > Keeping your account and data secure > Managing your personal access tokens).

An outside collaborator is a user who is not a member of the organization but is granted access to one or more specific repositories. This role is designed to allow external individuals, such as contractors or consultants, to contribute to specific projects without giving them the broader access and visibility that an organization member would have. Their permissions are scoped strictly to the repositories to which they have been explicitly invited.

B. Outside collaborators are not considered members and are generally exempt from organization-wide identity and access management policies like SAML single sign-on (SSO).

C. Access for outside collaborators is granted on a per-repository basis. They do not have default access to any repositories, let alone all private ones.

D. Outside collaborators are explicitly distinguished from organization members and are listed in a separate "Outside collaborators" list, not the main internal member list.

1. GitHub Docs

"Roles in an organization."

Section: "Permissions for organization roles

" Sub-section: "Outside collaborators." This section states

"An outside collaborator is a person who isn't a member of your organization

but has access to one or more of your organization's repositories." This directly supports the correct answer (A) and refutes (C).

2. GitHub Docs

"Adding outside collaborators to repositories in your organization."

Section: "About outside collaborators." This document clarifies

"You can give an outside collaborator access to a repository

and the outside collaborator will be included in your organization's list of people with access to the repository." This reinforces that access is repository-specific.

3. GitHub Docs

"Viewing people's roles in an organization."

Section: "Filtering the members and outside collaborators list." This page shows that the UI provides separate filters for "Members" and "Outside collaborators

" confirming they are not listed together in the internal member list

which refutes (D).

4. GitHub Docs

"About identity and access management with SAML single sign-on."

Section: "About SAML with outside collaborators and bots." The documentation states

"Outside collaborators are not members of your organization and will not be required to authenticate using SAML SSO to access repositories they have been invited to." This directly refutes (B).

A GitHub organization is a shared account designed for businesses and open-source projects to collaborate across multiple repositories. Its primary benefit is providing a distinct container that separates and centralizes management. This includes grouping related repositories and projects, managing user access through teams, consolidating billing for all organizational activities, and enforcing specific security and administrative policies. This clear separation ensures that resources, permissions, and financial responsibilities are managed independently from personal accounts or other organizations, which is crucial for governance and operational clarity.

A. Policies are configured at the individual organization level and are not automatically inherited from other organizations.

B. Creating and managing a new organization introduces an additional administrative layer, which typically increases, not reduces, overhead.

D. While organizations streamline collaboration within them, they create distinct boundaries that can add complexity to collaboration across different organizations.

1. GitHub Docs

"About organizations." This document states

"Organizations are shared accounts where businesses and open-source projects can collaborate across many projects at once. Owners and administrators can manage member access to the organization's data and projects with sophisticated security and administrative features." This supports the concept of separation and centralized management.

2. GitHub Docs

"Roles in an organization." This page details the granular permission levels (owner

member

billing manager) that allow for the separation of duties and access control

a core aspect of creating a distinct organizational unit.

3. GitHub Docs

"Managing security and analysis settings for your organization." This resource confirms that security policies

such as two-factor authentication requirements and repository permissions

are managed at the organization level

demonstrating the principle of policy separation.

4. GitHub Docs

"About billing for organizations." This section clarifies that "You can see an overview of your organization's usage and billing

" confirming that billing is a distinct

manageable aspect of an organization.

A user with "Write" permissions in a GitHub repository is an active contributor. This role grants the ability to push commits to any non-protected branch, manage pull requests, and manage issues and labels. It is the standard permission level for developers who need to contribute code directly to the repository but should not have administrative control over critical repository settings or its existence.

A. Managing repository settings like GitHub Pages requires "Admin" permissions, as it alters how the repository is published and presented.

C. Configuring branch protection rules is a critical administrative function to enforce workflows and prevent unwanted changes, requiring "Admin" permissions.

D. Deleting a repository is a destructive and irreversible action that is strictly limited to users with "Admin" permissions.

---

1. GitHub Docs. "Repository roles for an organization." Accessed October 2023.

Section: "Permissions for each role" table.

This official documentation explicitly states that the "Write" role includes the ability to "Push to unprotected branches." It also shows that managing repository settings (like GitHub Pages)

configuring branch protection rules

and deleting the repository are all restricted to the "Admin" role.

A single GitHub user account can be a member of multiple, distinct organizations. Each organization functions as a separate administrative boundary. Therefore, an administrator must manage a user's team memberships and repository access on a per-organization basis. Roles and permissions are not global; they are assigned within the context of each organization, resulting in different permission levels for the user across them. Similarly, security configurations like SAML single sign-on (SSO) are managed per-organization. A user must authenticate and authorize their credentials separately for each SAML-enabled organization they need to access, as authentication policies are not shared between them.

A. Roles are assigned independently within each organization; they are not automatically synchronized or inherited from one organization to another.

E. A user's core profile remains public. The user can choose to publicize or hide their membership in a specific organization, but this does not make their entire profile private.

F. A user's personal account and repositories are entirely separate from any organization they join. Organizational membership does not grant access to personal repositories.

1. GitHub Docs

"Roles in an organization": This document details the different roles (owner

member

billing manager) that are assigned within a specific organization. It states

"In an organization

you can assign different roles to members

" which confirms that roles are managed separately for each organization

supporting answers B and D and refuting A.

2. GitHub Docs

"About identity and access management with SAML single sign-on": This source explains that SAML SSO is configured at the organization level. It notes

"After you enable SAML SSO for your organization

you must create a linked identity for each member

" and "When a member accesses resources in an organization that uses SAML SSO

GitHub will redirect them to the organization's IdP to authenticate." This confirms that authentication is a separate process for each organization

supporting answer C.

3. GitHub Docs

"Managing your organization membership": This page clarifies the relationship between a user and an organization

including the ability to "Publicize or hide your organization membership." This shows that profile privacy is related to membership visibility

not the entire profile

refuting E. The entire concept of managing membership implies a separation that refutes F.

An Organization Owner in GitHub holds the highest level of administrative privileges. This role grants complete control over the organization's settings, members, and data. Owners are responsible for managing financial aspects, including billing information and payment methods. They have the authority to configure all organization-level settings, such as default repository permissions and security policies. Furthermore, owners possess the inherent ability to create, manage, and delete any repository within the organization without needing approval from other members or teams, reflecting their ultimate administrative authority.

D. Access repositories only if explicitly granted by a team maintainer.

This is incorrect. Organization owners have implicit administrative access to all repositories within the organization and do not require permission from any other role.

1. GitHub Docs

"Roles in an organization." This document outlines the different roles within a GitHub organization. It explicitly states that owners have "full administrative access to the organization

" which encompasses managing settings

billing

and repositories. It confirms that owners can "Manage billing settings" and "Manage organization settings."

Reference Location: Under the "Owners" section in the permissions table.

2. GitHub Docs

"Permission levels for an organization." This page details the capabilities of each role. It specifies that owners have "Complete administrative access to the organization and all of its data and settings." This administrative access inherently includes the ability to create repositories and contradicts the idea that an owner's access would be restricted by a team maintainer.

Reference Location: Section "Owner role."

3. GitHub Docs

"Managing billing for your organization." This resource confirms that only organization owners and designated billing managers can view and manage billing settings

such as payment methods and subscriptions.

Reference Location: Section "About billing for organizations."

For public repositories, when GitHub's secret scanning detects a credential from a partner service provider, it automatically forwards the secret to that provider. The service provider then validates the credential and can take immediate remediation steps, such as revoking the secret and notifying the account owner. This proactive measure is crucial for mitigating the high risk associated with exposed credentials in a public setting. GitHub also creates a security alert for repository administrators.

B. It immediately blocks the commit to protect the secret.

This describes push protection, a feature of GitHub Advanced Security that prevents secrets from being pushed, but it is not the default action for secrets already found in a public repository.

C. It deletes the secret from the repository automatically.

GitHub does not automatically alter or delete content from a user's repository history. The responsibility for removing the committed secret lies with the repository maintainers.

D. It notifies the admin via webhook.

While administrators are notified of alerts, and webhooks can be configured for this purpose, the primary and most critical action for public repositories is notifying the service provider to revoke the token.

---

1. GitHub Docs

"About secret scanning."

Section: "About secret scanning for public repositories"

Content: "When secret scanning detects a set of credentials in a public repository

GitHub notifies the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret

issue a new secret

or reach out to you directly..." This directly supports answer A.

2. GitHub Docs

"Protecting pushes with secret scanning."

Section: "About push protection for secret scanning"

Content: "Push protection for secret scanning is available on repositories with a GitHub Advanced Security license." This confirms that blocking pushes (Option B) is a distinct

non-default feature.

3. GitHub Docs

"Managing alerts from secret scanning."

Section: "About alerts for secret scanning"

Content: "When a secret is detected in a repository

GitHub generates a security alert... GitHub notifies the repository administrators and organization owners about security alerts by default." This shows that notification occurs

but the provider notification (Option A) is the unique

primary action for public repositories. It also clarifies that webhooks (Option D) are a method of notification

not the action itself.

GitHub Enterprise Managed Users (EMU) requires SAML 2.0 for authentication. When integrating with a partner identity provider (IdP) like Microsoft Entra ID or Okta, administrators can use a pre-configured gallery application. This application streamlines the setup by automating much of the configuration. In contrast, integrating with a non-partner IdP that is SAML 2.0 compliant requires a manual setup process. The administrator must manually copy and paste SAML configuration details, such as the Sign on URL (Assertion Consumer Service URL), Issuer (Entity ID), and the public signing certificate, between GitHub and the identity provider to establish the trust relationship.

A. Enterprise Managed Users exclusively uses the SAML 2.0 protocol for user authentication. OpenID Connect (OIDC) is not a supported authentication protocol for this specific GitHub offering.

C. Both partner and non-partner integrations for Enterprise Managed Users support the exact same authentication method: SAML 2.0 single sign-on. The integration type does not change this.

D. While the partner IdP vendor supports their platform, GitHub provides support for the integration itself. This statement is less precise than option B, which describes a fundamental technical difference in the configuration process.

1. GitHub Docs

"Configuring SAML single sign-on for Enterprise Managed Users": This document outlines the necessary steps for SAML configuration. It specifies the information required from any IdP: "To configure SAML SSO

you must provide GitHub with the details of your SAML IdP. GitHub requires the Sign on URL

Issuer

and Public certificate." This confirms the manual detail exchange for non-templated (non-partner) integrations.

2. GitHub Docs

"About Enterprise Managed Users": Under the "Authentication and user provisioning" section

it is explicitly stated

"With Enterprise Managed Users

your identity provider (IdP) controls user accounts and authentication... GitHub Enterprise Cloud uses SAML for authentication...". This reference invalidates option A

as it confirms SAML is the required protocol

not OIDC.

3. GitHub Docs

"Configuring SAML single sign-on and provisioning for Enterprise Managed Users with Azure AD": This guide for a partner IdP demonstrates a streamlined process using a gallery application ("GitHub Enterprise Managed User")

contrasting with the manual value entry required for a generic

non-partner SAML provider. This implicitly supports the correctness of option B.