GitHub Updated GitHub-Advanced-Security Exam Questions and Answers by damon

Whenmultiple instances of the same secret valueappear in a repository,only one alertis generated. Secret scanning works by identifying exposed credentials and token patterns, and it groups identical matches into asingle alertto reduce noise and avoid duplication.

This makes triaging easier and helps teams focus on remediating the actual exposed credential rather than reviewing multiple redundant alerts.

When you identify that a code scanning alert is a false positive—such as when your code uses a custom sanitization method not recognized by the analysis—you should dismiss the alert with the reason "false positive." This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.​

As per GitHub's documentation:​

"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis."​

By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.

Comprehensive and Detailed Explanation:

A CodeQL database contains a representation of your codebase, including the build of the code and extracted data. This database is used to run CodeQL queries to analyze your code for potential vulnerabilities and errors.​

GitHub Docs

Thefirst stepwhen you receive a secret scanning alert is torevoke the secretif it is still valid. This ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to remove it from the code history and apply other mitigation steps.

Simply deleting the secret from the code doesnotremove the risk if it hasn’t been revoked — especially since it may already be exposed in commit history.