Challenge your knowledge of repository security best practices, permissions, and common threats in the tools ecosystem. This quiz covers essential strategies and features to protect code repositories and maintain secure collaboration workflows.
Which access level should be granted to a user who needs to review code but must not push any changes to the repository?
Explanation: Read-only access allows users to view and review code without making any modifications, which is appropriate for reviewers. Admin rights include broad powers, such as changing settings, and are unnecessary for simple code reviews. Write access permits pushing changes, which exceeds the requirement. 'Review-only' is not a standard granular permission; it may be mistaken for read-only but is not typically an option.
If a developer accidentally commits an API key to a repository, what is the most secure immediate action to take?
Explanation: Rotating the exposed credentials ensures that the old key can no longer be used maliciously, and purging the repository history removes the key from earlier commits. Merely removing the key from the latest commit is not enough, since it still exists in earlier commits. Deleting the entire repository is an extreme and impractical option. Notifying the team without taking further action leaves the system vulnerable.
Which repository feature helps prevent unauthorized or accidental changes to important branches like main or master?
Explanation: Branch protection rules offer controls such as preventing force pushes, requiring pull request reviews, and restricting direct commits to critical branches. Commit hooks are scripts that run at certain events but do not enforce permanent protections. Repository mirroring relates to duplicating content, not to branch safety. Tagging is used for marking points in history and does not prevent modifications.
Applying the principle of least privilege in a repository means which of the following actions?
Explanation: The principle of least privilege seeks to minimize risk by providing each user with only the necessary access rights. Granting all users admin access increases risk and breaks this principle. Allowing everyone to approve pull requests gives more permissions than needed. Disabling two-factor authentication reduces security and is unrelated to access granularity.
A developer includes a third-party dependency in the repository without reviewing it. What is the main security risk in this scenario?
Explanation: Unreviewed third-party dependencies may contain known or unknown security flaws, potentially introducing vulnerabilities into the project. Reduced commit frequency and slower cloning speeds are not security concerns. Branch name conflicts can cause confusion but are not a primary security hazard in this context.