Essential GitHub Security Best Practices Quiz Quiz

Evaluate your understanding of key GitHub security best practices. This quiz covers important measures and strategies for maintaining code repository security, access control, and incident prevention in collaborative development environments.

1. Securing Repository Access

   Which method is recommended to minimize unauthorized access to a private repository when inviting new collaborators?

   1. Grant only the minimum required permissions needed for their role
   2. Give all collaborators full owner access by default
   3. Allow anonymous read-only access for trial periods
   4. Share direct repository links through public channels

   Explanation: Limiting collaborator permissions to only what is necessary greatly reduces potential security risks, ensuring users cannot perform unintended actions. Granting full owner access gives excessive power and increases danger if accounts are compromised. Allowing anonymous read-only access even temporarily can expose sensitive information. Sharing repository links publicly can inadvertently invite breaches from untrusted individuals.

2. Protecting Sensitive Data in Code

   What is a best practice to prevent accidentally exposing secrets, such as API keys, in a public repository?

   1. Store secrets in a configuration file and add that file to .gitignore
   2. Commit secrets directly into source code for faster access
   3. Encrypt secrets and only document passwords in plain text
   4. Rely solely on strong passwords for repository protection

   Explanation: By keeping secrets in files excluded from version control, you avoid the risk of leaking them if the repository becomes public or shared. Committing secrets directly makes them immediately visible to all with access. Encrypting without proper key management or documenting passwords in plain text both pose major risks. Password protection alone does not prevent secrets in code from being exposed.

3. Dependency Vulnerability Management

   When a project uses several third-party dependencies, which practice best helps reduce the risk of including vulnerable components?

   1. Regularly update dependencies and review security advisories
   2. Lock dependency versions and never update them
   3. Only trust popular packages and ignore advisories
   4. Download dependencies from unofficial sources for convenience

   Explanation: Staying up to date ensures that any known security holes are patched quickly. Locking dependencies and neglecting updates leaves software vulnerable as threats emerge. Popularity does not guarantee security, and ignoring advisories can lead to undetected issues. Using unofficial sources increases risk as they can be tampered with or outdated.

4. Commit History and Sensitive Information

   If sensitive information is accidentally committed and pushed to a GitHub repository, which initial action should be taken?

   1. Remove the sensitive data from the commit history and force-push the cleaned repository
   2. Rename the file containing the sensitive information
   3. Create a new branch and continue development as normal
   4. Ignore the issue as only current code matters

   Explanation: Sensitive data needs to be removed not just from the current code but from all historical commits where it appeared. Simply renaming a file does not erase its history. Proceeding without remediation leaves information exposed. Ignoring the issue can seriously compromise security and data privacy.

5. Two-Factor Authentication

   Why is enabling two-factor authentication (2FA) for all contributors considered an effective security measure on collaborative development platforms?

   1. It adds an extra verification step, reducing the risk of unauthorized account access from compromised passwords
   2. It allows users to log in from multiple devices without additional checks
   3. It disables password requirements entirely for easier authentication
   4. It provides unlimited repository access to anyone with a code

   Explanation: 2FA requires users to provide a second factor, like a temporary code, in addition to their password, significantly increasing account security. Allowing multiple devices without checks weakens security. Disabling password requirements or granting unlimited access based on codes undermines identity protection and defeats the purpose of strong authentication.