GH-100 Questions and Answers

Enterprise policies let you define and enforce mandatory settings across all member organizations - organization‑level policies then operate within the options that the enterprise policy exposes.

Regularly auditing for inactive (dormant) users lets you suspend or remove accounts that aren’t consuming seats - freeing up licenses and directly lowering your per‑user subscription costs.

Revoke and/or rotate the exposed credentials immediately so they can no longer be used - this is the critical first step before you undertake any history‑rewriting or cleanup.

GitHub Discussions engagement isn’t a metered product and doesn’t appear in the “Product billing” list, so its usage isn’t included in the monthly metered billing report.

By defining the API key as an organization secret, you centralize management and can grant access only to the subset of repositories you choose - eliminating per‑repo duplication while enforcing the desired scope.

When secret scanning detects a supported credential in a public repository, GitHub notifies the issuing service provider so they can revoke or rotate the exposed secret.

GitHub Advanced Security equips developers with built‑in code scanning (CodeQL), secret scanning, dependency review, and other AppSec tools - helping them find, fix, and prevent security vulnerabilities while maintaining code quality.

The audit log records the token’s identifier (the hashed_token value), the source IP address of the request, and the actor (the user or app) associated with that token, allowing you to trace exactly who used it.

CodeQL differs from traditional static analysis tools by ingesting your code into a queryable database and letting you write QL queries - its own database‑style language - to express semantic checks and find patterns across the codebase.

Group SCIM lets you manage both user accounts and group memberships centrally in your identity provider - automatically provisioning, updating, and deprovisioning users and groups in GitHub - whereas Team Sync only mirrors IdP group membership into existing GitHub teams.

In the organization’s runner group settings, switch the access from “All repositories” to “Selected repositories” and then explicitly choose which repos may use those runners.

A security policy (the SECURITY.md file) lets maintainers of an open source repository provide clear, private instructions for collaborators and external researchers on how to report and disclose security vulnerabilities responsibly.

GitHub Actions billing for GitHub‑hosted runners is based on the number of minutes consumed and the operating system of the runner - Linux, Windows, and macOS each have different per‑minute rates.

Team maintainers can manage nested sub‑teams - requesting to add or change parent/child teams within the organization’s hierarchy.

Team maintainers have permission to add and remove members from their team, controlling day‑to‑day team membership.