GitHub Advanced Security (GHAS) is GitHub's premium application security suite — code scanning powered by CodeQL, secret scanning with push protection, and dependency review with Dependabot. The GitHub Advanced Security Certification (GH-500) is the credential validating your ability to deploy, tune, and remediate findings from those tools at enterprise scale.
Whether it's worth your time depends heavily on whether GHAS is part of your organisation's stack. This article gives an honest take.
Exam At a Glance
| Attribute | Value |
|---|---|
| Exam code | GH-500 |
| Cost (USD) | $99 |
| Format | Multiple choice + multiple-response |
| Number of questions | Approximately 75 |
| Duration | 120 minutes |
| Passing score | ~70% |
| Validity | 2 years |
| Recommended experience | 6+ months using GHAS features |
Exam Domains
| Domain | Weight |
|---|---|
| 1. Code Scanning & CodeQL | 40% |
| 2. Secret Scanning & Push Protection | 25% |
| 3. Dependency Review & Dependabot | 20% |
| 4. GHAS Configuration & Governance | 15% |
What the Exam Actually Tests
1. Code Scanning & CodeQL (40%)
- Enabling code scanning via default setup vs custom workflow
- Supported languages and the build-mode (autobuild vs manual)
- CodeQL query packs and customising the analysis
- Reading and triaging alerts in the Security tab
- Severity and security severity ratings
- Dismissing vs marking false positive vs fixed
- Writing basic custom CodeQL queries (recognition-level, not authoring depth)
- Multi-language repositories and matrix builds
2. Secret Scanning & Push Protection (25%)
- Default partner patterns vs custom patterns
- Push protection bypass workflow and audit log
- Validity checks (active/inactive tokens)
- Non-provider patterns (regexes for proprietary credentials)
- Secret scanning for self-hosted runners and forks
3. Dependency Review & Dependabot (20%)
- Dependency graph and supported package ecosystems
- Dependabot security updates vs version updates
- dependabot.yml configuration (schedule, groups, allow lists)
- Dependency review action in pull-request workflows
- License compliance checks
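The two configuration files behind this domain, shown together as an added example that is not part of the article: a `dependabot.yml` with a schedule, an allow list and update groups, and a pull-request workflow running the dependency review action with a severity gate and a license deny list. The npm ecosystem, the group names and the denied licenses are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    # Allow list: only raise PRs for production dependencies
    allow:
      - dependency-type: "production"
    # Groups batch related updates into one PR so triage stays manageable
    groups:
      dev-tooling:
        patterns: ["eslint*", "prettier"]
      minor-and-patch:
        update-types: ["minor", "patch"]
    labels: ["dependencies", "security"]

# .github/workflows/dependency-review.yml
name: Dependency Review
on: [pull_request]
permissions:
  contents: read
  pull-requests: write   # lets the action post its summary comment on the PR
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when the PR introduces a moderate or worse vulnerability
          fail-on-severity: moderate
          # License compliance: block copyleft licenses this hypothetical org disallows
          deny-licenses: GPL-3.0, AGPL-3.0
          comment-summary-in-pr: always
```

Dependabot security updates need no entry in `dependabot.yml`; the file only drives version updates, which is exactly the distinction the exam asks about.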
4. GHAS Configuration & Governance (15%)
- Enabling GHAS at enterprise, org, or repo level
- Security overview dashboard
- Security campaigns and risk insights
- Custom security policies (SECURITY.md, repository rulesets)
- API endpoints for security alerts
The Licensing Reality
This is the elephant in the room: GHAS is only available on GitHub Enterprise Cloud or GitHub Enterprise Server with the GHAS add-on. Pricing is around $30 per active committer per month, which means a 50-developer organisation pays roughly $18,000/year on top of GitHub Enterprise.
If your organisation is on GitHub Free or Team, you cannot use most GHAS features. Some pieces — Dependabot version updates, dependency graph, basic secret scanning for public repos — are free, but the cert centers on the paid features.
Practical implication: take this cert if your employer pays for GHAS, or if you're applying to companies that do.
Who Benefits Most from GH-500?
- AppSec engineers at organisations on GitHub Enterprise + GHAS
- DevOps engineers integrating security into CI/CD on GitHub
- Security champions embedded in engineering teams
- GitHub services consultants deploying GHAS for clients
Who Should Skip It?
- Developers at small organisations on free/team plans
- Security engineers focused on cloud (AWS/Azure/GCP) security rather than code security
- SOC analysts and incident responders — GHAS is preventive, not detective
Salary Impact
GH-500 is too new to have direct salary data, but adjacent AppSec roles in the US (2026 medians):
| Role | Median salary (US) |
|---|---|
| Application Security Engineer | $148,000 |
| DevSecOps Engineer | $142,000 |
| Product Security Engineer | $165,000 |
The cert by itself doesn't move salary; what it does is signal credibility when interviewing at GHAS-using organisations.
GH-500 vs Other AppSec Credentials
| Cert | Vendor | Focus | Cost |
|---|---|---|---|
| GH-500 | GitHub | GHAS tooling and remediation | $99 |
| (ISC)² CSSLP | (ISC)² | Secure SDLC concepts (vendor-neutral) | $599 |
| Snyk Certified Developer | Snyk | Snyk platform usage | Free (training) |
| CompTIA Security+ | CompTIA | Broad security fundamentals | $404 |
| OWASP Top 10 training (various) | Various | App security fundamentals | $0–$500 |
GH-500 is the most product-specific of these. It's narrow, but if GHAS is part of your job, no other credential covers the same ground at the same depth.
4-Week Study Plan
| Week | Focus | Hands-on |
|---|---|---|
| 1 | Code scanning enabled, default vs custom setup | Enable code scanning on a vulnerable demo repo |
| 2 | CodeQL queries and triage | Triage 20 alerts; dismiss, fix, false-positive |
| 3 | Secret scanning, push protection, dependency review | Configure custom patterns, set up Dependabot groups |
| 4 | Governance + practice exams | Use security overview at org level; 2 timed practice tests |
Free / Cheap Practice Environment
- GitHub offers a GHAS trial for evaluation
- Use the open-source github/securitylab demo apps (e.g., the Java/Spring/C++ vulnerable apps) to generate real CodeQL alerts
- Forks of OWASP NodeGoat, Juice Shop, or WebGoat as scan targets
Verdict
GH-500 is worth it for AppSec/DevSecOps engineers at GHAS-using companies. It's a narrow but deep cert that signals real proficiency with the leading GitHub-native security toolchain. For everyone else, GitHub Foundations + Security+ + GH-200 will go further than GH-500 alone.
If you're a developer at a company evaluating GHAS, taking GH-500 also positions you to lead the rollout — which is the path many DevSecOps careers actually start on.