1. A company uses GitHub Advanced Security (GHAS). A developer pushes a commit that inadvertently includes an AWS access key in a configuration file. Which GHAS feature will detect this exposure, and what is the immediate automated action GitHub takes by default?
- A. Code scanning detects the key using CodeQL analysis and opens a security advisory in the repository.
- B. Secret scanning detects the pattern matching an AWS access key and, for supported partners, automatically notifies the secret provider (AWS) to revoke the credential.✓ Correct
- C. Dependabot security alerts detect the key because AWS SDKs are a known vulnerable dependency.
- D. Secret scanning detects the key and automatically removes the commit from the repository's history.
Explanation
GitHub's secret scanning feature uses pattern matching to detect known secret formats — including AWS access keys — in commits. For AWS and other supported partner integrations, GitHub's 'push protection' and partner notification pipeline automatically alerts the secret provider (AWS) so the credential can be revoked before it is exploited. Code scanning / CodeQL (A) is designed to find code vulnerabilities and bugs, not credential strings. Dependabot security alerts (C) track known CVEs in dependencies — they have no mechanism for detecting hardcoded secrets. Secret scanning does NOT automatically rewrite or remove commits (D); history rewriting must be done manually by the repository owner using tools like git-filter-repo.