GH-100 Question #8: Real Exam Question with Answer & Explanation
The correct answer is A: It configures scheduling, package ecosystems, and target directories for update checks.
Question
In a GitHub repository using Dependabot, which of the following best describes the purpose of the .github/dependabot.yml file?
Options
- A. It configures scheduling, package ecosystems, and target directories for update checks.
- B. It lists commit SHAs to exclude from automatic pull requests.
- C. It enables GitHub to scan for secrets in dependency files.
- D. It encrypts dependency versions before storing them in the repo.
Explanation
Option A is correct because dependabot.yml is a configuration file that tells Dependabot how and when to check for outdated dependencies - you specify which package ecosystems to monitor (npm, pip, Maven, etc.), which directories to scan, and how frequently to run checks (daily, weekly, etc.).
Why the distractors are wrong:
- B is wrong - Dependabot doesn't use a list of excluded commit SHAs; you control PR behavior through ignore rules on package names/versions, not commit hashes.
- C is wrong - secret scanning is a separate GitHub Advanced Security feature, entirely unrelated to Dependabot configuration.
- D is wrong - dependabot.yml is a plain YAML file with no encryption capability; encryption of secrets (like private registry credentials) is done through GitHub's encrypted secrets feature, not this file.
Memory tip: Think of dependabot.yml as a schedule + scope file - it answers "what packages, where, and how often?" just like a calendar invite defines what meeting, which room, and what recurrence.