GitHub went from informal convention to a structured certification program in 2024.

For years, GitHub experience lived on résumés as a GitHub profile link, a green contribution graph, or a list of open-source projects. There was no formal credential that verified platform fluency in the same way AWS certifies cloud architects or CompTIA certifies security analysts. GitHub changed that in 2024 by launching a multi-tier certification program — five exams, from entry-level platform literacy to advanced security and enterprise administration. GitHub Foundations is the first rung: the credential that says you understand how the platform works, how teams collaborate on it, and how modern software development workflows are structured around it.

GitHub is now the default platform for the vast majority of open-source projects and an increasing share of enterprise source control. DevOps engineers, platform engineers, and developers who use GitHub daily but have never formalised that knowledge now have a pathway to demonstrate it. And for candidates pursuing cloud certifications (AWS DVA-C02, AZ-204) or Kubernetes credentials (CKA, CKAD) — where GitHub is assumed to be the CI/CD source of truth — GitHub Foundations provides the foundational context those exams take for granted.

What GitHub Foundations tests

Domain 1 — Introduction to Git and GitHub

The foundation of everything. The exam tests the conceptual model of distributed version control, the anatomy of a Git repository, and the relationship between a local repository and its remote counterpart.

  • Version control fundamentals: what a VCS is, why distributed version control differs from centralised systems (CVS, SVN), and what Git’s commit graph model means in practice.
  • Core Git objects: commit (snapshot + pointer to parent + author metadata), tree (directory structure at a point in time), blob (file content), and tag (named reference to a specific commit). The exam does not test plumbing commands, but understanding what these objects represent clarifies how branching and merging work.
  • The three states: working tree (files as you see them), staging area / index (changes marked for the next commit), and the repository (committed history). The flow: edit → git add → git commit.
  • Branching model: branches as lightweight pointers to commits, creating branches (git branch, git checkout -b, git switch -c), merging strategies (fast-forward vs three-way merge), rebase vs merge trade-offs, and resolving merge conflicts.
  • Remotes: origin as the conventional name for the primary remote, upstream for the fork’s parent, push vs pull vs fetch, and tracking branches.
  • GitHub as a Git hosting layer: GitHub adds collaboration features, access control, CI/CD, and a web UI on top of standard Git. The exam distinguishes between Git concepts (commits, branches) and GitHub features (pull requests, Actions).

Domain 2 — GitHub Repository Management and Collaboration

The core of daily GitHub work: how repositories are structured, how teams use Issues to manage work, and how pull requests drive code review and merging.

  • Repository anatomy: README.md (project documentation visible on the repo homepage), .gitignore (patterns for untracked files), LICENSE (open-source licensing terms), CONTRIBUTING.md (contribution guidelines), CODE_OF_CONDUCT.md, and SECURITY.md (vulnerability disclosure policy). Each of these has a defined purpose in the GitHub UI and the exam tests when to create each.
  • GitHub Issues: creating, labelling, assigning, milestoning, and closing issues. Issue templates for bug reports and feature requests. Issues vs GitHub Discussions: Issues are for actionable, trackable work items; Discussions are for open-ended community conversations that may or may not produce a formal issue.
  • Pull requests: opening a PR, writing a PR description, requesting reviewers, responding to review comments, and the three merge strategies: merge commit (preserves full history, shows the PR as a merge commit), squash and merge (collapses all PR commits into one, clean linear history), and rebase and merge (replays PR commits on top of the base, linear without a merge commit). The exam tests which strategy suits which team workflow.
  • Code review: CODEOWNERS file syntax (maps path patterns to GitHub users or teams who must review changes), required reviewers, and review states: Comment (feedback without approval), Approve, and Request changes.
  • Protected branches: branch protection rules — require pull requests before merging, require status checks to pass before merging, restrict who can push directly. Know the difference between allowing force pushes and disallowing them on protected branches.
  • GitHub Projects: kanban-style project boards linked to Issues and PRs, automation rules (auto-move items when PRs are merged), and the difference between organisation-level and repository-level projects.
  • Forks vs branches: fork creates an independent copy of the repository under a different owner (used in open-source contribution when you do not have write access); branch is a pointer within the same repository (used in team workflows with shared write access). The exam tests which pattern to recommend for which contributor relationship.

Domain 3 — Modern GitHub Collaboration Workflows

The exam does not test any single workflow as “correct” — it tests knowing which workflow suits which team context.

  • GitHub Flow: the simplest and most common workflow for teams deploying continuously. One main branch (main), feature branches for every change, pull request to review and merge, deploy from main. Suitable for: SaaS products, cloud-native teams, continuous delivery pipelines. The exam often recommends GitHub Flow when no long-running release branches exist.
  • GitFlow: a more structured workflow with permanent branches for main (production), develop (integration), plus time-limited feature/, release/, and hotfix/ branches. Suitable for: versioned software products (desktop apps, libraries, APIs with multiple live versions). The exam recommends GitFlow when the scenario involves scheduled releases and long-lived release branches.
  • Fork and pull model: the standard open-source contribution pattern. Contributor forks the upstream repository, creates a branch in their fork, commits changes, opens a PR from their fork back to the upstream. Maintainers review and merge without granting write access to the contributor. Used whenever contributors do not have write access to the canonical repository.
  • Draft pull requests: PRs marked as drafts signal that the branch is work-in-progress and not yet ready for review. Reviewers are notified but merging is blocked until the draft status is removed. Used for early feedback, CI visibility, and preventing premature merges.
  • Commit message conventions: Conventional Commits format (feat:, fix:, docs:, chore:) as a widely adopted standard. The exam tests awareness, not enforcement.

Domain 4 — GitHub Actions Fundamentals

GitHub Foundations covers Actions conceptually. The GitHub Actions certification covers deep YAML configuration, custom actions, composite actions, and reusable workflows — that depth is not expected here.

  • What GitHub Actions is: an event-driven CI/CD and automation platform built into every GitHub repository. Workflows run in response to repository events — no external CI service required.
  • Core vocabulary: Workflow (a YAML file in .github/workflows/ that defines the automation), Event (the trigger — push, pull_request, schedule, workflow_dispatch, and dozens more), Job (a set of steps that run on a runner), Step (a single command or action within a job), Runner (the virtual machine that executes the job — GitHub-hosted Ubuntu/Windows/macOS or self-hosted).
  • GitHub-hosted vs self-hosted runners: GitHub-hosted runners are ephemeral VMs managed by GitHub; self-hosted runners are machines you control, used for private network access, custom hardware, or cost optimisation at high run volumes.
  • Actions Marketplace: pre-built actions shared publicly. actions/checkout (checks out the repository), actions/setup-node (installs Node.js), actions/upload-artifact (stores build artefacts) are the most commonly tested examples.
  • Secrets and environment variables: sensitive values (API keys, tokens) stored as encrypted repository or organisation secrets, referenced as ${{ secrets.MY_SECRET }} in workflows. Environment variables set at workflow, job, or step level.
  • Deployment environments: GitHub Environments for staging/production gates — required reviewers, protection rules, and environment-scoped secrets. The exam tests the use of environments to add an approval step before production deployments.
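
The Domain 4 vocabulary in one workflow file, as an added example (not from the original page or from GitHub's exam material). The npm scripts, the deploy.sh script, the production environment name and the MY_SECRET secret are assumptions; the example shows events, jobs, steps, a GitHub-hosted runner, the three Marketplace actions named above, and a secret exposed only to the gated deploy step.

```yaml
# .github/workflows/ci.yml (hypothetical file name; added example)
name: ci

on:                          # Events that trigger this workflow
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:         # manual run from the Actions tab

permissions:                 # least privilege for the automatic GITHUB_TOKEN
  contents: read

jobs:
  build:                     # Job: a set of steps on one runner
    runs-on: ubuntu-latest   # Runner: ephemeral GitHub-hosted VM
    steps:
      - uses: actions/checkout@v4        # Step that uses a Marketplace action
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci                      # Step that runs a shell command
      - run: npm test                    # assumed npm script
      - run: npm run build               # assumed to write output to dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  deploy:
    needs: build                         # runs only after build succeeds
    if: github.event_name == 'push'      # never for pull request code
    runs-on: ubuntu-latest
    # Environment gate: with required reviewers configured on the
    # "production" environment, the job waits for approval before starting.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: ./deploy.sh dist/           # hypothetical deploy script
        env:
          # The secret is mapped into this one step only, not the whole job.
          DEPLOY_TOKEN: ${{ secrets.MY_SECRET }}
```

Keeping the secret out of the build job means code from a pull request is tested without ever running alongside the deployment credential.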

Domain 5 — GitHub Security Basics

The security domain in GitHub Foundations is awareness-level. GitHub Advanced Security (GHAS) is a separate certification covering CodeQL, secret scanning policies, and security campaigns in depth.

  • Dependabot: automated dependency update pull requests and security alerts. Dependabot alerts notify repository owners when a dependency has a known CVE. Dependabot security updates auto-create PRs to fix vulnerable dependencies. Dependabot version updates (configured via dependabot.yml) keep dependencies current regardless of CVEs.
  • Secret scanning: GitHub scans repository history and new pushes for patterns matching API keys, tokens, and credentials from over 200 service providers. Detected secrets trigger alerts and, for supported providers, automatic revocation. The exam tests understanding the risk of committed secrets and how secret scanning mitigates it.
  • Code scanning: static analysis via CodeQL or third-party tools integrated through the GitHub Actions workflow. Identifies security vulnerabilities and coding errors in the codebase before they reach production. GitHub Foundations tests awareness; GitHub Advanced Security tests CodeQL query writing and custom configuration.
  • SECURITY.md: a file at the repository root that defines the vulnerability disclosure policy — how to report a security issue privately. GitHub displays a “Report a vulnerability” button in the Security tab when a SECURITY.md is present.
  • Authentication security: personal access tokens (PATs) vs GitHub Apps vs OAuth apps for programmatic GitHub access. Fine-grained PATs (introduced 2023) scope access to specific repositories and permissions, replacing the all-or-nothing classic PAT model. Two-factor authentication and required 2FA at the organisation level.

Domain 6 — GitHub Platform Features and Ecosystem

The final domain covers the broader GitHub platform at awareness level.

  • GitHub Packages: a package registry supporting npm, Docker, Maven, NuGet, RubyGems, and Gradle. Packages live alongside the code that produces them and are scoped to the same access controls as the repository. Used for publishing internal libraries without exposing them to public registries.
  • GitHub Codespaces: cloud-hosted development environments that spin up directly from a repository. A devcontainer.json file specifies the environment — runtime, extensions, ports, and setup commands. The exam tests what Codespaces is and when it’s useful (onboarding, consistent dev environments, working from devices without a local IDE), not devcontainer configuration depth.
  • GitHub Copilot: AI pair programmer that suggests code and completions inline in the IDE. Available as an individual or enterprise subscription. The exam tests awareness of what Copilot is; the GitHub Copilot certification covers prompting patterns and enterprise governance.
  • GitHub Pages: static site hosting from a repository branch or a docs/ folder. Used for project documentation, personal portfolios, and open-source project websites. Supports custom domains and HTTPS.
  • GitHub Mobile and GitHub Desktop: mobile apps for managing Issues, PRs, and notifications; desktop GUI client for Git operations without the command line. The exam tests what each product is and its primary use case.
  • GitHub Skills: free, in-browser interactive learning courses that run directly inside a GitHub repository using GitHub Actions to automate instruction and feedback. The primary free study resource for GitHub Foundations preparation.
  • GitHub Education: free GitHub Pro accounts for students and teachers, access to developer tools through the Student Developer Pack, and free GitHub Foundations exam vouchers for students. Organisations that join GitHub Campus Program get additional benefits.

The distinction the exam draws most sharply: fork vs branch. Fork when a contributor does not have write access to the repository (open-source contribution from an external contributor). Branch when the contributor is a team member with write access to the same repository (internal feature development). Confusing the two is the most common conceptual error on GitHub Foundations — and it shows up in scenario questions where the contributor relationship determines the correct answer.

The full GitHub certification stack

GitHub Foundations is the entry credential in a five-exam programme covering the full platform and DevSecOps lifecycle:

GitHub Certification Stack (2024–2026)

  • GitHub Foundations — Entry-level platform literacy: Git, repositories, pull requests, Actions basics, security awareness, and open-source workflows. ~75 questions, 120 min, $99 USD. The starting point for all other GitHub certs.
  • GitHub Actions — CI/CD and automation engineering: writing YAML workflows, creating custom actions (composite, Docker-based, JavaScript-based), reusable workflows, self-hosted runners, caching strategies, and deployment gates. The cert for DevOps engineers who build and maintain CI/CD pipelines.
  • GitHub Advanced Security (GHAS) — DevSecOps and supply chain security: CodeQL queries, secret scanning enterprise policies, Dependabot enterprise management, security campaigns, and integrating security tooling into pipelines. Requires GitHub Advanced Security licensing at the organisation level.
  • GitHub Copilot — AI-assisted development: prompt engineering for code generation, slash commands, Copilot Chat, enterprise data governance, and responsible AI use in software development workflows.
  • GitHub Administration — Enterprise platform management: organisation and enterprise settings, repository permissions, team hierarchies, SSO integration, audit logging, and GitHub Enterprise Server vs GitHub Enterprise Cloud management.

Where GitHub Foundations fits in the broader cert landscape

GitHub Foundations is a platform-fluency credential, not a job-title credential. It does not command a salary premium in isolation — but it provides a meaningful signal in combination with cloud or DevOps certifications. For engineers studying toward AWS DVA-C02 (Developer Associate) or Azure AZ-204 (Developer Associate), GitHub is assumed to be the source control platform. The exam prep path that makes sense: GitHub Foundations to validate platform literacy, then the cloud developer cert to validate service-level skills, then GitHub Actions to validate CI/CD pipeline engineering. This combination — particularly GitHub Actions + AZ-204 or GitHub Actions + AWS DVA-C02 — directly maps to Platform Engineer and DevOps Engineer job descriptions in 2026.

For candidates pursuing CKA/CKAD, the GitOps operational model (ArgoCD, Flux) assumes Git and GitHub as the system of record for cluster state. GitHub Actions is the CI layer that builds and pushes container images before GitOps picks them up. GitHub Foundations gives the conceptual grounding; GitHub Actions gives the hands-on CI skills that GitOps workflows depend on. Platform engineers combining CKA + GitHub Actions are positioned for the platform engineering roles now advertised at $130k–$165k in North American markets.

How to prepare for GitHub Foundations

The exam is not trick-heavy. It tests genuine platform familiarity built through practical use. The preparation strategy reflects that:

Why it matters for DevOps and cloud cert candidates

GitHub Foundations formalises knowledge most DevOps engineers already have but have never been tested on. For new entrants — career changers, bootcamp graduates, non-engineers moving into technical roles — it provides a structured platform literacy credential that signals GitHub fluency to hiring managers. For experienced engineers, the GitHub Actions certification (not Foundations) is the higher-value credential: CI/CD pipeline engineering is a core hiring criterion for platform engineers, DevOps engineers, and SREs in 2026. The natural path: Foundations to confirm the baseline, then GitHub Actions for the skill employers pay for. GitHub offers free exam vouchers through GitHub Education — students and educators should claim them before registering for a paid attempt.
