A platform team wants Copilot CLI sessions to display policy guidance, log prompts for audit review, and block risky commands with a clear escalation reason. A reviewer checks the repository-scoped hook configuration and policy script.
{
"version": 1,
"hooks": {
"sessionStart": [
{
"type": "command",
"bash": "./scripts/session-banner.sh",
"powershell": "./scripts/session-banner.ps1",
"cwd": ".github/hooks",
"timeoutSec": 10
}
],
"userPromptSubmitted": [
{
"type": "command",
"bash": "./scripts/log-prompt.sh",
"powershell": "./scripts/log-prompt.ps1",
"cwd": ".github/hooks",
"timeoutSec": 10
}
],
"preToolUse": [
{
"type": "command",
"bash": "./scripts/pre-tool-policy.sh",
"powershell": "./scripts/pre-tool-policy.ps1",
"cwd": ".github/hooks",
"timeoutSec": 15
}
]
}
}
#!/bin/bash
set -euo pipefail
INPUT="$(cat)"
TOOL_NAME="$(echo "$INPUT" | jq -r '.toolName // empty')"
TOOL_ARGS_RAW="$(echo "$INPUT" | jq -r '.toolArgs // empty')"
if [ "$TOOL_NAME" != "bash" ]; then
exit 0
fi
COMMAND="$(echo "$TOOL_ARGS_RAW" | jq -r '.command // empty')"
if echo "$COMMAND" | grep -Eq "sudo|rm -rf|curl .*\| bash|terraform apply -auto-approve"; then
jq -n \
--arg r "High-risk command blocked. Open an escalation issue with the proposed command and justification
." \
'{permissionDecision:"deny", permissionDecisionReason:$r}'
exit 0
fi
exit 0
Evaluate the following statements.
1. The sessionStart hook can show developers the escalation policy.
2. The preToolUse script blocks every Copilot CLI tool call.
3. The deny response gives a human-readable escalation reason.Choose an answer
Tap an option to check your answer.
Correct answer: 1=Yes 2=No 3=Yes.
Why this is the answer
Statement 1 is correct because the sessionStart hook executes ./scripts/session-banner.sh at the beginning of each session. This script can be configured to display policy guidance, including the escalation policy, to the user. Statement 2 is incorrect. The preToolUse script explicitly checks if [ "$TOOLNAME" != "bash" ]; then exit 0; fi, meaning it only applies its blocking logic to bash commands. Other Copilot CLI tools are not blocked by this script. Statement 3 is correct. When a risky command is detected, the script outputs a JSON object including permissionDecisionReason with the value "High-risk command blocked. Open an escalation issue with the proposed command and justification.", which is a clear, human-readable reason for the denial.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed