AZ-400 · Question #129
Hotspot Question You have an Azure DevOps project that contains a build pipeline. The build pipeline uses approximately 50 open source libraries. You need to ensure that the project can be scanned for
The correct answer is Object to create:: A build task; Service to use:: WhiteSource Bolt. This question tests your knowledge of integrating open source vulnerability scanning into Azure DevOps pipelines using appropriate tools and configurations.
Question
Exhibit
Answer Area
- Object to create:A build taskA build taskA deployment taskAn artifacts repository
- Service to use:WhiteSource BoltWhiteSource BoltBambooCMakeChef
Explanation
This question tests your knowledge of integrating open source vulnerability scanning into Azure DevOps pipelines using appropriate tools and configurations.
Approach. To scan open source libraries for known security vulnerabilities in Azure DevOps, you should add the WhiteSource Bolt (now known as Mend) extension from the Azure DevOps Marketplace, which specializes in open source security and license compliance scanning. You then add the WhiteSource Bolt build task to the build pipeline so it automatically scans the ~50 open source libraries during each build. This integration checks dependencies against known CVE (Common Vulnerabilities and Exposures) databases and generates security reports directly within Azure DevOps. WhiteSource Bolt is a free tier offering that integrates natively with Azure DevOps pipelines and is specifically designed for open source component analysis (SCA - Software Composition Analysis).
Concept tested. Software Composition Analysis (SCA) in Azure DevOps - specifically using WhiteSource Bolt (Mend) to detect known security vulnerabilities (CVEs) in open source libraries integrated into a CI/CD build pipeline. This tests understanding of DevSecOps practices, Azure DevOps Marketplace extensions, and the distinction between SAST (static code analysis) tools versus SCA tools designed for open source dependency scanning.
Reference. https://docs.microsoft.com/en-us/azure/devops/pipelines/ecosystems/android?view=azure-devops - WhiteSource Bolt Azure DevOps extension documentation and Microsoft Learn: Implement open source software security with WhiteSource Bolt
Topics
Community Discussion
No community discussion yet for this question.
