nerdexam
Microsoft

AZ-400 · Question #255

Drag and Drop Question You have an Azure DevOps release pipeline as shown in the following exhibit. You need to complete the pipeline to configure OWASP ZAP for security testing. Which five Azure CLI

The correct answer is Call the Baseline Scan; Download the file; Convert Report Format; Publish Test Results; Destroy OWASP Container. The correct sequence follows the logical workflow of OWASP ZAP security testing in an Azure DevOps pipeline: first 'Call the Baseline Scan' to execute the OWASP ZAP scan against the target, then 'Download the file' to retrieve the generated XML report from the ZAP container, then

Submitted by suresh_in· Mar 6, 2026Implement continuous security validation using OWASP ZAP within Azure DevOps release pipelines as part of the 'Implement security and compliance in pipelines' domain (AZ-400 DevOps Engineer Expert certification)

Question

Drag and Drop Question You have an Azure DevOps release pipeline as shown in the following exhibit. You need to complete the pipeline to configure OWASP ZAP for security testing. Which five Azure CLI tasks should you add in sequence? To answer, move the tasks from the list of tasks to the answer area and arrange them in the correct order. Answer:

Exhibits

AZ-400 question #255 exhibit 1
AZ-400 question #255 exhibit 2

Answer Area

Drag items

Convert Report FormatBuild machine imagePublish Test ResultsDestroy OWASP ContainerCall the Baseline ScanDocker CLI installerDownload the file

Correct arrangement

  • Call the Baseline Scan
  • Download the file
  • Convert Report Format
  • Publish Test Results
  • Destroy OWASP Container

Explanation

The correct sequence follows the logical workflow of OWASP ZAP security testing in an Azure DevOps pipeline: first 'Call the Baseline Scan' to execute the OWASP ZAP scan against the target, then 'Download the file' to retrieve the generated XML report from the ZAP container, then 'Convert Report Format' to transform the ZAP XML output into NUnit or JUnit format that Azure DevOps can interpret, then 'Publish Test Results' to upload and display the converted results in the pipeline dashboard, and finally 'Destroy OWASP Container' to clean up the Docker container and free resources. This sequence ensures the scan runs, results are captured and made readable, published for visibility, and infrastructure is cleaned up afterward.

Topics

#OWASP ZAP#Azure DevOps Release Pipeline#Security Testing#DevSecOps

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice