nerdexam
Microsoft

AZ-400 · Question #349

Your company has an Azure DevOps project, which includes a build pipeline that makes use of roughly fifty open source libraries. You have been tasked with making sure that you are able to scan project

The correct answer is A. You should create a build task and use the WhiteSource Bolt service.. To scan open source libraries for security weaknesses, you should integrate WhiteSource Bolt as a build task in your Azure DevOps pipeline.

Submitted by amina.ke· Mar 6, 2026Develop a security and compliance plan

Question

Your company has an Azure DevOps project, which includes a build pipeline that makes use of roughly fifty open source libraries. You have been tasked with making sure that you are able to scan project for common security weaknesses in the open source libraries. Which of the following actions should you take?

Options

  • AYou should create a build task and use the WhiteSource Bolt service.
  • BYou should create a deployment task and use the WhiteSource Bolt service.
  • CYou should create a build task and use the Chef service.
  • DYou should create a deployment task and use the Chef service.

How the community answered

(61 responses)
  • A
    82% (50)
  • B
    2% (1)
  • C
    11% (7)
  • D
    5% (3)

Why each option

To scan open source libraries for security weaknesses, you should integrate WhiteSource Bolt as a build task in your Azure DevOps pipeline.

AYou should create a build task and use the WhiteSource Bolt service.Correct

WhiteSource Bolt (now Mend Bolt) is a Software Composition Analysis (SCA) tool specifically designed to identify known vulnerabilities and license compliance issues in open-source components. Integrating it as a build task ensures that these critical security checks are performed early in the CI/CD pipeline when dependencies are resolved and packaged.

BYou should create a deployment task and use the WhiteSource Bolt service.

While WhiteSource Bolt is the correct service, vulnerability scanning of open-source libraries should ideally be performed during the *build* phase, not the *deployment* phase, to detect and address issues before the software is packaged for release.

CYou should create a build task and use the Chef service.

Chef is a configuration management and infrastructure-as-code automation platform, not a service for scanning open-source libraries for security weaknesses.

DYou should create a deployment task and use the Chef service.

Chef is not suitable for scanning open-source libraries for vulnerabilities, and such scans are typically executed during the build stage, not deployment.

Concept tested: Software Composition Analysis (SCA) in Azure DevOps

Source: https://marketplace.visualstudio.com/items?itemName=whitesource.whitesource-bolt

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice