AZ-400 · Question #349
Your company has an Azure DevOps project, which includes a build pipeline that makes use of roughly fifty open source libraries. You have been tasked with making sure that you are able to scan project
The correct answer is A. You should create a build task and use the WhiteSource Bolt service.. To scan open source libraries for security weaknesses, you should integrate WhiteSource Bolt as a build task in your Azure DevOps pipeline.
Question
Options
- AYou should create a build task and use the WhiteSource Bolt service.
- BYou should create a deployment task and use the WhiteSource Bolt service.
- CYou should create a build task and use the Chef service.
- DYou should create a deployment task and use the Chef service.
How the community answered
(61 responses)- A82% (50)
- B2% (1)
- C11% (7)
- D5% (3)
Why each option
To scan open source libraries for security weaknesses, you should integrate WhiteSource Bolt as a build task in your Azure DevOps pipeline.
WhiteSource Bolt (now Mend Bolt) is a Software Composition Analysis (SCA) tool specifically designed to identify known vulnerabilities and license compliance issues in open-source components. Integrating it as a build task ensures that these critical security checks are performed early in the CI/CD pipeline when dependencies are resolved and packaged.
While WhiteSource Bolt is the correct service, vulnerability scanning of open-source libraries should ideally be performed during the *build* phase, not the *deployment* phase, to detect and address issues before the software is packaged for release.
Chef is a configuration management and infrastructure-as-code automation platform, not a service for scanning open-source libraries for security weaknesses.
Chef is not suitable for scanning open-source libraries for vulnerabilities, and such scans are typically executed during the build stage, not deployment.
Concept tested: Software Composition Analysis (SCA) in Azure DevOps
Source: https://marketplace.visualstudio.com/items?itemName=whitesource.whitesource-bolt
Community Discussion
No community discussion yet for this question.