nerdexam
Palo_Alto_Networks

PCCSE · Question #18

The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?

The correct answer is B. Set the specific CVE exception in Console's CI policy.. To fail CI jobs for a specific CVE, the exception must be configured in the Console's CI policy, which centrally controls scan and build-failure behavior for that vulnerability identifier.

Container Security

Question

The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?

Options

  • ASet the specific CVE exception as an option using the magic string in the Console.
  • BSet the specific CVE exception in Console's CI policy.
  • CSet the specific CVE exception as an option in Defender running the scan.
  • DSet the specific CVE exception as an option in Jenkins or twistcli.

How the community answered

(30 responses)
  • B
    90% (27)
  • C
    3% (1)
  • D
    7% (2)

Why each option

To fail CI jobs for a specific CVE, the exception must be configured in the Console's CI policy, which centrally controls scan and build-failure behavior for that vulnerability identifier.

ASet the specific CVE exception as an option using the magic string in the Console.

Magic strings in the Console are not a valid mechanism for setting CVE-specific exceptions in the CI scanning workflow.

BSet the specific CVE exception in Console's CI policy.Correct

The CI policy in Prisma Cloud Console is the authoritative location where CVE exceptions are defined - setting a specific CVE there controls whether that CVE causes a build failure or is exempted, ensuring the rule is applied consistently across all pipeline scans. This centralized approach means every Jenkins job or twistcli invocation respects the same exception configuration without requiring per-pipeline changes.

CSet the specific CVE exception as an option in Defender running the scan.

Defender executes the scan but does not own policy configuration - CVE exception logic is managed centrally in Console, not on the Defender performing the scan.

DSet the specific CVE exception as an option in Jenkins or twistcli.

Jenkins and twistcli are scan execution tools that invoke the policy defined in Console and do not independently manage CVE exception configuration.

Concept tested: Prisma Cloud CI policy CVE exception configuration

Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/ci-cd-scanning

Topics

#Container Image Security#Vulnerability Management#CI/CD Security#Prisma Cloud Policy

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice