PCCSE · Question #18
The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?
The correct answer is B. Set the specific CVE exception in Console's CI policy.. To fail CI jobs for a specific CVE, the exception must be configured in the Console's CI policy, which centrally controls scan and build-failure behavior for that vulnerability identifier.
Question
The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?
Options
- ASet the specific CVE exception as an option using the magic string in the Console.
- BSet the specific CVE exception in Console's CI policy.
- CSet the specific CVE exception as an option in Defender running the scan.
- DSet the specific CVE exception as an option in Jenkins or twistcli.
How the community answered
(30 responses)- B90% (27)
- C3% (1)
- D7% (2)
Why each option
To fail CI jobs for a specific CVE, the exception must be configured in the Console's CI policy, which centrally controls scan and build-failure behavior for that vulnerability identifier.
Magic strings in the Console are not a valid mechanism for setting CVE-specific exceptions in the CI scanning workflow.
The CI policy in Prisma Cloud Console is the authoritative location where CVE exceptions are defined - setting a specific CVE there controls whether that CVE causes a build failure or is exempted, ensuring the rule is applied consistently across all pipeline scans. This centralized approach means every Jenkins job or twistcli invocation respects the same exception configuration without requiring per-pipeline changes.
Defender executes the scan but does not own policy configuration - CVE exception logic is managed centrally in Console, not on the Defender performing the scan.
Jenkins and twistcli are scan execution tools that invoke the policy defined in Console and do not independently manage CVE exception configuration.
Concept tested: Prisma Cloud CI policy CVE exception configuration
Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/ci-cd-scanning
Topics
Community Discussion
No community discussion yet for this question.