PROFESSIONAL-CLOUD-ARCHITECT Question #290: Real Exam Question with Answer & Explanation
The correct answer is C.
Question
Your company is building containerized applications as part of their CI/CD pipeline. To improve the security and maintainability of the build process, you need to:
- Identify potential vulnerabilities within your container images.
- Generate verifiable metadata about the builds for auditing and compliance.
- Create a comprehensive inventory of your application's dependencies.
What should you do?
Options
- A. Use Cloud Build to build container images, and then trigger Artifact Analysis on images pushed to
- B. Use Cloud Build to build container images, trigger Binary Authorization, and use Cloud Asset
- C. Use Cloud Build to build container images, push the images to Artifact Registry, and use Security
- D. Use Cloud Build to build container images, trigger Binary Authorization, and use Security
Explanation
Option C is correct because Artifact Registry serves as the central hub that satisfies all three requirements: its native integration with Artifact Analysis automatically scans images for vulnerabilities, generates provenance metadata (verifiable build attestations for auditing and compliance), and produces a Software Bill of Materials (SBOM), a complete inventory of the application's dependencies. This single integrated workflow, Cloud Build → Artifact Registry → Security Command Center, covers the full security lifecycle of the image.
Why the distractors fail:
- A triggers Artifact Analysis after the push but misses the provenance and SBOM generation that comes from Artifact Registry's native integration, so it is incomplete for compliance.
- B and D both rely on Binary Authorization, which is a deployment gate (enforcing policy on what is allowed to run in GKE), not a scanning or inventory tool; it neither identifies vulnerabilities nor generates dependency inventories.
- D compounds B's error by also dropping Artifact Registry, losing the scanning and SBOM capabilities entirely.
Memory tip: Think "Registry = Scan + Sign + SBOM". Artifact Registry is the one Google service in these options that bundles vulnerability scanning, build provenance signing, and dependency inventory into a single pipeline step. If a choice swaps Registry for Binary Authorization, it is solving enforcement, not discovery.