PROFESSIONAL-CLOUD-DEVELOPER · Question #156
Your company's development teams want to use various open source operating systems in their Docker builds. When images are created in published containers in your company's environment, you need to sc
The correct answer is A. Enable the Vulnerability scanning setting in the Container Registry.. Enabling the Vulnerability Scanning setting in Container Registry (now Artifact Registry) is a fully managed, automatic solution that scans container images for CVEs as soon as they are pushed. This requires zero changes to the development workflow, preserving developer agility.
Question
Your company's development teams want to use various open source operating systems in their Docker builds. When images are created in published containers in your company's environment, you need to scan them for Common Vulnerabilities and Exposures (CVEs). The scanning process must not impact software development agility. You want to use managed services where possible. What should you do?
Options
- AEnable the Vulnerability scanning setting in the Container Registry.
- BCreate a Cloud Function that is triggered on a code check-in and scan the code for CVEs.
- CDisallow the use of non-commercially supported base images in your development environment.
- DUse Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable
How the community answered
(44 responses)- A75% (33)
- B16% (7)
- C2% (1)
- D7% (3)
Explanation
Enabling the Vulnerability Scanning setting in Container Registry (now Artifact Registry) is a fully managed, automatic solution that scans container images for CVEs as soon as they are pushed. This requires zero changes to the development workflow, preserving developer agility. Option B (Cloud Function on code check-in) scans source code, not the built container image, and misses vulnerabilities introduced by base images or dependencies installed during the Docker build. Option C (disallowing non-commercial base images) restricts open source use and does not scan for CVEs - it merely limits choices. Option D (Cloud Monitoring on Cloud Build output) does not perform vulnerability scanning; Cloud Monitoring observes metrics and logs, not CVE databases.
Topics
Community Discussion
No community discussion yet for this question.