nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #175

You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of c

The correct answer is D. - Enable the Container Scanning API to perform vulnerability scanning. The correct approach is to enable the Container Scanning API AND configure Binary Authorization to enforce deployment policies. Container Scanning API automatically scans images pushed to Container Registry for known vulnerabilities. Binary Authorization then acts as a gatekeeper

Implementing Application Security

Question

You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of containers with known critical vulnerabilities. What should you do?

Options

  • A
    • Use Web Security Scanner to automatically crawl your application
  • B
    • Use Web Security Scanner to automatically crawl your application
  • C
    • Enable the Container Scanning API to perform vulnerability scanning
  • D
    • Enable the Container Scanning API to perform vulnerability scanning

How the community answered

(57 responses)
  • A
    7% (4)
  • B
    12% (7)
  • C
    4% (2)
  • D
    77% (44)

Explanation

The correct approach is to enable the Container Scanning API AND configure Binary Authorization to enforce deployment policies. Container Scanning API automatically scans images pushed to Container Registry for known vulnerabilities. Binary Authorization then acts as a gatekeeper that can block images from being deployed to GKE unless they have been attested as compliant (i.e., passed the vulnerability scan). Option C enables scanning but lacks the enforcement mechanism - without Binary Authorization, vulnerable images can still be deployed. Web Security Scanner (A and B) is designed for crawling live web applications for XSS and injection vulnerabilities, not for container image scanning in a CI/CD pipeline.

Topics

#Container Security#Vulnerability Scanning#CI/CD Practices#Google Container Registry

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice