PROFESSIONAL-CLOUD-DEVELOPER · Question #175
You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of c
The correct answer is D. - Enable the Container Scanning API to perform vulnerability scanning. The correct approach is to enable the Container Scanning API AND configure Binary Authorization to enforce deployment policies. Container Scanning API automatically scans images pushed to Container Registry for known vulnerabilities. Binary Authorization then acts as a gatekeeper
Question
You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of containers with known critical vulnerabilities. What should you do?
Options
- A
- Use Web Security Scanner to automatically crawl your application
- B
- Use Web Security Scanner to automatically crawl your application
- C
- Enable the Container Scanning API to perform vulnerability scanning
- D
- Enable the Container Scanning API to perform vulnerability scanning
How the community answered
(57 responses)- A7% (4)
- B12% (7)
- C4% (2)
- D77% (44)
Explanation
The correct approach is to enable the Container Scanning API AND configure Binary Authorization to enforce deployment policies. Container Scanning API automatically scans images pushed to Container Registry for known vulnerabilities. Binary Authorization then acts as a gatekeeper that can block images from being deployed to GKE unless they have been attested as compliant (i.e., passed the vulnerability scan). Option C enables scanning but lacks the enforcement mechanism - without Binary Authorization, vulnerable images can still be deployed. Web Security Scanner (A and B) is designed for crawling live web applications for XSS and injection vulnerabilities, not for container image scanning in a CI/CD pipeline.
Topics
Community Discussion
No community discussion yet for this question.