PROFESSIONAL-CLOUD-DEVELOPER · Question #230
You are deploying a microservices application to Google Kubernetes Engine (GKE). The application will receive daily updates. You expect to deploy a large number of distinct containers that will run on
The correct answer is B. Enable Container Analysis, and upload new container images to Artifact Registry. Review the. The Google-recommended approach is to enable Container Analysis and push images to Artifact Registry. When Container Analysis is enabled, Artifact Registry automatically scans every newly pushed image for known OS-level CVEs (using vulnerability data from sources like the NVD and
Question
You are deploying a microservices application to Google Kubernetes Engine (GKE). The application will receive daily updates. You expect to deploy a large number of distinct containers that will run on the Linux operating system (OS). You want to be alerted to any known OS vulnerabilities in the new containers. You want to follow Google-recommended best practices. What should you do?
Options
- AUse the gcloud CLI to call Container Analysis to scan new container images. Review the
- BEnable Container Analysis, and upload new container images to Artifact Registry. Review the
- CEnable Container Analysis, and upload new container images to Artifact Registry. Review the
- DUse the Container Analysis REST API to call Container Analysis to scan new container images.
How the community answered
(58 responses)- A7% (4)
- B72% (42)
- C17% (10)
- D3% (2)
Explanation
The Google-recommended approach is to enable Container Analysis and push images to Artifact Registry. When Container Analysis is enabled, Artifact Registry automatically scans every newly pushed image for known OS-level CVEs (using vulnerability data from sources like the NVD and OS vendor advisories). The scan results appear as vulnerability occurrences in the Artifact Registry UI and through the Container Analysis API, and Security Command Center can surface them as findings. This is a fully managed, event-driven workflow requiring no custom scripting. Options A and D rely on manually invoking Container Analysis via gcloud CLI or REST API, adding operational overhead and missing the automatic, on-push trigger that is considered best practice. Option C is a distractor with different but also truncated wording - the key differentiator for B is the automatic scanning on push combined with review through the Artifact Registry console.
Topics
Community Discussion
No community discussion yet for this question.