nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #230

You are deploying a microservices application to Google Kubernetes Engine (GKE). The application will receive daily updates. You expect to deploy a large number of distinct containers that will run on

The correct answer is B. Enable Container Analysis, and upload new container images to Artifact Registry. Review the. The Google-recommended approach is to enable Container Analysis and push images to Artifact Registry. When Container Analysis is enabled, Artifact Registry automatically scans every newly pushed image for known OS-level CVEs (using vulnerability data from sources like the NVD and

Managing and securing cloud-native applications

Question

You are deploying a microservices application to Google Kubernetes Engine (GKE). The application will receive daily updates. You expect to deploy a large number of distinct containers that will run on the Linux operating system (OS). You want to be alerted to any known OS vulnerabilities in the new containers. You want to follow Google-recommended best practices. What should you do?

Options

  • AUse the gcloud CLI to call Container Analysis to scan new container images. Review the
  • BEnable Container Analysis, and upload new container images to Artifact Registry. Review the
  • CEnable Container Analysis, and upload new container images to Artifact Registry. Review the
  • DUse the Container Analysis REST API to call Container Analysis to scan new container images.

How the community answered

(58 responses)
  • A
    7% (4)
  • B
    72% (42)
  • C
    17% (10)
  • D
    3% (2)

Explanation

The Google-recommended approach is to enable Container Analysis and push images to Artifact Registry. When Container Analysis is enabled, Artifact Registry automatically scans every newly pushed image for known OS-level CVEs (using vulnerability data from sources like the NVD and OS vendor advisories). The scan results appear as vulnerability occurrences in the Artifact Registry UI and through the Container Analysis API, and Security Command Center can surface them as findings. This is a fully managed, event-driven workflow requiring no custom scripting. Options A and D rely on manually invoking Container Analysis via gcloud CLI or REST API, adding operational overhead and missing the automatic, on-push trigger that is considered best practice. Option C is a distractor with different but also truncated wording - the key differentiator for B is the automatic scanning on push combined with review through the Artifact Registry console.

Topics

#Container Security#Vulnerability Scanning#Artifact Registry#Container Analysis

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice