Google Cloud Professional Cloud Developer — Question 193
You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of containers with known critical vulnerabilities. What should you do?
Answer options
- A.
  - Use Web Security Scanner to automatically crawl your application
  - Review your application logs for scan results, and provide an attestation that the container is free of known critical vulnerabilities
  - Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
- B.
  - Use Web Security Scanner to automatically crawl your application
  - Review the scan results in the scan details page in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities
  - Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
- C.
  - Enable the Container Scanning API to perform vulnerability scanning
  - Review vulnerability reporting in Container Registry in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities
  - Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
- D.
  - Enable the Container Scanning API to perform vulnerability scanning
  - Programmatically review vulnerability reporting through the Container Scanning API, and provide an attestation that the container is free of known critical vulnerabilities
  - Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed
Correct answer: D
Explanation
Option D is correct because it reviews vulnerability reporting programmatically through the Container Scanning API, so vulnerabilities can be systematically identified and addressed before deployment. Options A and B rely on Web Security Scanner, which crawls the running application rather than scanning container images and is not the primary method for programmatically preventing deployment based on critical vulnerabilities. Option C uses the Container Scanning API but reviews the results in the Cloud Console, so it lacks the programmatic aspect that is crucial for CI/CD practices.