Google Cloud Professional Cloud Security Engineer — Question 161

Your organization heavily utilizes serverless applications while prioritizing security best practices. You are responsible for enforcing image provenance and compliance with security standards before deployment. You leverage Cloud Build as your continuous integration and continuous deployment (CI/CD) tool for building container images. You must configure Binary Authorization to ensure that only images built by your Cloud Build pipeline are deployed and that the images pass security standard compliance checks. What should you do?

Answer options

• A. Create a Binary Authorization attestor that uses a scanner to assess source code management repositories. Deploy images only if the attestor validates results against a security policy.
• B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.
• C. Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there's a matching build ID attestation.
• D. Utilize a custom Security Health Analytics module to create a policy. Enforce the policy through Binary Authorization to prevent deployment of images that do not meet predefined security standards.

Correct answer: B

Explanation

The correct answer is B because it directly aligns with the requirement to ensure that only images built through the Cloud Build pipeline are deployed, contingent upon passing security compliance checks. Option A focuses on source code management rather than container images, C centers on build IDs which do not guarantee security compliance, and D involves a custom module that does not specifically address the CI/CD process with Binary Authorization.