Google Cloud Professional Cloud Security Engineer — Question 177
Your organization is worried about recent news headlines regarding application vulnerabilities in production applications that have led to security breaches. You want to automatically scan your deployment pipeline for vulnerabilities and ensure only scanned and verified containers can run in the environment. What should you do?
Answer options
- A. Use Kubernetes role-based access control (RBAC) as the source of truth for cluster access by granting “container.clusters.get” to limited users. Restrict deployment access by allowing these users to generate a kubeconfig file containing the configuration access to the GKE cluster.
- B. Use gcloud artifacts docker images describe LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH --show-package-vulnerability in your CI/CD pipeline, and trigger a pipeline failure for critical vulnerabilities.
- C. Enforce the use of Cloud Code for development so users receive real-time security feedback on vulnerable libraries and dependencies before they check in their code.
- D. Enable Binary Authorization and create attestations of scans.
Correct answer: D
Explanation
Option D is correct. Binary Authorization is a deploy-time admission control for GKE: its policy can require that every image carry an attestation signed by a trusted attestor before the cluster will run it. If the pipeline creates that attestation only after the image has been scanned and verified, unscanned or failing images are rejected at deployment, which meets both requirements in the question. Options A, B, and C relate to security practice but do not enforce that only scanned and verified containers can run: A controls who may access the cluster, not which images it admits; B scans and fails the pipeline on critical findings but does not stop an unscanned image from being deployed; C gives developers feedback before check-in and enforces nothing at deployment.
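As an added illustration (not part of the original question or of Google's documentation), the policy below is in the YAML shape accepted by gcloud container binauthz policy import and shows the permissive default beside a policy that enforces option D; PROJECT_ID and scan-attestor are placeholders.

```yaml
# Added example: Binary Authorization policy for a GKE project.
# PROJECT_ID and scan-attestor are placeholders, not values from the page.

# Weak setting (the project default): every image is admitted, so scan
# results are never enforced at deployment time.
# defaultAdmissionRule:
#   evaluationMode: ALWAYS_ALLOW
#   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Corrected setting: an image runs only if it carries an attestation signed
# by the attestor that the CI pipeline uses after a successful scan.
# ENABLE exempts the Google-maintained system images GKE itself needs.
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  # Block the deployment and write an audit log entry when no valid
  # attestation exists (DRYRUN_AUDIT_LOG_ONLY logs without blocking).
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/scan-attestor
```

Apply it with gcloud container binauthz policy import policy.yaml; the attestation itself is produced by the pipeline step that signs the image digest after the vulnerability scan passes.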