Google Cloud Professional Cloud Security Engineer — Question 296

Your organization relies heavily on Cloud Run for its containerized applications. You utilize Cloud Build for image creation, Artifact Registry for image storage, and Cloud Run for deployment. You must ensure that containers with vulnerabilities rated above a common vulnerability scoring system (CVSS) score of "medium" are not deployed to production. What should you do?

Answer options

• A. Implement vulnerability scanning as part of the Cloud Build process. If any medium or higher vulnerabilities are detected, manually rebuild the image with updated components.
• B. Perform manual vulnerability checks post-build, but before Cloud Run deployment. Implement a manual security-engineer-driven remediation process.
• C. Configure Binary Authorization on Cloud Run to enforce image signatures. Create policies to allow deployment only for images passing a defined vulnerability threshold.
• D. Utilize a vulnerability scanner during the Cloud Build stage and set Artifact Registry permissions to block images containing vulnerabilities above "medium."

Correct answer: C

Explanation

The correct answer is C because configuring Binary Authorization allows you to enforce strict policies on which images can be deployed based on their vulnerability levels. Options A and B involve manual processes that are less efficient and could lead to security risks. Option D, while useful, does not provide the same level of enforcement as Binary Authorization does.