
Answer-first summary for fast verification
Answer: Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there's a matching build ID attestation.
The question asks for a Binary Authorization configuration that enforces two requirements: (1) image provenance, meaning only images built by the Cloud Build pipeline may be deployed, and (2) passing security compliance checks. Option C addresses both by using the Cloud Build build ID as the attestation, so only images produced by the trusted CI/CD pipeline are admitted. Security checks such as vulnerability scanning can then run inside the Cloud Build pipeline itself: if an image fails a check, the build is aborted and no non-compliant image is ever produced or attested. The community discussion is split between B and C, but C has the stronger reasoning because it ties deployment to the specific build that produced the image and lets the security checks run within that pipeline. Option B evaluates the build process in general but does not guarantee that the image came from this specific Cloud Build pipeline. Option A targets source code management rather than the build pipeline. Option D relies on Security Health Analytics, which is not the optimal integration for this use case.
Author: LeetQuiz Editorial Team
Your organization prioritizes security and heavily uses serverless applications. You need to enforce image provenance and ensure compliance with security standards before deployment. Using Cloud Build as your CI/CD tool for building container images, how should you configure Binary Authorization to guarantee that only images built by your Cloud Build pipeline are deployed and that these images have passed security compliance checks?
A. Create a Binary Authorization attestor that uses a scanner to assess source code management repositories. Deploy images only if the attestor validates results against a security policy.
B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.
C. Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there's a matching build ID attestation.
D. Utilize a custom Security Health Analytics module to create a policy. Enforce the policy through Binary Authorization to prevent deployment of images that do not meet predefined security standards.