
Answer-first summary for fast verification
Answer:
Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
The question requires a cloud-native, cost-efficient solution with minimal operational overhead to prevent vulnerable containers from being deployed to GKE. Option A integrates vulnerability scanning directly into the CI/CD pipeline using Cloud Build and Container Analysis, which is cloud-native, automated, and reduces manual effort. Option E uses Binary Authorization with attestations to enforce that only scanned, vulnerability-free images are deployed, providing a security gate without additional infrastructure. Both options leverage managed Google Cloud services, aligning with cloud-native principles, cost-efficiency (no VM costs), and low operational overhead. Option B uses Cloud Functions triggered by logs, which is reactive rather than preventive and may incur delays. Option C relies on a cron job on Compute Engine, introducing VM management overhead and not being fully cloud-native. Option D uses Jenkins on GKE, which adds complexity and operational burden compared to native services like Cloud Build.
Author: LeetQuiz Editorial Team
You are deploying containerized applications to production Google Kubernetes Engine (GKE) clusters via a CI/CD pipeline and must prevent containers with known vulnerabilities from being deployed. Your solution must meet these requirements:
How should you accomplish this? (Choose two.)

A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
B. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.