Exam DOP-C02
Question 252

A company needs to increase the security of the container images that run in its production environment. The company wants to integrate operating system scanning and programming language package vulnerability scanning for the containers in its CI/CD pipeline. The CI/CD pipeline is an AWS CodePipeline pipeline that includes an AWS CodeBuild build project, AWS CodeDeploy actions, and an Amazon Elastic Container Registry (Amazon ECR) repository.

A DevOps engineer needs to add an image scan to the CI/CD pipeline. The CI/CD pipeline must deploy only images without CRITICAL and HIGH findings into production.

Which combination of steps will meet these requirements? (Choose two.)

    Correct Answer: B, D

    To meet the requirement of scanning both the operating system packages and the programming language packages in an image, Amazon ECR enhanced scanning should be used, because it is powered by Amazon Inspector and covers both layers (basic scanning covers only OS packages). Additionally, an Amazon EventBridge rule that invokes an AWS Lambda function when the image scan completes lets the pipeline read the scan findings automatically and submit an Approved or Rejected result to the CI/CD pipeline's approval action based on whether CRITICAL or HIGH findings are present.
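The gating step described above, as an added example that is not part of the exam page or any AWS sample: a Lambda-style handler that reads the severity counts from a scan-completed event, rejects the image if any CRITICAL or HIGH findings (or an incomplete scan) are reported, and records the result on the pipeline's manual approval action. The event field names (`detail["scan-status"]`, `detail["finding-severity-counts"]`), the pipeline/stage/action names and the sample event are assumptions and constructed placeholders, not values from the page.

```python
"""Added example: gate a CodePipeline manual approval on ECR enhanced-scan results."""
import os
from typing import Any, Dict, Mapping, Optional

# Severities that must be absent before an image may be promoted to production.
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")
# Scan statuses treated as "findings are final" (assumed names, based on ECR/Inspector events).
COMPLETED_STATUSES = {"COMPLETE", "INITIAL_SCAN_COMPLETE"}

# Placeholder pipeline coordinates; override with environment variables in a real deployment.
PIPELINE_NAME = os.environ.get("PIPELINE_NAME", "example-pipeline")
STAGE_NAME = os.environ.get("STAGE_NAME", "ScanGate")
ACTION_NAME = os.environ.get("ACTION_NAME", "ImageScanApproval")

# Constructed sample event in the shape of an enhanced-scanning completion event.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Scan",
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "repository-name": "example-app",
        "image-digest": "sha256:" + "0" * 64,  # placeholder digest
        "image-tags": ["build-123"],
        "finding-severity-counts": {"CRITICAL": 0, "HIGH": 2, "MEDIUM": 5, "LOW": 1},
    },
}


def severity_counts(event: Mapping[str, Any]) -> Dict[str, int]:
    """Return the per-severity finding counts from the event, upper-cased; absent block -> empty."""
    raw = event.get("detail", {}).get("finding-severity-counts") or {}
    return {str(sev).upper(): int(n) for sev, n in raw.items()}


def blocking_findings(counts: Mapping[str, int]) -> Dict[str, int]:
    """Subset of the counts that blocks deployment (non-zero CRITICAL/HIGH)."""
    return {sev: counts.get(sev, 0) for sev in BLOCKING_SEVERITIES if counts.get(sev, 0) > 0}


def approval_decision(event: Mapping[str, Any]) -> Dict[str, str]:
    """Map a scan event to the result body put_approval_result expects.

    An incomplete or failed scan is rejected too: an unscanned image must not be
    promoted just because no findings were reported for it.
    """
    detail = event.get("detail", {})
    status = str(detail.get("scan-status", ""))
    image = f'{detail.get("repository-name", "?")}@{detail.get("image-digest", "?")}'
    if status not in COMPLETED_STATUSES:
        return {"status": "Rejected", "summary": f"{image}: scan status {status or 'unknown'}, not deployable"}
    blocking = blocking_findings(severity_counts(event))
    if blocking:
        listed = ", ".join(f"{sev}={n}" for sev, n in blocking.items())
        return {"status": "Rejected", "summary": f"{image}: blocking findings {listed}"}
    return {"status": "Approved", "summary": f"{image}: no CRITICAL/HIGH findings"}


def find_approval_token(client: Any, pipeline_name: str, stage_name: str, action_name: str) -> Optional[str]:
    """Look up the token of the in-progress manual approval action via get_pipeline_state."""
    state = client.get_pipeline_state(name=pipeline_name)
    for stage in state.get("stageStates", []):
        if stage.get("stageName") != stage_name:
            continue
        for action in stage.get("actionStates", []):
            latest = action.get("latestExecution", {})
            if action.get("actionName") == action_name and latest.get("status") == "InProgress":
                return latest.get("token")
    return None


def submit_approval(client: Any, pipeline_name: str, stage_name: str, action_name: str,
                    decision: Mapping[str, str]) -> Dict[str, Any]:
    """Record the decision on the approval action; the summary is capped at the API's 512 chars."""
    token = find_approval_token(client, pipeline_name, stage_name, action_name)
    if token is None:
        raise RuntimeError(f"no pending approval action {stage_name}/{action_name} in {pipeline_name}")
    return client.put_approval_result(
        pipelineName=pipeline_name,
        stageName=stage_name,
        actionName=action_name,
        result={"summary": decision["summary"][:512], "status": decision["status"]},
        token=token,
    )


def lambda_handler(event: Mapping[str, Any], context: Any = None, client: Any = None) -> Dict[str, str]:
    """Lambda entry point: decide from the event, then push the result to CodePipeline."""
    decision = approval_decision(event)
    if client is None:  # real invocation: build the boto3 client lazily
        import boto3
        client = boto3.client("codepipeline")
    submit_approval(client, PIPELINE_NAME, STAGE_NAME, ACTION_NAME, decision)
    return decision
```

The Lambda's execution role needs only `codepipeline:GetPipelineState` and `codepipeline:PutApprovalResult` on the one pipeline, and the EventBridge rule should be filtered to the repository the pipeline pushes to so that scans of unrelated images do not resolve its approval.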

Discussion
tgv
Options: BD

---> B D As per documentation, basic scanning uses CVEs from the open-source Clair project. Enhanced scanning is an integration with Amazon Inspector. This suggests both options use different databases/scanners. https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html