
Professional Cloud Developer Exam - Question 139


Your company’s development teams want to use various open source operating systems in their Docker builds. When images are created in published containers in your company’s environment, you need to scan them for Common Vulnerabilities and Exposures (CVEs). The scanning process must not impact software development agility. You want to use managed services where possible. What should you do?

Correct Answer: A

Enable the Vulnerability scanning setting in the Container Registry. This solution allows for automatic scanning of images for known vulnerabilities as they are pushed to the registry, seamlessly integrating into the development workflow without adding extra steps or impacting agility. Since it is a built-in feature of the Container Registry, it qualifies as a managed service, requiring minimal additional maintenance.
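Because registry scanning runs on push and does not block developers, its findings can be triaged out of band. The following is an added example, not part of the original page or of Google's code: it filters vulnerability occurrences, in the Grafeas v1 JSON shape that Container Analysis returns, down to findings at HIGH or above that already have a fixed package. The sample data (project, digests, CVE identifiers, versions) is constructed, and `triage` and `_occ` are hypothetical helper names.

```python
from collections import defaultdict

# Severity values of the occurrence schema, lowest to highest.
RANK = {"SEVERITY_UNSPECIFIED": 0, "MINIMAL": 1, "LOW": 2,
        "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

def triage(occurrences, min_severity="HIGH"):
    """Map image -> [(cve, package, severity, fixed_version)] for findings
    at or above min_severity that already have a fixed package version."""
    report = defaultdict(list)
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # skip DISCOVERY and other occurrence kinds
        vuln = occ.get("vulnerability", {})
        # Prefer effectiveSeverity; fall back to severity if it is unset.
        sev = vuln.get("effectiveSeverity", "SEVERITY_UNSPECIFIED")
        if sev == "SEVERITY_UNSPECIFIED":
            sev = vuln.get("severity", "SEVERITY_UNSPECIFIED")
        if RANK.get(sev, 0) < RANK[min_severity]:
            continue
        cve = occ.get("noteName", "").rsplit("/", 1)[-1]
        for issue in vuln.get("packageIssue", []):
            if issue.get("fixAvailable"):
                fixed = issue.get("fixedVersion", {}).get("fullName", "")
                report[occ["resourceUri"]].append(
                    (cve, issue.get("affectedPackage", ""), sev, fixed))
    return dict(report)

def _occ(image, cve, pkg, fix, **sev):
    """Build one constructed VULNERABILITY occurrence for the sample."""
    issue = {"affectedPackage": pkg, "fixAvailable": bool(fix),
             "fixedVersion": {"fullName": fix}}
    return {"kind": "VULNERABILITY", "resourceUri": image,
            "noteName": "projects/example-provider/notes/" + cve,
            "vulnerability": dict(sev, packageIssue=[issue])}

# Constructed sample; project, digests, CVE ids and versions are placeholders.
WEB = "https://gcr.io/example-project/web@sha256:aaaa"
API = "https://gcr.io/example-project/api@sha256:bbbb"
SAMPLE = [
    {"kind": "DISCOVERY", "resourceUri": WEB},
    _occ(WEB, "CVE-0000-0001", "openssl", "1.2.3-1",
         severity="MEDIUM", effectiveSeverity="HIGH"),
    _occ(WEB, "CVE-0000-0002", "libc6", "", effectiveSeverity="CRITICAL"),
    _occ(API, "CVE-0000-0003", "zlib1g", "1.0-2", severity="LOW",
         effectiveSeverity="SEVERITY_UNSPECIFIED"),
    _occ(API, "CVE-0000-0004", "bash", "5.1-2", severity="CRITICAL"),
]

if __name__ == "__main__":
    for image, rows in triage(SAMPLE).items():
        print(image, rows)
```

The unfixable CRITICAL finding is left out on purpose: a rebuild cannot resolve it, so it belongs in a separate risk-acceptance queue rather than in the developers' rebuild list.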

Discussion

6 comments
omermahgoub Option: A
Jan 11, 2024

A. Enable the Vulnerability scanning setting in the Container Registry would be the best solution in this case. It would allow you to automatically scan images for known vulnerabilities and detect any issues as soon as they're pushed to the registry. This will help to identify vulnerabilities early in the development cycle, allowing the development teams to take action before images are deployed to production. This approach is automated, does not impact development agility and since it is a built-in feature of the Container Registry, it is a managed service and therefore, it does not require additional maintenance and management.

omermahgoub
Jan 11, 2024

Option B, Create a Cloud Function that is triggered on a code check-in and scan the code for CVEs, would impact development agility as it would add an additional step to the development process which can slow down the development teams and impact the development process. Option C, Disallow the use of non-commercially supported base images in the development environment, would limit the flexibility of the development teams, and they may not be able to use the best tools for the job which can negatively impact the quality of the end-product. Option D, Use Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used, is a good practice to detect and alert on potential issues as soon as possible, but it is an additional step that needs to be set up and maintained. Additionally, it does not handle the vulnerability scanning on its own but rather acts as an additional layer of security.

zellck Option: A
Dec 18, 2023

A is the answer. https://cloud.google.com/container-analysis/docs/os-overview

TNT87
Dec 25, 2023

https://docs.docker.com/engine/scan/ Answer A

purushi Option: A
Aug 6, 2024

A is a very straightforward option. One more choice would be using vulnerability scanning tools like Grype (open source) in the build step itself with Cloud Build.

__rajan__ Option: A
Sep 22, 2024

A is correct.

09bd94b Option: A
Feb 28, 2025

A is the obvious choice.