Microsoft DevOps Engineer Expert AZ-400 Practice Question
Your Azure DevOps YAML pipeline builds a Linux container image and is required to block any image that contains High or Critical vulnerabilities in its operating-system packages before the image is pushed to Azure Container Registry. You must meet the requirement without adding custom scripts or relying on post-push scanning in Microsoft Defender for Cloud. Which action should you take in the pipeline?
Enable Microsoft Defender for Cloud container registry scanning and query its alerts after the push to decide whether to fail the build.
Configure GitHub Advanced Security CodeQL analysis to run inside a container during the pipeline.
Add the Microsoft Security DevOps task and run it in container scan mode with a severity threshold set to fail the job.
Enable Dependabot alerts for the repository so that vulnerability data blocks the container push automatically.
The Microsoft Security DevOps (MSDO) extension for Azure DevOps includes a task that can analyse container images during the build stage. When the task runs in container scan mode, it uses Microsoft-maintained vulnerability databases to inspect the image layers and can be configured to fail the job automatically if High or Critical issues are found.
Microsoft Defender for Cloud's registry scanning occurs after the image is pushed, so it cannot stop the push in the same pipeline stage. Dependabot is limited to dependency files in source code and does not evaluate container layers. CodeQL focuses on code scanning, not image vulnerability assessment. Therefore, inserting the Microsoft Security DevOps task is the only option that enforces the policy during the build.
Microsoft DevOps Engineer Expert AZ-400
Develop a security and compliance plan