Microsoft DevOps Engineer Expert AZ-400 Practice Question
Your organization hosts 150 private GitHub repositories that build and publish Docker images by using Azure Pipelines. You must meet the following security and compliance requirements:
Identify known vulnerabilities in the base image before the image is pushed to Azure Container Registry (ACR).
Block pull requests that introduce credentials, tokens, or other secrets.
Prevent packages that carry any GPL license from being added to the dependency graph.
Provide a single, centrally-managed solution that requires little or no per-repository maintenance and surfaces results directly in each pull request conversation.
Which strategy should you recommend?
Enable GitHub Advanced Security for the GitHub organization, require secret scanning, CodeQL, and dependency review status checks, and publish a reusable organization-level workflow that runs the azure/container-scan action during the build.
Apply an Azure Policy initiative that blocks pushes containing secrets, enable Qualys-based image scanning in ACR, and integrate a third-party Black Duck server for license compliance.
Install Microsoft Defender for Cloud DevOps Security, rely on its automated repository analysis, enable Dependabot alerts on each repository, and use ACR's image scan after the push completes.
Create an Azure DevOps pipeline template that runs OWASP Dependency-Check, Gitleaks, and Trivy in separate jobs; reference the template from every repository's pipeline definition.
Enabling GitHub Advanced Security (GHAS) at the organization level turns on secret scanning, dependency review, and CodeQL for every repository without additional per-repository configuration. Dependency review evaluates licenses on any new or updated package, and a required status check can block GPL-licensed packages. Adding a centrally-maintained reusable workflow that calls the public azure/container-scan action scans Dockerfiles and images with Trivy and uploads the SARIF report, so vulnerabilities appear as a code-scanning result in the same pull request. Because the workflow lives once in the organization's actions catalogue, repositories only need a one-line reference to consume it, satisfying the low-maintenance requirement. The other options either omit license blocking, lack pre-push image scanning, or require significant per-repository setup.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is GitHub Advanced Security (GHAS) and how does it improve security in repositories?
Open an interactive chat with Bash
What does the azure/container-scan action do in relation to Docker images?
Open an interactive chat with Bash
Why is a reusable organization-level workflow beneficial for security and compliance in multiple repositories?
Open an interactive chat with Bash
What is GitHub Advanced Security (GHAS)?
Open an interactive chat with Bash
How does the azure/container-scan action work with Trivy?
Open an interactive chat with Bash
Why is dependency review important for compliance in GitHub repositories?
Open an interactive chat with Bash
Microsoft DevOps Engineer Expert AZ-400
Develop a security and compliance plan
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .