ISC2 CISSP Practice Question

The correct answer is automated security testing integrated at multiple stages of the pipeline. This approach ensures that security testing is performed consistently and frequently throughout the development process, allowing potential security issues to be identified and addressed early. Automation enables these checks to be performed on every code change without slowing down development.

Implementing container image scanning and storing results in a tamper-evident database is a valuable security practice but focuses on only one aspect of CI/CD security. While container scanning helps identify vulnerabilities in container images, it doesn't address other security concerns such as insecure configurations, secrets management, or application-level vulnerabilities across the entire pipeline.

Enforcing code signing with hardware security modules before artifact deployment ensures code integrity but represents just one security aspect of the CI/CD pipeline. Code signing verifies that code hasn't been tampered with but doesn't identify inherent vulnerabilities or insecure coding practices that might exist in properly signed code.

Isolating the build environment with ephemeral VMs provides good security isolation but addresses only the build environment aspect of CI/CD security. While this approach helps prevent persistent compromises of build systems, it doesn't implement security checks throughout the pipeline to identify vulnerabilities in the code being built and deployed.