GCP Professional Cloud Architect Practice Question
Your company runs a secure software supply-chain pipeline on Google Cloud. Container images are built with Cloud Build and stored in a regional Artifact Registry Docker repository. The security team requires that any image containing a critical or high-severity CVE must cause the build to fail automatically, without relying on a separate deployment-time control such as Binary Authorization. Which approach should you take to meet this requirement while minimizing custom scripting?
Configure a Binary Authorization policy that blocks images without a vulnerability attestation for critical findings, and add the attestor to the project.
Move the pipeline to Container Registry and enable its automatic vulnerability scanning feature so that images with critical or high CVEs are rejected.
Enable continuous vulnerability scanning on the Artifact Registry repository and rely on the automatic scan that starts after the image is pushed.
Enable the Container Analysis API and add a Cloud Build step that runs gcloud artifacts docker images scan --format=json --severity=CRITICAL,HIGH $IMAGE_URI; configure the build to fail on a non-zero exit code.
Enable the Container Analysis API, which powers Artifact Registry vulnerability scanning. Add a Cloud Build step that invokes gcloud artifacts docker images scan --format=json --severity=CRITICAL,HIGH $IMAGE_URI. This on-demand scan runs synchronously during the build; if any critical or high-severity vulnerabilities are found, the command exits with a non-zero code, causing the Cloud Build to fail and preventing the vulnerable image from being pushed. Relying solely on continuous scanning would not block the build because it runs asynchronously after the push. Container Registry scanning is deprecated for new projects, and Binary Authorization is unnecessary per the requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Container Analysis API?
Open an interactive chat with Bash
How does `gcloud artifacts docker images scan` work?
Open an interactive chat with Bash
Why is Artifact Registry preferred over Container Registry for new projects?
Open an interactive chat with Bash
What is the Container Analysis API, and how does it support vulnerability scanning?
Open an interactive chat with Bash
How does the `gcloud artifacts docker images scan` command work in this solution?
Open an interactive chat with Bash
Why is Binary Authorization not suitable for solving the problem described?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Designing for security and compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .