GCP Professional Cloud Security Engineer Practice Question
Your company builds container images with Cloud Build and stores them in Artifact Registry. Security Command Center (SCC) Premium is already enabled at the organization level. Compliance policy states that no image containing HIGH- or CRITICAL-severity CVEs may be deployed to any environment. DevOps teams need immediate pipeline feedback if an image violates the policy, while security analysts must review every vulnerability finding centrally in SCC. Which approach best meets these requirements with minimal custom code and ongoing maintenance?
Schedule OS Config patch jobs for GKE node pools so base images stay updated, then configure SCC to display patch compliance status as a proxy for vulnerability exposure.
Add a custom Trivy scan step in Cloud Build, export the HTML report to Cloud Storage, and write a Cloud Function that pulls the report into SCC on a daily schedule.
Enable Artifact Registry vulnerability scanning, have Cloud Build poll Container Analysis for the scan result and fail the build if HIGH or CRITICAL findings are present; rely on SCC's automatic import of Container Analysis findings for centralized review.
Enable VPC Flow Logs and Cloud IDS during the build process; configure a log-based alert that rejects deployment if malicious traffic appears, and let SCC surface the IDS findings.
Enabling Artifact Registry's native vulnerability scanning causes each pushed image to be analyzed automatically by Container Analysis. Security Command Center natively ingests these vulnerability findings, giving analysts centralized visibility without any extra integration work. In Cloud Build you can add an "enforce-vulnz" build step that waits for the scan result; if Container Analysis reports any vulnerability whose effective severity reaches the configured HIGH threshold (HIGH or CRITICAL), the step fails the build, stopping the image from being promoted or deployed. This solution relies entirely on managed Google Cloud features, requires no custom scanners or external data transfers, and directly enforces the compliance rule. The other options introduce unsupported SCC ingest paths (a scheduled function pushing Trivy reports), address node patching rather than image scanning, or attempt to block deployments based on unrelated network telemetry, so they do not satisfy both the enforcement and the visibility requirement.
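As an added illustration (not part of the original question, and not Google's own enforce-vulnz code), the Python below applies the HIGH-or-CRITICAL gate over Container Analysis vulnerability occurrences. It assumes a prior build step saved the occurrences for the pushed image as JSON (for example from the Container Analysis occurrences API filtered to kind="VULNERABILITY"); the sample findings and CVE ids are constructed placeholders.

```python
import json
import sys

# Container Analysis severity enum, ordered least to most severe.
SEVERITY_ORDER = ["SEVERITY_UNSPECIFIED", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of VULNERABILITY occurrences
# (noteName, vulnerability.effectiveSeverity, packageIssue). Placeholder CVE ids.
SAMPLE_OCCURRENCES = [
    {"noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0001",
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "CRITICAL",
                       "packageIssue": [{"affectedPackage": "openssl",
                                         "fixedVersion": {"name": "1.1.1w"}}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0002",
     "vulnerability": {"severity": "MEDIUM", "effectiveSeverity": "MEDIUM",
                       "packageIssue": [{"affectedPackage": "zlib"}]}},
    # Distro rated it below NVD: the policy uses effectiveSeverity, not severity.
    {"noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0003",
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "HIGH",
                       "packageIssue": [{"affectedPackage": "curl"}]}},
    # No effective severity assigned yet: fall back to the note's severity.
    {"noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0004",
     "vulnerability": {"severity": "LOW", "packageIssue": [{"affectedPackage": "bash"}]}},
]

def severity_rank(name):
    """Numeric rank of a severity string; unknown values rank as unspecified."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0

def finding_severity(occ):
    vuln = occ.get("vulnerability", {})
    return vuln.get("effectiveSeverity") or vuln.get("severity", "SEVERITY_UNSPECIFIED")

def violations(occurrences, threshold="HIGH"):
    """Findings at or above threshold as (cve, severity, package, fixed_version)."""
    out = []
    for occ in occurrences:
        sev = finding_severity(occ)
        if severity_rank(sev) < severity_rank(threshold):
            continue
        cve = occ.get("noteName", "").rsplit("/", 1)[-1]
        for issue in occ.get("vulnerability", {}).get("packageIssue", []) or [{}]:
            out.append((cve, sev, issue.get("affectedPackage", "?"),
                        issue.get("fixedVersion", {}).get("name", "none")))
    return out

def main(argv):
    """Read a JSON list (or {"occurrences": [...]}) and exit 1 if the policy is violated."""
    with (open(argv[1]) if len(argv) > 1 else sys.stdin) as fh:
        data = json.load(fh)
    occs = data.get("occurrences", []) if isinstance(data, dict) else data
    bad = violations(occs, argv[2] if len(argv) > 2 else "HIGH")
    for cve, sev, pkg, fix in bad:
        print(f"POLICY VIOLATION {sev:8} {cve} in {pkg} (fixed in: {fix})")
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a Cloud Build step after the push, its non-zero exit fails the build while SCC still receives every finding, including the MEDIUM and LOW ones the gate lets through.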
GCP Professional Cloud Security Engineer
Managing operations