GCP Professional Cloud Security Engineer Practice Question
Your security team needs an end-to-end control that automatically scans every container image built by Cloud Build as soon as it is pushed to Artifact Registry, and blocks deployment of any image that contains HIGH or CRITICAL CVEs from reaching the production GKE clusters. The solution must rely solely on managed Google Cloud services, avoid custom scanning steps in Cloud Build, and surface findings centrally in Security Command Center. What should you do?
Migrate images to Container Registry, enable its legacy vulnerability scanning feature, and configure Cloud Build to query the Container Analysis API; if any HIGH or CRITICAL vulnerability is reported, tag the image with "do-not-deploy" and push it back to the registry.
Add a Cloud Build step that runs the gcloud artifacts docker images scan command for each image and fails the build if any HIGH or CRITICAL vulnerability is found before pushing the image to Artifact Registry.
Deploy an open-source scanning DaemonSet such as Trivy on each GKE cluster, configure it to poll images pulled from Artifact Registry, and create Cloud Monitoring alerts for HIGH or CRITICAL findings.
Enable vulnerability scanning on the Artifact Registry repository and turn on Binary Authorization vulnerability-based admission with a maximum allowed severity of MEDIUM, then enforce Binary Authorization on the production GKE clusters.
Enabling built-in vulnerability scanning on the Artifact Registry repository ensures that every image is scanned automatically on upload, and the results are published to Container Analysis where Security Command Center can ingest them. Configuring Binary Authorization with a vulnerability-based admission policy that rejects images whose maximum allowed severity is above MEDIUM lets GKE enforce the organization's risk threshold at deploy time without any extra code in the CI pipeline. Because both services are fully managed, the approach meets the requirement to avoid custom scanning steps while providing centralized visibility of findings. The other options either require custom build logic, third-party components that must be maintained, or depend on a deprecated registry and cannot provide deploy-time enforcement through a managed control plane.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Binary Authorization and how does it block deployment in GKE?
Open an interactive chat with Bash
What is Artifact Registry vulnerability scanning and how does it work?
Open an interactive chat with Bash
What is Security Command Center and how does it integrate with vulnerability scanning?
Open an interactive chat with Bash
What is Artifact Registry and how does its vulnerability scanning work?
Open an interactive chat with Bash
What does Binary Authorization do in Google Kubernetes Engine (GKE)?
Open an interactive chat with Bash
How does Security Command Center integrate findings from Artifact Registry and Binary Authorization?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .