ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During design of a DevSecOps pipeline for containerized services, you must guarantee that only validated images can reach production. A Kubernetes admission controller will admit images only if they bear a trusted cryptographic signature. At which point in the CI/CD workflow should the image-signing step be performed to provide maximum assurance while minimizing developer friction?

After the container runtime pulls the image in production but before the entry-point command executes
Immediately after all build and security tests succeed, before the pipeline pushes the container image to the registry
As a pre-commit Git hook that signs the source code before any build steps run
As part of manually editing deployment manifests just before applying them to the production cluster

Report Issue

Answer Description

Signing the image immediately after it has passed all automated security and functional tests-just before the pipeline pushes it to the registry-ensures that

the signature covers exactly the tested artifact, preventing later tampering, and
developers are not burdened with manual signing during coding or commit time. If signing were attempted at pre-commit, no container image yet exists; signing deployment manifests in production does not protect the image itself; and signing after the runtime pulls the image is too late because an unsigned or altered image could already reside in-or be fetched from-an untrusted registry. Therefore, integrating signing as the final CI task before the push both preserves integrity and fits naturally into automated workflows.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.