Exam SC-100 topic 3 question 25 discussion

Actual exam question from Microsoft's SC-100
Question #: 25
Topic #: 3

HOTSPOT -
Your company has an Azure App Service plan that is used to deploy containerized web apps.
You are designing a secure DevOps strategy for deploying the web apps to the App Service plan.
You need to recommend a strategy to integrate code scanning tools into a secure software development lifecycle. The code must be scanned during the following two phases:
✑ Uploading the code to repositories
✑ Building containers
Where should you integrate code scanning for each phase? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: GitHub Enterprise -
A GitHub Advanced Security license provides the following additional features:
Code scanning - Search for potential security vulnerabilities and coding errors in your code.
Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository. If push protection is enabled, also detects secrets when they are pushed to your repository.
Etc.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Cloud.

Box 2: Azure Pipelines -
Building Containers with Azure DevOps using DevTest Pattern with Azure Pipelines
The pattern enables us to build containers for development and testing and to release the container for further reuse (production ready).
Azure Pipelines integrates metadata tracing into your container images, including commit hashes and issue numbers from Azure Boards, so that you can inspect your applications with confidence.
Incorrect:
* Not Azure Boards: Azure Boards provides software development teams with the interactive and customizable tools they need to manage their software projects.
It provides a rich set of capabilities including native support for Agile, Scrum, and Kanban processes, calendar views, configurable dashboards, and integrated reporting.
* Not Microsoft Defender for Cloud
Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.
You cannot use Microsoft Defender for Cloud to scan code; it scans images.
Reference:
https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security
https://microsoft.github.io/code-with-engineering-playbook/automated-testing/tech-specific-samples/azdo-container-dev-test-release/
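As an added example (not part of the exam question or its suggested answer), the two scanning points above expressed as pipeline definitions: a GitHub Actions workflow that runs CodeQL code scanning on every push to the repository, and an Azure Pipelines definition that builds the container image and then runs the Microsoft Security DevOps task against it. The branch names, the app language and the image name are assumptions; Docker@2 and MicrosoftSecurityDevOps@1 are the Azure DevOps task names.

```yaml
# .github/workflows/codeql.yml
# Phase 1: scan the code as it is pushed to the GitHub repository
# (GitHub Advanced Security code scanning, using CodeQL).
name: CodeQL code scanning
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
permissions:
  contents: read
  security-events: write      # needed to upload results to the repository's Security tab
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumption: the containerized web app is written in JavaScript
      - uses: github/codeql-action/analyze@v3
---
# azure-pipelines.yml
# Phase 2: scan while building the container image in Azure Pipelines.
trigger:
  - main
pool:
  vmImage: ubuntu-latest
steps:
  - task: Docker@2
    displayName: Build the container image
    inputs:
      command: build
      repository: webapp          # placeholder image name
      dockerfile: Dockerfile
      tags: $(Build.BuildId)
  - task: MicrosoftSecurityDevOps@1
    displayName: Scan the freshly built image (Microsoft Security DevOps / Defender for DevOps)
    inputs:
      categories: 'containers'    # restrict to image scanning; omit to run the default categories
      break: true                 # fail the pipeline when findings are reported
```

The first file runs inside GitHub at the upload phase; the second runs inside Azure Pipelines at the build phase, which is the split the suggested answer describes.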

Comments

PlumpyTumbler
Highly Voted 2 years, 8 months ago
Agreed
upvoted 22 times
TJ001
Highly Voted 2 years, 4 months ago
As a sequence in the process, I like to see it as below; hence the given answers are correct.
GitHub Actions (repo commit stage)
Azure Pipelines (building the Docker image stage)
Container images published to ACR (Defender for Containers)
Containers running in AKS (Defender for Containers)
upvoted 12 times
Victory007
Most Recent 1 year, 9 months ago
Answer is right. 1. GitHub & Pipelines. You can integrate code scanning tools with GitHub Enterprise to automatically scan the code when it is uploaded to repositories. GitHub offers code scanning as a feature that analyzes the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub, allowing developers to find, triage, and prioritize fixes for existing problems in their code. You can integrate code scanning tools with Azure Pipelines to automatically scan the code when building containers. Azure Pipelines is a cloud service that you can use to automatically build, test, and deploy your code. You can configure Azure Pipelines to use various code scanning tools, such as Microsoft Security Code Analysis, to automatically scan your code for vulnerabilities during the build process.
upvoted 4 times
cychoia
2 years, 5 months ago
Answer is correct
upvoted 5 times
JakeCallham
2 years, 6 months ago
A is wrong; you can do code scans in Azure Pipelines as well. This doesn't make sense at all.
upvoted 1 times
Learing
2 years, 6 months ago
Yes, but not during upload to Git, which is a requirement.
upvoted 3 times
ariania
9 months, 2 weeks ago
But it doesn't say they use GitHub; maybe they use Azure DevOps? The scans then come from Defender for DevOps on the pipeline. I'm not sure GitHub Advanced Security will scan anything when committing, though.
upvoted 1 times
dc2k79
2 years, 4 months ago
When uploading to the repo, you will scan the code in the repo.
upvoted 2 times
tonuywildthing22
2 years, 8 months ago
Answer is correct
upvoted 6 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other