Which of the following best describes the purpose of container image vulnerability scanning in a supply chain?
Think about what security scanning tools do before containers run.
Vulnerability scanning inspects container images for known security flaws before they are deployed, helping prevent vulnerable software from running.
In Google Cloud, which component enforces that only trusted container images are deployed to GKE clusters?
Consider the service that controls image deployment policies.
Binary Authorization enforces deployment policies ensuring only trusted container images are allowed to run on GKE clusters.
Given this Binary Authorization policy snippet, what will happen if the image being deployed does not carry an attestation from the trusted attestor?
{
  "defaultAdmissionRule": {
    "evaluationMode": "REQUIRE_ATTESTATION",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    "requireAttestationsBy": ["projects/my-project/attestors/my-attestor"]
  }
}
What does enforcementMode ENFORCED_BLOCK_AND_AUDIT_LOG imply?
With evaluationMode set to REQUIRE_ATTESTATION and enforcementMode set to ENFORCED_BLOCK_AND_AUDIT_LOG, an image that is not attested (by digest) by every attestor listed in requireAttestationsBy is blocked at admission and the violation is written to the audit log. The other enforcement mode, DRYRUN_AUDIT_LOG_ONLY, logs the same violation but lets the deployment through, which is the usual way to trial a policy. Two things still bypass the rule: images matching an admissionWhitelistPatterns entry, and pods carrying the break-glass annotation (both are audit-logged).
What is the primary role of the Container Analysis API in Google Cloud's container supply chain security?
Think about metadata and security information storage.
The Container Analysis API provides a centralized store for metadata about container images, organized as notes (for example a vulnerability or an attestor's note) and occurrences of those notes on specific image digests, such as vulnerability findings and attestations. Binary Authorization reads attestation occurrences from it when evaluating a deployment.
In a multi-stage container supply chain using Binary Authorization, what is the impact if an intermediate build-stage image (a builder stage or base image) lacks an attestation?
Consider which image Binary Authorization actually evaluates, and when.
None directly. Binary Authorization is an admission-time check on the image referenced in the pod spec, matched by digest; builder stages and base images are never deployed to the cluster, so they are never evaluated. The way to cover several pipeline stages is to list one attestor per stage (build, vulnerability scan, QA sign-off) in requireAttestationsBy and have each stage attest the digest of the final image. If any required attestor has not attested that digest, the deployment is blocked in enforced mode, or only logged in dry-run mode.
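The following is an added example, not code from Google or from this page: a small Python model of the admission decision described in the two previous questions. The policy dict uses the real policy field names and enum values, but the evaluator, the attestation store (a mapping from attestor resource name to the digests it has signed), the simplified exempt-pattern matching, and all project, attestor and image names are assumptions made for illustration; signature verification is taken as already done. It shows that only the deployed digest is checked, that every listed attestor must have attested it, that a tag reference can never satisfy the rule, and how dry-run mode changes the outcome.

```python
"""Simulated Binary Authorization admission check (added example, not Google's code)."""
from dataclasses import dataclass

ENFORCED = "ENFORCED_BLOCK_AND_AUDIT_LOG"
DRYRUN = "DRYRUN_AUDIT_LOG_ONLY"

# Constructed policy (hypothetical project and attestors): every deployed image
# must be attested by both the build attestor and the vulnerability-scan attestor.
POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google-containers/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": ENFORCED,
        "requireAttestationsBy": [
            "projects/my-project/attestors/build-attestor",
            "projects/my-project/attestors/vuln-scan-attestor",
        ],
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple  # what would be written to the audit log


def split_digest(image: str):
    """Return (name, digest) for 'name@sha256:...'; digest is None for tag refs."""
    if "@sha256:" in image:
        name, digest = image.split("@", 1)
        return name, digest
    return image, None


def is_exempt(image: str, patterns) -> bool:
    """Simplified admissionWhitelistPatterns matching (assumption, not the exact
    service semantics): a trailing '*' matches the rest of one path segment,
    '**' matches across segments, anything else must match the name exactly."""
    name, _ = split_digest(image)
    for p in patterns:
        pat = p["namePattern"]
        if pat.endswith("/**"):
            if name.startswith(pat[:-2]):
                return True
        elif pat.endswith("*"):
            rest = name[len(pat) - 1:]
            if name.startswith(pat[:-1]) and "/" not in rest:
                return True
        elif name == pat:
            return True
    return False


def evaluate(policy: dict, image: str, attestations: dict, breakglass: bool = False) -> Decision:
    """Decide whether a pod referencing `image` is admitted.

    Only the image named in the pod spec is evaluated; builder stages and base
    images used earlier in the pipeline never reach this function at all.
    """
    if breakglass:
        return Decision(True, ("break-glass annotation set; policy bypassed and logged",))
    if is_exempt(image, policy.get("admissionWhitelistPatterns", [])):
        return Decision(True, (f"{image} matches an exempt pattern",))

    rule = policy["defaultAdmissionRule"]
    violations = []
    if rule["evaluationMode"] == "ALWAYS_DENY":
        violations.append("rule is ALWAYS_DENY")
    elif rule["evaluationMode"] == "REQUIRE_ATTESTATION":
        _, digest = split_digest(image)
        if digest is None:
            # Attestations bind to a digest, so a tag can never satisfy them.
            violations.append(f"{image} is not specified by digest")
        else:
            for attestor in rule["requireAttestationsBy"]:
                if digest not in attestations.get(attestor, set()):
                    violations.append(f"no attestation from {attestor} for {digest}")
    if not violations:
        return Decision(True, ("all required attestations present",))
    if rule["enforcementMode"] == DRYRUN:
        return Decision(True, tuple(f"DRYRUN would block: {v}" for v in violations))
    return Decision(False, tuple(violations))


# Constructed digests: a builder-stage image that is never deployed, and the
# final image that the Deployment actually references.
BUILDER = "sha256:" + "a" * 64
FINAL = "sha256:" + "b" * 64
BUILD_ATTESTOR = "projects/my-project/attestors/build-attestor"
SCAN_ATTESTOR = "projects/my-project/attestors/vuln-scan-attestor"

# Each pipeline stage attests the FINAL digest; nobody attests BUILDER, and
# that never matters because BUILDER is not what gets deployed.
FULL_CHAIN = {BUILD_ATTESTOR: {FINAL}, SCAN_ATTESTOR: {FINAL}}
SCAN_SKIPPED = {BUILD_ATTESTOR: {FINAL}}


def demo() -> dict:
    img = f"us-docker.pkg.dev/my-project/app/web@{FINAL}"
    dryrun_policy = {**POLICY, "defaultAdmissionRule": {**POLICY["defaultAdmissionRule"], "enforcementMode": DRYRUN}}
    return {
        "full_chain": evaluate(POLICY, img, FULL_CHAIN),
        "scan_missing": evaluate(POLICY, img, SCAN_SKIPPED),
        "by_tag": evaluate(POLICY, "us-docker.pkg.dev/my-project/app/web:latest", FULL_CHAIN),
        "scan_missing_dryrun": evaluate(dryrun_policy, img, SCAN_SKIPPED),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} - {'; '.join(d.reasons)}")
```

Running it shows the fully attested final image admitted, the same image denied when the scan attestor never signed its digest, the tag reference denied regardless of attestations, and the dry-run variant admitting the unscanned image while recording what an enforced policy would have blocked.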