Quiz: Security Scanning
10 questions
L0 (1 question)
1. What does a container image vulnerability scanner like Trivy check for?
Trivy scans container images for: (1) known CVEs in OS packages (apt, yum), (2) vulnerable application dependencies (Python pip, Node npm, Go modules), (3) misconfigurations in Dockerfiles, and (4) exposed secrets/credentials in the image layers.

L1 (4 questions)
1. In a CI pipeline, how do you configure Trivy to fail the build only on CRITICAL and HIGH vulnerabilities?
Set exit-code to 1 and severity to CRITICAL,HIGH: trivy image --exit-code 1 --severity CRITICAL,HIGH

2. What is the difference between SAST and DAST in application security?
SAST (Static) analyzes source code without running it and finds code-level flaws early. DAST (Dynamic) tests the running application and finds runtime issues like injection and misconfigs. Both are complementary; use both in CI/CD. *Common mistake:* SAST is always more accurate than DAST

3. What does a Software Bill of Materials (SBOM) contain and why is it valuable?
An SBOM lists all software components (direct + transitive dependencies), their versions, and licenses. It enables: vulnerability tracking across your fleet, license compliance, and rapid response when a new CVE affects a common library. *Common mistake:* An SBOM is a backup of your source code

4. Why is it important to scan container images in the registry, not just during build?
New CVEs are disclosed after build time. Registry scanning continuously re-evaluates stored images against updated vulnerability databases. This catches newly discovered vulnerabilities in already-deployed images. *Common mistake:* Registry scanning is only needed for public images

L2 (4 questions)
1. What is an SBOM (Software Bill of Materials) and why is it important for security scanning?
An SBOM is a complete inventory of all software components, libraries, and dependencies in an image or application. It enables: (1) tracking which images are affected when a new CVE is published, (2) compliance requirements (US Executive Order 14028), (3) supply chain security auditing. Generate with: trivy image --format spdx-json or syft. Without an SBOM, you cannot answer 'which of our services use log4j?' quickly.

2. Your container image scan shows a critical CVE in a base image package you don't directly use. How do you assess the real risk?
Check:
1. Is the vulnerable code reachable from your application?
2. Is the vulnerable function called?
3. Is the attack vector exposed (network vs local)?
Many CVEs are not exploitable in your specific context. Rebuild with patched base if feasible; document risk acceptance if not. *Common mistake:* Immediately rebuild all containers regardless of context
3. How would you integrate dependency vulnerability scanning into a CI/CD pipeline without blocking every build?
Run the scanner on every PR. Block on critical/high CVEs with known exploits. Warn on medium/low. Allow a grace period for newly disclosed CVEs. Maintain an allowlist for accepted risks with expiry dates. This balances security with developer velocity. *Common mistake:* Block all builds until every CVE is resolved

4. What is infrastructure-as-code scanning? Name two tools that do it.
IaC scanning checks Terraform, CloudFormation, Helm charts etc. for security misconfigurations (public S3 buckets, missing encryption, overly permissive IAM) before deployment. Tools: Checkov, tfsec, Trivy (also does IaC), KICS. *Common mistake:* IaC scanning checks code syntax only

L3 (1 question)
1. Design a container security scanning strategy that covers the full lifecycle: build, registry, and runtime.