Linux Foundation Certified Cloud Native Platform Engineering Associate CNPA Question # 25 Topic 3 Discussion
CNPA Exam Topic 3 Question 25 Discussion:
Question #: 25
Topic #: 3
In the context of platform engineering and the effective delivery of platform software, which of the following statements describes the role of CI/CD pipelines in relation to Software Bill of Materials (SBOM) and security scanning?
A.
SBOM generation and security scanning are particularly valuable for application software. While platform software may have different security considerations, these practices are highly beneficial within CI/CD pipelines for applications.
B.
CI/CD pipelines should integrate SBOM generation and security scanning as automated steps within the build and test phases to ensure early detection of vulnerabilities and maintain a clear inventory of components.
C.
CI/CD pipelines are designed to accelerate the delivery of platform software, and adding SBOM generation and security scanning would slow down the process, so these activities are better suited for periodic audits conducted outside of the pipeline.
D.
CI/CD pipelines are primarily for automating deployments; SBOM generation and security scanning are separate, manual processes performed after deployment.
Modern platform engineering requires security and compliance to be integral parts of the delivery process, not afterthoughts. CI/CD pipelines are the foundation for delivering platform software rapidly and reliably, and integrating SBOM generation and automated vulnerability scanning directly within pipelines ensures that risks are identified early in the lifecycle.
Option B is correct because it reflects recommended practices from cloud native platform engineering standards: SBOMs provide a transparent inventory of all software components, including dependencies, which is crucial for vulnerability management, license compliance, and supply chain security. By automating these steps in CI/CD, teams can maintain both velocity and security without manual overhead.
Option A downplays the relevance of SBOMs for platform software, which is inaccurate because platform components (like Kubernetes operators, ingress controllers, or logging agents) are equally susceptible to vulnerabilities. Option C dismisses automation in favor of periodic audits, which contradicts the shift-left security principle. Option D misunderstands CI/CD’s purpose: security must be integrated, not separated.
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit