SC-100 Certification Practice Question #155

Question

Your company has an Azure App Service plan that is used to deploy containerized web apps.
You are designing a secure DevOps strategy for deploying the web apps to the App Service plan.
You need to recommend a strategy to integrate code scanning tools into a secure software development lifecycle. The code must be scanned during the following two phases:
✑ Uploading the code to repositories
✑ Building containers
Where should you integrate code scanning for each phase? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Accepted Answer

The two phases map cleanly to two distinct DevSecOps surfaces. For "uploading the code to repositories," scanning happens where the source lives and where the push event fires — GitHub (GitHub Enterprise / Advanced Security), which MS Learn describes as triggering code scans on repository push events. For "building containers," scanning is integrated into the build pipeline that produces the image — Azure Pipelines, where CodeQL runs as Init/AutoBuild/Analyze build tasks. Azure Boards is project-tracking and Microsoft Defender for Cloud is a runtime/posture tool, so both are eliminated. The community is unanimous that the displayed answer is correct, and the lone dissent only notes pipelines can also scan — which doesn't satisfy the explicit "during upload to repositories" requirement. Confidence is 85 (not higher) because this HOTSPOT has no answer image; the selection is derived from the marked image, strong community agreement, and MS Learn.

More SC-100 practice questions