AWS Certified Developer – Associate / Question #614 of 557

Question #614

A company needs to integrate static application security testing (SAST) into its CI/CD pipeline to analyze container images before deployment. The application uses Amazon Elastic Container Registry (ECR) for image storage, Amazon Elastic Kubernetes Service (EKS) for compute, and AWS CodePipeline for orchestration. SAST currently runs in a post-deployment stage in a development EKS namespace, but the team wants to shift this analysis earlier in the pipeline.

Which solution meets these requirements with the MOST operational efficiency?

A

Use a third-party SAST tool integrated into the developer's local environment. Require developers to scan images before committing code. Implement Git pre-commit hooks to enforce scanning and block commits with vulnerabilities.

B

Add a new CodePipeline stage after the container image is built and pushed to ECR. Enable ECR enhanced scanning with AWS Lambda to parse results. Configure the Lambda function to validate scan findings and halt the pipeline if vulnerabilities exist.

C

Create a new pipeline stage after the source code is fetched. Run SAST directly on the source code repository contents. Fail the pipeline if vulnerabilities are detected in the source code analysis.

D

Modify the build stage in CodePipeline to include a custom SAST action using AWS Fargate. Configure Fargate to run the SAST tool on the built image and fail the pipeline if findings are present.

Explanation

Answer B is correct because it shifts SAST analysis earlier by adding a CodePipeline stage after the container image is built and pushed to ECR. AWS ECR's enhanced scanning (powered by Amazon Inspector) provides built-in vulnerability scanning for container images, eliminating the need for third-party tools or custom infrastructure. A Lambda function parses the scan results and halts the pipeline if vulnerabilities are found, ensuring security gates are enforced pre-deployment. This approach minimizes operational overhead by using managed AWS services.

Other options are less efficient:
- A relies on developer-local scans, which are error-prone and unenforceable.
- C focuses on source code SAST, but the question specifies container image analysis.
- D introduces custom Fargate tasks, increasing operational complexity compared to ECR's native scanning.

Key points: Use AWS-managed services (ECR enhanced scanning) for operational efficiency, integrate security checks early in CI/CD, and leverage serverless components (Lambda) for scalability.
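As an added illustration of the gate described in answer B (this is example code, not part of the original question or any AWS sample), the Lambda below is invoked by a CodePipeline Invoke action, reads the ECR enhanced-scan findings for the image just pushed, and fails the pipeline job when any finding is at or above a severity threshold. The repository/tag in UserParameters, the SEVERITY_THRESHOLD environment variable and the sample response are assumptions made for the example.

```python
import json
import os

# Severity scale used in the findingSeverityCounts map of an ECR scan result.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of a DescribeImageScanFindings response (not real scan data).
SAMPLE_RESPONSE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "LOW": 7}},
}

def blocking_findings(severity_counts, threshold="HIGH"):
    """Return the non-zero severity counts at or above the threshold."""
    min_rank = SEVERITY_ORDER.index(threshold)
    return {sev: n for sev, n in severity_counts.items()
            if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= min_rank and n > 0}

def evaluate_scan(scan_response, threshold="HIGH"):
    """Gate decision as (passed, reason). An unfinished or failed scan never passes."""
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status not in ("COMPLETE", "ACTIVE"):  # ACTIVE: image under continuous scanning
        return False, f"scan status is {status}; refusing to promote an unscanned image"
    counts = scan_response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    blocking = blocking_findings(counts, threshold)
    if blocking:
        return False, "findings at or above %s: %s" % (threshold, json.dumps(blocking, sort_keys=True))
    return True, "no findings at or above " + threshold

def handler(event, context):
    """CodePipeline Invoke-action entry point (boto3 is present in the Lambda runtime)."""
    import boto3
    job = event["CodePipeline.job"]
    # Assumed UserParameters shape: {"repository": "...", "imageTag": "..."}
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    scan = boto3.client("ecr").describe_image_scan_findings(
        repositoryName=params["repository"], imageId={"imageTag": params["imageTag"]})
    passed, reason = evaluate_scan(scan, os.environ.get("SEVERITY_THRESHOLD", "HIGH"))
    pipeline = boto3.client("codepipeline")
    if passed:
        pipeline.put_job_success_result(jobId=job["id"])
    else:  # a failed job halts the pipeline before the EKS deploy stage runs
        pipeline.put_job_failure_result(
            jobId=job["id"], failureDetails={"type": "JobFailed", "message": reason[:5000]})
    return {"passed": passed, "reason": reason}

if __name__ == "__main__":
    print(evaluate_scan(SAMPLE_RESPONSE))
```

The Lambda execution role needs ecr:DescribeImageScanFindings plus codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult; a scan still in progress is treated as a failure so the gate fails closed.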

Answer

The correct answer is: B