Answer the following questions to check your understanding of IaC security scanning and policy-as-code enforcement.
A security engineer wants to use the Microsoft Security DevOps (MSDO) GitHub Action to scan only infrastructure as code files in a repository, excluding code scanning. Which configuration achieves this?
Set the tools parameter to template-analyzer in the GitHub Action workflow.
Add categories: 'IaC' in the with: block of the Microsoft Security DevOps GitHub Action.
Create a separate workflow file that uses file path filters to include only .bicep and .json files.
Set the severity threshold parameter to Medium to filter out non-IaC findings.
A Bicep template passes the IaC scan in a pipeline. The deploying engineer bypasses the pipeline and uses Azure CLI to deploy the template directly to production. Which control prevents the noncompliant resource from being created?
Microsoft Defender for DevOps agentless scanning detects the deployment and blocks it.
PR annotations that block merging the noncompliant code would prevent the deployment.
Azure Policy with a Deny effect assigned at management group scope blocks the noncompliant resource at the platform level.
Enabling the MSDO extension in the Azure CLI installation would scan templates at runtime.
What is the recommended first step when introducing a new Azure Policy definition in a policy-as-code workflow?
Assign the policy definition immediately with a Deny effect at management group scope to protect all environments at once.
Assign the policy definition in Audit effect in a development or test environment and review compliance results before promoting to Deny.
Create a remediation task for the policy definition before assigning it to any scope.
Add the policy definition to an initiative and assign the initiative before testing the individual definition.