Back to the course
Test yourself

Secure CI/CD with GitLab

Final exam · 50 questions · answers explained as you pick
GitLab CI fundamentals
10 questions
01A GitLab pipeline is defined…
Incorrect — GitLab CI has no controller UI for pipeline definition.
Correct — the pipeline is code, reviewed like code.
Incorrect — it lives in the repo file, not a DB.
Incorrect — runners execute jobs; they do not define the pipeline.
02Within a single stage, jobs…
Incorrect — that is how stages relate, not jobs within a stage.
Incorrect — they run.
Correct — lint, unit, and scan in one stage execute together.
Incorrect — branch has nothing to do with intra-stage parallelism.
03Stages in a pipeline…
Correct — build completes before any test job begins.
Incorrect — jobs within a stage parallelize; stages are ordered.
Incorrect — they define execution order.
Incorrect — they run top-to-bottom as listed.
04The image: key on a job sets…
Incorrect — that is environment/deploy config.
Correct — maps to container in Actions, agent{docker} in Jenkins.
Incorrect — artifacts are declared separately.
Incorrect — runner selection is tags:, not image:.
05A GitLab job fails when its script…
Correct — exit 0 = pass, anything else = fail; a failed job fails its stage.
Incorrect — warnings do not fail a job.
Incorrect — length is irrelevant.
Incorrect — containers are normal, not a failure.
06To pass a built dist/ folder from build to deploy, you use…
Incorrect — cache is a re-fetchable optimization, not a contract between stages.
Incorrect — you cannot pass a folder in an env var.
Correct — artifacts are uploaded and made available to later stages.
Incorrect — runners do not carry files between jobs.
07The difference between cache and artifacts is…
Incorrect — they serve different purposes.
Correct — a job must still work with an empty cache.
Incorrect — never put secrets in cache.
Incorrect — artifacts are uploaded and stored by GitLab.
08The rules: keyword controls…
Correct — it replaces only/except and handles conditional jobs.
Incorrect — that is tags:.
Incorrect — that is image:.
Incorrect — that is expire_in.
09A production deploy job should have a rule that…
Incorrect — that would deploy prod from feature branches.
Incorrect — MRs should not deploy production.
Correct — reviewed code, deliberate trigger.
Incorrect — then it could not deploy at all.
10Because .gitlab-ci.yml lives in the repo, a change to it…
Incorrect — that is the risk you must prevent with branch protection.
Correct — a bad edit can exfiltrate secrets or ship a bad artifact.
Incorrect — it can — it controls build and deploy.
Incorrect — it controls the whole pipeline.
10 questions · explanations appear as you answer
Securing the pipeline itself
10 questions
01The core mindset of pipeline security is…
Correct — as valuable a target as the servers it deploys to.
Incorrect — CI holds the crown-jewel credentials.
Incorrect — scanning is one layer, not the whole control set.
Incorrect — they hold secrets while running.
02The most secure runner executors are…
Incorrect — shell runs on the host and shares it across jobs — risky.
Correct — a poisoned build is thrown away with its environment.
Incorrect — not the isolation model you want for untrusted builds.
Incorrect — isolation, not speed, is the security criterion.
03Enabling privileged: true (or mounting docker.sock) on a runner…
Incorrect — daemonless builders avoid it entirely.
Incorrect — it grants root on the host.
Correct — the exact escape path to avoid, especially on shared/fork runners.
Incorrect — unrelated to caching.
04A protected CI/CD variable is exposed…
Incorrect — that is an unprotected variable.
Correct — so forks/feature branches cannot read production secrets.
Incorrect — it is injected into protected-ref jobs.
Incorrect — protected jobs can read it.
05The classic CI takeover is…
Correct — the MR reads the secrets or roots the host.
Incorrect — stage count is not a security issue.
Incorrect — speed is not the takeover vector.
Incorrect — containers are the safer option.
06Protected runners exist so that…
Incorrect — it is about trust, not speed.
Correct — a feature-branch job cannot land on the production runner.
Incorrect — the opposite — keep fork jobs off protected runners.
Incorrect — unrelated to caching.
07Both flags a sensitive CI/CD variable needs are…
Incorrect — the opposite of secure.
Incorrect — never cache or artifact secrets.
Correct — masking stops log leaks; protected stops untrusted pipelines reading it.
Incorrect — not the GitLab variable options that matter here.
08Log masking is limited because it…
Correct — never echo, base64, or write a secret to a file.
Incorrect — it redacts a value; it does not encrypt.
Incorrect — masking is not branch-dependent.
Incorrect — masking redacts; it does not fail the job.
09The strongest secrets pattern in CI is…
Incorrect — better than committed, but still a standing credential.
Correct — little to leak; centrally rotated and audited.
Incorrect — never commit secrets.
Incorrect — never print a secret.
10An unprotected variable is dangerous because it can be read by…
Incorrect — that would be fine; unprotected is broader.
Incorrect — unprotected means broadly readable.
Correct — mark sensitive variables protected + masked.
Incorrect — the exposure is to pipelines, including untrusted ones.
10 questions · explanations appear as you answer
Security scanning stages
10 questions
01SAST analyzes…
Correct — SQL injection, unsafe deserialization, hardcoded creds.
Incorrect — that is DAST.
Incorrect — that is image scanning.
Incorrect — that is secret detection.
02A fresh SAST/scanner should first be run…
Incorrect — false positives get it disabled within a sprint.
Correct — a scanner developers trust stays enabled.
Incorrect — it should run — just tuned first.
Incorrect — scan in the pipeline, before prod.
03Secret detection scans…
Incorrect — not what it does.
Incorrect — that is image scanning.
Correct — catch the key before it reaches the default branch.
Incorrect — that is DAST.
04A secret found in git history must be…
Correct — deleting it in a later commit does not un-leak it.
Incorrect — history and clones still hold it.
Incorrect — private does not make a leaked secret safe.
Incorrect — renaming does nothing; rotate it.
05Dependency scanning (SCA) reads…
Incorrect — that is SAST.
Correct — you own the vulnerabilities you imported.
Incorrect — not what SCA does.
Incorrect — it reads resolved dependencies, not just the Dockerfile.
06--ignore-unfixed on a dependency/image scan gate means you…
Incorrect — no — only those with no available fix.
Incorrect — you still gate on fixable criticals.
Correct — blocking on unfixable CVEs just gets the scanner disabled.
Incorrect — the scan still runs.
07The two-pass scan pattern (exit-code 0 then 1) gives you…
Incorrect — it is about visibility vs gating, not speed.
Correct — report everything; gate on what you would page for.
Incorrect — SBOM is a separate step.
Incorrect — caching is configured separately.
08To keep an image scan fast (so it is not skipped), you…
Correct — a sub-30s scan is one nobody routes around.
Incorrect — that defeats the pre-push gate.
Incorrect — never — a scanner that changes under you is a supply-chain risk.
Incorrect — that makes it slower.
09The image scan should run…
Incorrect — then the vulnerable image is already published.
Incorrect — gate every build that pushes.
Correct — scan-then-push keeps bad images out of the registry.
Incorrect — CI is the enforced gate.
10DAST differs from the static scanners because it…
Incorrect — that is SAST.
Correct — auth flaws, headers, exposed paths; runs late, often not per-MR.
Incorrect — that is SCA.
Incorrect — that is signing, not DAST.
10 questions · explanations appear as you answer
Trust the artifacts
10 questions
01Signing an image proves…
Correct — verified downstream, it detects tampering/unauthorized images.
Incorrect — that is scanning, not signing.
Incorrect — unrelated to size.
Incorrect — unrelated.
02Cosign keyless signing avoids a leaked key by…
Incorrect — that is exactly the leakable secret it removes.
Correct — no long-lived key to steal.
Incorrect — signing is independent of registry auth.
Incorrect — signing is not encryption.
03You should sign the image’s ___, not its ___.
Incorrect — reversed — a tag is mutable and proves nothing.
Incorrect — not the distinction that matters.
Correct — the immutable digest is the bytes; a tag can be repointed.
Incorrect — not the signing target.
04Verifying a signature must assert…
Correct — an attacker can sign their own image with their own identity.
Incorrect — irrelevant to trust.
Incorrect — irrelevant.
Incorrect — presence alone lets attacker-signed images pass.
05A signature nobody verifies…
Incorrect — no — without verification nothing is enforced.
Correct — signing is half; verification is the control.
Incorrect — signing is not encryption.
Incorrect — unrelated.
06An SBOM is…
Incorrect — that is signing/attestation.
Incorrect — related, but an SBOM is the inventory itself.
Correct — query it when the next CVE drops.
Incorrect — that is Kubernetes YAML, not an SBOM.
07The concrete payoff of an SBOM is…
Correct — the Log4Shell fire-drill becomes a query.
Incorrect — SBOMs do not shrink images.
Incorrect — unrelated.
Incorrect — signing is separate.
08SLSA provenance primarily records…
Incorrect — not what provenance is about.
Correct — the artifact’s machine-verifiable birth certificate.
Incorrect — that is the deploy audit log, not build provenance.
Incorrect — that is scanning.
09An unsigned SBOM or provenance file is…
Incorrect — no — anyone could have written it.
Incorrect — nothing verifies it unless you do.
Correct — sign + verify, or it adds process without protection.
Incorrect — attestations are signed, not encrypted.
10The strongest deploy gate combines…
Correct — belt and braces: judgment plus objective, unskippable checks.
Incorrect — appearance of control, none of the substance.
Incorrect — that removes the control entirely.
Incorrect — unrelated to gating.
10 questions · explanations appear as you answer
GitOps & safe delivery
10 questions
01In GitOps, deploys happen by…
Incorrect — that is push CD; GitOps inverts it.
Correct — Argo CD/Flux pull the desired state and apply it.
Incorrect — not how GitOps works.
Incorrect — the agent would revert that drift.
02A key security win of GitOps is that…
Correct — a compromised pipeline cannot directly touch the cluster.
Incorrect — scanning is still required.
Incorrect — not what GitOps does.
Incorrect — not a security property, and not the point.
03GitOps detects drift because…
Incorrect — unrelated to drift.
Incorrect — not the mechanism.
Correct — selfHeal reconciles the cluster back to the repo.
Incorrect — it reconciles, not locks.
04In GitOps, the deployment/state repo is effectively…
Incorrect — no — write access to it is deploy access to prod.
Correct — the attack surface moved to "who can merge here".
Incorrect — it drives real deploys.
Incorrect — it is the source of truth, not a cache.
05CI and GitOps meet when the pipeline’s final step…
Correct — reviewed and merged, the agent rolls it out.
Incorrect — GitOps avoids direct cluster access.
Incorrect — not a step in any sane pipeline.
Incorrect — the handoff is a commit/MR, not email.
06A deploy gate’s purpose is to make production changes…
Incorrect — the opposite of a gate.
Correct — change control without a separate ticket system.
Incorrect — safety and evidence, not speed.
Incorrect — the point is a recorded, visible decision.
07A meaningful gate does more than prompt a human by also…
Incorrect — that weakens it.
Incorrect — a rubber stamp is not a control.
Correct — human judgment plus unskippable checks.
Incorrect — unrelated to the gate’s substance.
08A canary deployment…
Correct — few users affected if it is bad.
Incorrect — that is blue/green.
Incorrect — you keep it for rollback.
Incorrect — it is a rollout strategy, not a test skip.
09Automated canary analysis (Argo Rollouts / Flagger) works by…
Incorrect — the point is to automate on real signals.
Correct — self-driving: advances on good data, reverts on bad.
Incorrect — that is not canary analysis.
Incorrect — that is blue/green, not gradual canary.
10In GitOps, rolling back a bad release is…
Incorrect — it is actually easy and exact.
Incorrect — that causes drift; use Git.
Correct — exact and fast, because the good state is in Git.
Incorrect — no rebuild needed; the prior state is declared.
10 questions · explanations appear as you answer