312-97 Questions and Answers

If a pre-commit hook script does not explicitly detect sensitive information or return a non-zero exit code, Git will treat the hook execution as successful. In this scenario, although the hook was made executable, Beth still managed to commit sensitive information. This implies that the hook either did not contain logic to detect such data or did not fail the commit upon detection. As a result, the script exited with0, allowing the commit to proceed. Exit code 0 always signals success to Git, while non-zero exit codes block commits. This highlights the importance of properly implementing security checks within hooks, not just enabling them. Making a hook executable is necessary, but it must also include correct validation logic to enforce security policies during the Code stage.

========

HashiCorp Packer is an image automation tool that uses the packer build command to create machine images from configuration files written in HCL or JSON. When Robin defines her Docker image configuration in the file docker-ubuntu.pkr.hcl, the correct way to initiate the build process is by running packer build docker-ubuntu.pkr.hcl. This command reads the configuration file, initializes required plugins, executes defined builders and provisioners, and produces the final Docker image. The other options are syntactically incorrect because Packer does not support abbreviated flags such as -b or alternative verbs like -build. Building container images during the Build and Test stage ensures that images are reproducible, standardized, and compliant with organizational security requirements before deployment. Using Packer also supports immutability and reduces configuration drift, which are key principles in secure DevSecOps pipelines.

========

Interactive Application Security Testing (IAST) solutions are classified based on how they interact with the application and runtime environment. In this scenario, the solution uses aweb scannerto actively send requests to the application while also deploying anagent inside the application serverto observe runtime behavior and map vulnerabilities directly to source code locations. This combined approach is known assemi-active IAST. It is considered “semi-active” because it actively drives traffic through the application using a scanner, while the agent passively observes execution paths, data flows, and method calls. Passive IAST solutions rely only on observing existing traffic and do not use scanners, while active IAST solutions do not typically rely on deep runtime agents in the same manner. Semi-active IAST significantly reduces false positives and provides precise remediation details, making it highly effective during the Build and Test stage, where applications are actively exercised and security issues can be identified and fixed before release.

========

HashiCorp Vault enables authentication mechanisms using the vault auth enable command followed by the name of the authentication method. To enable AppRole authentication, the correct command is vault auth enable approle. AppRole is specifically designed for machine-to-machine authentication, making it ideal for CI/CD tools like Jenkins. It allows applications to authenticate securely using role IDs and secret IDs instead of static credentials. The other options do not follow Vault CLI syntax and would result in command errors. Enabling AppRole during the Build and Test stage ensures that secrets are accessed securely and dynamically, supporting least-privilege access control and reducing the risk of credential leakage across the DevSecOps pipeline.

Jenkins exposes a predefined endpoint for receiving GitHub webhook events. This endpoint is /github-webhook/ and must be appended to the Jenkins base URL in the GitHub webhook configuration. Option C correctly matches the required endpoint format. The other options use incorrect casing, separators, or naming conventions that Jenkins does not recognize. Correct webhook configuration ensures that Jenkins jobs are automatically triggered when code changes occur in GitHub repositories. This integration supports continuous integration and immediate feedback during the Code stage of the DevSecOps pipeline.

========

When working inside an interactive Docker container session, the container continues running as long as its primary foreground process is active. Executing the exit command terminates the shell session, which in turn stops the container if no other foreground processes are running. The kill command requires a process identifier and is not used in this context, while clear simply clears the terminal screen and does not affect container execution. The stop command is not a valid shell command inside a container. Properly stopping containers during the Operate and Monitor stage helps free system resources, prevent unintended service exposure, and maintain a clean runtime environment. This practice aligns with container lifecycle management best practices and reduces operational risk.

========

To identify the version of a service running on a target system, Nmap uses the -sV option, which enables service version detection. The -sS flag specifies a TCP SYN scan, which is a common and efficient scanning method. Combining these two flags allows Nmap to discover open ports and accurately identify the service versions running on those ports, such as Jenkins. Options A and B reference invalid scan types (-sJ) and do not enable version detection. Option C includes the correct flags but places them in a less conventional order; however, the commonly accepted and documented usage is -sV -sS. Running this scan during the Operate and Monitor stage helps security teams understand exposed services and assess potential attack surfaces.

========

To clone a repository from GitHub, the correct command is git clone followed by the accurate repository URL. The organization name continuumsecurity and repository name bdd-security must be spelled correctly for the command to succeed. Options using github clone are invalid because github is not a standard Git command-line utility. Options with misspelled organization names will result in errors. Cloning security testing frameworks during the Code stage enables DevSecOps engineers to evaluate, customize, and integrate security automation tools into development workflows, supporting secure application development and testing practices.

Deploy-time checks are designed to identify vulnerabilities that may not surface during earlier stages such as commit-time, build-time, or test-time checks. These checks analyze applications in environments that closely resemble or are part of production, making it possible to detect configuration issues, runtime vulnerabilities, and environment-specific weaknesses. Pre-production testing often cannot fully replicate production conditions, so deploy-time checks act as an additional safety net. Commit-time and build-time checks focus on code quality and static analysis, while test-time checks validate application behavior in controlled environments. Deploy-time checks therefore help Victor uncover vulnerabilities missed earlier, improving overall security assurance before or during deployment.

========

GitHub Code Scanning is a built-in security capability designed to automatically analyze source code for security vulnerabilities and coding errors. The primary and officially supported engine for GitHub Code Scanning isCodeQL. CodeQL works by converting source code into a database and running security queries to detect issues such as injection flaws, insecure coding patterns, and logic errors. William can enable CodeQL by configuring GitHub Actions with either the default or advanced CodeQL workflow. Once enabled, CodeQL scans are triggered on events such as code pushes and pull requests, and the results appear as code scanning alerts in the repository’s Security tab. Gauntlt is a security testing harness used mainly for infrastructure and application testing, GitMiner is used to discover sensitive data like secrets in repositories, and OWASP ZAP is a dynamic application security testing tool used against running applications. None of these tools configure GitHub’s native Code Scanning feature. Therefore, CodeQL is the correct tool to set up GitHub Code Scanning in the Code stage of a DevSecOps pipeline.

========

Syft is used by Anchore to generate Software Bill of Materials (SBOMs) from container images and directories. By default, Syft may only analyze the squashed image view. Using the --scope all-layers flag instructs Syft to include software components fromall image layers, ensuring comprehensive visibility into dependencies introduced at every stage of image creation. The other options use invalid syntax or unsupported flags. Including all layers during SBOM generation improves vulnerability detection accuracy and supports compliance requirements, making it a critical practice during the Build and Test stage.

ThreatModeler’sAcceleratorcapability allows automatic generation of threat models directly from an organization’s live AWS environment. It connects to AWS services, analyzes deployed resources, and converts them into architectural diagrams and threat models without manual input. YAML-based orchestration tools and STRIDE per Element are methodologies used for modeling but do not automatically ingest live cloud configurations. Architect is a design construct, not an automation engine. Using Accelerator during the Plan stage enables proactive, continuous threat modeling, ensuring that evolving cloud infrastructure is always assessed for risk and security gaps.

========

AWS CodeCommit is a fully managed, AWS-hosted source control service that allows teams to store and manage source code, binaries, and other digital assets securely in the cloud. It supports Git-based repositories and integrates seamlessly with other AWS DevOps services such as CodeBuild, CodePipeline, and CodeDeploy. CodePipeline orchestrates CI/CD workflows, CodeBuild performs build and test operations, and CodeDeploy automates application deployment—but none of these are version control systems. For organizations migrating from on-prem to AWS, CodeCommit provides fine-grained access control using IAM, encryption at rest and in transit, and high availability without the need to manage infrastructure. Using CodeCommit during the Code stage supports secure collaboration, version tracking, and centralized source control aligned with DevSecOps best practices.

========

ThreatPlaybook uses the playbook apply feature command to push user-story–driven threat models to the server. The -f flag specifies the path to the YAML file containing the defined user stories, abuser stories, and threat scenarios, while the -p flag specifies the target project. Option C correctly combines these parameters. The -y flag is invalid in this context, and options that misuse -t instead of -p do not correctly identify the project destination. Executing this command during the Plan stage enables teams to integrate threat modeling early, ensuring security risks are identified and addressed before development and deployment proceed.

The description matches AWSBugBust, which AWS positions as a gamified, team-based bug fixing challenge rather than a classic external “bug bounty” for finding vulnerabilities in AWS itself. The key hints are “fun-based solution for bashing bugs,” “encouraging team building,” and “friendly competition,” along with scoring points and awarding prizes. BugBust focuses on improving code quality by motivating developers to find and fix issues (often via static analysis findings) in languages like Java and Python. Participants earn points for remediations and compete on leaderboards, which aligns directly with Sarah “scored the highest points” and received a cash reward. The other names (BugFixer, BugFinder, BugHunt) are plausible-sounding but do not match the commonly referenced AWS gamified program described. In a DevSecOps context, this type of program supports culture by incentivizing secure coding habits, encouraging shared ownership of quality, and making remediation visible and rewarding across the engineering team.

========

Interactive Application Security Testing (IAST) works by instrumenting the application at runtime, allowing it to observe both thesource code execution pathsand theHTTP requests and responsesflowing through the application. Because of this dual visibility, IAST can analyze every executed line of code (similar to SAST) while also monitoring real-time application behavior (similar to DAST). This unique capability enables highly accurate vulnerability detection with fewer false positives. The other options do not correctly explain how IAST achieves this hybrid analysis. Access to both code and HTTP traffic is what allows IAST to bridge static and dynamic testing techniques, making it highly effective across development, QA, and production environments.

========

GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.

Gauntlt is a security testing framework written in Ruby and distributed as a Ruby gem. The correct way to install a Ruby gem is using the gem install command followed by the lowercase gem name. RubyGems are case-sensitive and standardized to lowercase naming conventions, which makes gem install gauntlt the correct command. The gems command does not exist in Ruby’s package management ecosystem, and using uppercase names such as Gauntlt can lead to installation failures. Installing Gauntlt allows DevSecOps teams to write human-readable security tests and integrate them into CI/CD pipelines, enabling automated and collaborative security validation during the Build and Test stage.

========

Git post-commit hooks are executed automatically after a commit is successfully created. To trigger the Jenkins build job configured to respond to commits, Alex must create a valid Git commit using the correct Git command. The standard command to commit changes with a message is git commit -m "commit from terminal". Running this command records the changes in the repository and triggers the post-commit hook, which in turn initiates the Jenkins build. Commands using github commit are invalid because github is not a native Git command-line utility. The -b flag is also not used with git commit. Automating build triggers during the Code stage improves efficiency, reduces manual intervention, and ensures continuous integration is consistently enforced.

========

Bitbucket provides a cloud-based source code management platform that supports collaboration, CI/CD integration, and secure code hosting. One of the key features offered by Bitbucket isfree unlimited private repositories, particularly beneficial for organizations developing proprietary software such as IoT applications. This allows teams to store source code securely without exposing it publicly while still enabling collaboration features like pull requests, issue tracking, and pipeline automation. The term “limited private repositories” is inaccurate because Bitbucket does not restrict the number of private repositories under its free offering; rather, user count limits apply. While Bitbucket also supports public repositories, the option that best represents its value to enterprise and product-based teams is unlimited private repositories. This capability aligns with DevSecOps practices by ensuring confidentiality of source code while enabling integrated planning, testing, and deployment workflows within a single platform.

========

CloudMapper requires read-only access to AWS resources in order to collect metadata, visualize architectures, and perform security analysis without modifying infrastructure. The AWS-managed policySecurityAuditprovides permissions to view security-related configuration across services, whileViewOnlyAccessallows read-only access to AWS resources more broadly. Together, these policies enable CloudMapper to gather comprehensive information about the AWS environment without granting write privileges. The other options either reference invalid policy names, incorrect formatting, or excessive permissions such as AWSLambdaFullAccess, which are unnecessary and violate least-privilege principles. Granting SecurityAudit and ViewOnlyAccess aligns with secure auditing practices during the Operate and Monitor stage.

========

GitGraber uses specific command-line flags to define how secret detection is performed. The -k flag is used to specify akeyword filethat contains search terms for identifying sensitive data in repositories. In this case, William wants to search for secrets using the keyword “yahoo,” which is passed using the -q flag. Options -w, -g, and -p are not valid flags for keyword-based scanning in GitGraber. By using -k, GitGraber scans repositories for matches against the defined keywords and reports potential secret exposures in real time. This capability is especially valuable during the Code stage, helping teams prevent credential leakage and maintain secure repositories.

Build-time checks are designed to enforce security gates within the CI/CD pipeline. When critical vulnerabilities such as SQL injection and cross-site scripting (XSS) are detected during this stage, the correct and expected behavior is tofail the build. Stopping the build process prevents insecure code from progressing to later stages such as testing, deployment, or production. Ignoring issues or merely sending alerts while continuing the pipeline undermines the purpose of shift-left security. Alerts to SIEM systems and issue trackers are typically supplementary actions, but the primary enforcement mechanism at build time is to block the pipeline when severity thresholds are exceeded. This approach reduces remediation costs, limits exposure, and ensures that only secure artifacts move forward in the DevSecOps lifecycle.

========

When configuring Burp Suite scans in Jenkins using an Execute shell build step, environment variables are often set or echoed so that subsequent scan steps can consume them. The echo command is used to output or define values in the shell context. In this case, echo BURP_SCAN_URL = http://target-website.com correctly defines the target URL for Burp Suite scanning. Commands like grep and cat are used for searching or displaying file contents and are not appropriate for setting scan parameters. The sudo command is unnecessary and incorrect in this context. Using the correct shell command ensures that Burp Suite receives the proper target information during the Build and Test stage, enabling accurate dynamic application security testing.

========

Docker allows inspection of container runtime configuration using the docker inspect command. To list security-related options such as no_new_privileges for all containers, the correct approach is to first retrieve all container IDs using docker ps --quiet --all and then pass them to docker inspect with a formatted output. The command docker ps --quiet --all | xargs docker inspect --format ': SecurityOpt=' correctly extracts the security options configured for each container. Options that use incorrect flags such as -quiet instead of --quiet, omit required parameters, or misformat the output string are invalid. Inspecting security options during the Operate and Monitor stage helps ensure that privilege escalation protections are enforced consistently, supporting container hardening and compliance with security benchmarks.

========