ECDE 312-97 Book

Build-time checks are designed to enforce security gates within the CI/CD pipeline. When critical vulnerabilities such as SQL injection and cross-site scripting (XSS) are detected during this stage, the correct and expected behavior is tofail the build. Stopping the build process prevents insecure code from progressing to later stages such as testing, deployment, or production. Ignoring issues or merely sending alerts while continuing the pipeline undermines the purpose of shift-left security. Alerts to SIEM systems and issue trackers are typically supplementary actions, but the primary enforcement mechanism at build time is to block the pipeline when severity thresholds are exceeded. This approach reduces remediation costs, limits exposure, and ensures that only secure artifacts move forward in the DevSecOps lifecycle.

========

Prisma Cloud leveragesadvanced unsupervised machine learningto establish baselines of normal behavior within a customer’s cloud environment. By analyzing patterns in network traffic, resource interactions, and workload behavior without relying on labeled training data, it can detect anomalies and potential zero-day attacks with minimal false positives. Supervised approaches require predefined labels and known attack patterns, which limits effectiveness against new or unknown threats. Unsupervised data mining alone lacks the adaptive intelligence provided by machine learning models. Using unsupervised machine learning during the Build and Test stage enables continuous, intelligent security analysis across dynamic cloud-native workloads, supporting proactive threat detection in DevSecOps pipelines.

HashiCorp Packer is an image automation tool that uses the packer build command to create machine images from configuration files written in HCL or JSON. When Robin defines her Docker image configuration in the file docker-ubuntu.pkr.hcl, the correct way to initiate the build process is by running packer build docker-ubuntu.pkr.hcl. This command reads the configuration file, initializes required plugins, executes defined builders and provisioners, and produces the final Docker image. The other options are syntactically incorrect because Packer does not support abbreviated flags such as -b or alternative verbs like -build. Building container images during the Build and Test stage ensures that images are reproducible, standardized, and compliant with organizational security requirements before deployment. Using Packer also supports immutability and reduces configuration drift, which are key principles in secure DevSecOps pipelines.

========

When working inside an interactive Docker container session, the container continues running as long as its primary foreground process is active. Executing the exit command terminates the shell session, which in turn stops the container if no other foreground processes are running. The kill command requires a process identifier and is not used in this context, while clear simply clears the terminal screen and does not affect container execution. The stop command is not a valid shell command inside a container. Properly stopping containers during the Operate and Monitor stage helps free system resources, prevent unintended service exposure, and maintain a clean runtime environment. This practice aligns with container lifecycle management best practices and reduces operational risk.

========