Develop a security and compliance plan

Question 1

What is the difference between authentication and authorization

Answer 1

Authentication verifies identity while authorization grants access to resources

Question 2

When should you use a Service Principal in Azure DevOps

Answer 2

When a nonhuman application or automation needs to access Azure resources

Question 3

What is the purpose of a Managed Identity in Azure

Answer 3

To provide an automatically managed identity for Azure services without credentials

Question 4

Describe the difference between a system-assigned and user-assigned Managed Identity

Answer 4

System-assigned is tied to one resource user-assigned can be shared among resources

Question 5

When would you choose a user-assigned Managed Identity

Answer 5

When multiple resources need to share the same identity

Question 6

How is authentication handled for GitHub Actions using GITHUB_TOKEN

Answer 6

GitHub automatically creates a short-lived token available to the workflow

Question 7

What is a GitHub App used for

Answer 7

For integrating external tools or services in a secure granular way

Question 8

When should you use a personal access token in GitHub

Answer 8

For manual authentication by users or custom scripts that cannot use GITHUB_TOKEN

Question 9

How do you securely store a GitHub personal access token in a workflow

Answer 9

Add it as an encrypted repository secret

Question 10

What is a service connection in Azure DevOps

Answer 10

A secure connection for Azure Pipelines or Releases to access external services

Question 11

Which Azure DevOps token type is designed for personal automation or API access

Answer 11

Personal Access Token PAT

Question 12

Why should you prefer service connections over PATs in Azure DevOps

Answer 12

Service connections have more granular controls and can be managed centrally

Question 13

What are permissions in GitHub

Answer 13

Settings defining what actions users and teams can perform in repositories

Question 14

How do you assign repository access to a team in GitHub

Answer 14

Add the team to the repository and set the desired permission level

Question 15

What is the role of security groups in Azure DevOps

Answer 15

To organize users and manage permissions across projects and teams

Question 16

How do you restrict permission inheritance in Azure DevOps

Answer 16

Use custom security groups or set explicit permissions at project or resource level

Question 17

What is the benefit of using Teams in Azure DevOps

Answer 17

To manage permissions work items and notifications for a group of users

Question 18

What access level is given to users who can only view work items in Azure DevOps

Answer 18

Stakeholder access

Question 19

Who are outside collaborators in GitHub

Answer 19

Users invited to individual repositories with limited access to the organization

Question 20

What is the purpose of organizing projects in Azure DevOps

Answer 20

To logically separate workloads teams and security boundaries

Question 21

How do you add a new team to a project in Azure DevOps

Answer 21

Go to Project Settings Teams and select New team

Question 22

What is the principle of least privilege in DevOps security

Answer 22

Granting users and services only the access absolutely necessary

Question 23

Where should you store secrets keys and certificates for Azure pipelines

Answer 23

Azure Key Vault

Question 24

How can a pipeline access values from Azure Key Vault

Answer 24

Using an Azure Key Vault task or variable group in the pipeline

Question 25

What is a best practice for storing secrets in GitHub Actions

Answer 25

Store them as encrypted secrets at the repo or org level

Question 26

How do you prevent accidental exposure of secrets in pipeline logs

Answer 26

Mask secret values and avoid echoing values in output

Question 27

What is the Azure Pipelines secure files feature used for

Answer 27

Storing sensitive files like certificates for access during pipeline runs

Question 28

How do you upload a sensitive file to be used securely in Azure Pipelines

Answer 28

Store it as a secure file within the pipeline library

Question 29

What should you avoid in your scripts and templates to prevent secret leakage

Answer 29

Never hardcode secrets and do not print secret variables

Question 30

How does a pipeline variable marked as secret behave

Answer 30

Its value is redacted in logs to avoid exposure

Question 31

Name a method for limiting secret lifetime in automation

Answer 31

Use short-lived tokens or rotate secrets regularly

Question 32

What is dependency scanning in secure DevOps

Answer 32

Checking dependencies for known vulnerabilities or outdated versions

Question 33

What is code scanning used for in DevOps

Answer 33

Automatically analyzing source code for security vulnerabilities or bugs

Question 34

Which tool does Microsoft recommend for automating code scanning in GitHub

Answer 34

CodeQL

Question 35

What is a secret scan in the context of CI

Answer 35

Searching for credentials and sensitive values accidentally checked into source code

Question 36

How can you automate license compliance checks in open source projects

Answer 36

Use automated tools like Dependabot to report licensing compliance

Question 37

What does Microsoft Defender for Cloud DevOps Security provide

Answer 37

Integrated security analysis and monitoring for Azure DevOps and GitHub

Question 38

How do you enable Microsoft Defender for Cloud DevOps Security

Answer 38

Turn on Defender for DevOps under Microsoft Defender for Cloud settings

Question 39

What is GitHub Advanced Security used for

Answer 39

Advanced code scanning secret scanning and dependency review in GitHub and Azure DevOps

Question 40

How can GitHub Advanced Security be integrated with Azure DevOps

Answer 40

Enable Advanced Security in the Azure DevOps project then connect with GitHub Advanced Security

Question 41

How does Microsoft Defender for Cloud integrate with GitHub Advanced Security

Answer 41

Combines insights and alerts from both platforms for holistic security visibility

Question 42

What type of resources can be protected with GitHub Advanced Security

Answer 42

GitHub repositories and Azure DevOps repositories

Question 43

Which built-in tool can automatically update and scan dependencies in GitHub

Answer 43

Dependabot

Question 44

What is the role of CodeQL analysis within containers

Answer 44

It scans containerized application code for security vulnerabilities

Question 45

How do you initiate CodeQL analysis as part of a GitHub Actions workflow

Answer 45

Add the GitHub Actions CodeQL workflow to the repository

Question 46

What is container image scanning

Answer 46

Analyzing container images for security vulnerabilities and compliance issues

Question 47

Name a Microsoft service that provides container image scanning

Answer 47

Microsoft Defender for Containers

Question 48

Why is it important to scan open-source dependencies

Answer 48

To identify vulnerabilities and licensing issues before production

Question 49

How does Dependabot help manage open-source vulnerabilities

Answer 49

It creates alerts and pull requests with fixes for outdated or vulnerable packages

Question 50

What is a key benefit of using GITHUB_TOKEN over a personal access token

Answer 50

It is short-lived automatically rotated and restricted in scope

Question 51

Where are GitHub Actions secrets encrypted

Answer 51

On GitHub servers until used in a workflow

Question 52

How should you avoid exposing secrets in build output

Answer 52

Do not log or echo secret variables in scripts or pipeline steps

Question 53

What is a good practice for managing access to repository secrets in GitHub

Answer 53

Limit secret access to required workflows and individuals only

Question 54

What does Azure Key Vault provide for certificates

Answer 54

Secure certificate storage lifecycle management and access controls

Question 55

How do you reference Azure Key Vault secrets from an ARM template or Bicep file

Answer 55

Use a Key Vault reference as part of the template parameter

Question 56

What type of files should be stored as Azure Pipelines secure files

Answer 56

Certificates provisioning profiles or any sensitive deployment assets

Question 57

How do you remove unused secrets from a repository or pipeline

Answer 57

Delete them from the secrets management or key vault interface

Question 58

Why is regular secret rotation important for security

Answer 58

It reduces exposure from potential leaks or compromised credentials

Question 59

When configuring a service connection what is a security best practice

Answer 59

Use the minimum required permissions and enable approval if available

Question 60

What Azure DevOps feature allows granular pipeline run permissions

Answer 60

Pipeline permissions in project security settings

Question 61

How can you monitor unauthorized access attempts in DevOps platforms

Answer 61

Review audit logs and configure alerting on unusual activity

Question 62

What is the recommended way to share deployment credentials across multiple pipelines

Answer 62

Use a centrally managed vault such as Azure Key Vault or organization secrets

Question 63

How do you control which users can approve pipeline deployments

Answer 63

Set environment protection rules or approval policies

Question 64

What is one way to automate compliance checks in a DevOps pipeline

Answer 64

Add automated tasks or extensions for compliance scanning tools

Question 65

How is secret scanning enabled in GitHub repositories

Answer 65

Enable secret scanning in repository or organization settings with Advanced Security

Question 66

What does enabling GitHub Advanced Security provide to a repository

Answer 66

Enables code scanning secret scanning and dependency review features

Question 67

What is the recommended tool for security scanning in Azure DevOps

Answer 67

Microsoft Defender for Cloud DevOps Security or integrated third-party scanners

Question 68

How do you configure a GitHub App for fine-grained repository access

Answer 68

Set specific repository and organization permissions during app registration

Question 69

What is RBAC and how is it applied in Azure DevOps

Answer 69

Role-Based Access Control assigns user roles and permissions to restrict resources

Question 70

What is the best practice for providing access to a contractor in GitHub

Answer 70

Invite as an outside collaborator to relevant repositories only

Question 71

What type of information should never be committed to source control

Answer 71

Passwords private keys connection strings and API keys

Question 72

How do you keep sensitive configuration files safe during deployment

Answer 72

Store them as secure files and only decrypt when running in the appropriate environment

Question 73

What policy can you enable to require secret scanning in GitHub Actions workflows

Answer 73

Use required workflows and enable secret scanning at the org or repo level

Question 74

What is Azure DevOps Stakeholder access appropriate for

Answer 74

Users who need basic work tracking without contributing code or accessing resources

Question 75

How do you automate open source package vulnerability checks in GitHub

Answer 75

Enable Dependabot alerts for the repository

Question 76

What setting allows automatic dependency updates in Azure DevOps

Answer 76

Enable pipeline tasks for dependency updates or use extensions like Dependabot for Azure

Question 77

When integrating with a third-party service what is a safer credential storage method for pipelines

Answer 77

Use Azure Key Vault or GitHub secrets instead of plaintext variables

Question 78

How do you ensure deleted users no longer have access to your DevOps platform

Answer 78

Regularly audit memberships and use automated identity management controls

Question 79

What type of compliance scanning is critical in regulated environments

Answer 79

License verification vulnerability scans and audit logging

Question 80

How does CodeQL assist with compliance and security

Answer 80

Automatically identifies vulnerabilities and coding errors as part of the workflow

Question 81

How do you configure a pipeline to run security analysis on every pull request

Answer 81

Set triggers on pull requests to run security or code scanning jobs

Question 82

What environment variable provides the token in GitHub Actions workflows

Answer 82

GITHUB_TOKEN

Question 83

What is the benefit of using secret variables over plain variables in pipeline definitions

Answer 83

Secret variables are encrypted and masked in build logs

Question 84

How do you restrict which workflows can access a specific secret in GitHub

Answer 84

Configure secret access policy in repository or environment settings

Question 85

Why automate secret expiration and rotation

Answer 85

Limits the attack window if credentials are exposed

Question 86

What is a primary benefit of system-assigned Managed Identities

Answer 86

They automatically clean up with the resource and do not require user management

Question 87

How do you monitor compliance of open source dependencies

Answer 87

Automate dependency checks with tools like Dependabot or native scanning solutions

Question 88

What logging feature is crucial for investigating security incidents in pipelines

Answer 88

Centralized audit logs for access and pipeline actions

Question 89

How can you enforce multi-factor authentication for DevOps tool access

Answer 89

Configure MFA or SSO with organization identity providers

Question 90

How do you ensure that only authorized users can modify pipeline definitions

Answer 90

Restrict repository branch protection and pipeline editing permissions

Question 91

What is Secure DevOps Kit for Azure

Answer 91

A collection of tools and scripts for security best practices in Azure environments

Question 92

How do you integrate SAST Static Application Security Testing into CI workflows

Answer 92

Add SAST scanning tasks or steps in the build pipeline

Question 93

What is a recommended process for managing certificates in automated deployments

Answer 93

Store in a vault and use secure file tasks for deployment retrieval

Question 94

How do you ensure compliance checks are repeated for every deployment

Answer 94

Include automated compliance or security scanning steps in each pipeline run

Question 95

How is the audit trail maintained for pipeline usage and changes

Answer 95

Enable auditing and use source control for pipeline definitions

Question 96

What is the use of Azure Policies in the context of DevOps security

Answer 96

To enforce deployment standards and security rules automatically