Practice Free 312-97 EC-Council Certified DevSecOps Engineer (ECDE) Exam Questions Answers With Explanation

HashiCorp Vault provides a key-value (KV) secrets engine for securely storing sensitive data. To remove a secret from the KV store, the correct command is vault kv del . This command deletes the secret data at the specified path. Options using -delete or -del are syntactically incorrect, and vault kv delete is not a valid Vault CLI command. Proper secret deletion is an essential part of secret lifecycle management, especially when credentials may have been compromised. Performing this action during the Operate and Monitor stage helps contain security incidents, reduce exposure, and ensure that compromised secrets are no longer accessible. Timely deletion of secrets supports effective incident response and strengthens overall security posture.

========

Kubernetes uses namespaces to logically isolate resources such as pods, services, and deployments. When an application like Jenkins is deployed into a specific namespace, the correct way to view the pods running in that namespace is by using the -n (or --namespace) flag with the kubectl get pods command. The command kubectl get pods -n jenkins instructs Kubernetes to list all pods in the “jenkins” namespace. The other options use invalid or unrelated flags that are not supported for namespace selection. Verifying pod status during the Release and Deploy stage is essential to ensure that applications have been deployed successfully and are running as expected before exposing services or proceeding to monitoring. This step supports deployment validation and operational readiness in Kubernetes-based DevSecOps environments.

GitLab CI/CD pipelines are defined using a configuration file namedgitlab-ci.yml, which must be placed in the root directory of the repository. This file controls pipeline stages, jobs, and template inclusions. To integrate Checkmarx SCA using a predefined template, the template reference must be included in the root-level gitlab-ci.yml file so GitLab can load and execute the defined jobs automatically. The other filenames listed in the options are not recognized by GitLab as valid pipeline configuration files. Integrating SCA at the Code stage allows early detection of vulnerable open-source dependencies, reducing remediation cost and preventing insecure components from progressing further in the DevSecOps pipeline.

Chef InSpec provides a command-line interface for creating and executing compliance profiles. To initialize a new profile with the required directory structure, metadata file, and example controls, the correct command is inspec init profile . In Jeremy’s case, running inspec init profile jyren-azureTests creates a new folder with all required artifacts needed to write and run Azure compliance tests. Options using prof are invalid abbreviations, and prefixing the command with chef is incorrect when using the InSpec CLI directly. Creating a structured InSpec profile during the Build and Test stage enables automated validation of infrastructure against architectural standards and security policies, supporting Infrastructure as Code security and continuous compliance practices.

========

Git post-commit hooks are executed automatically after a commit is successfully created. To trigger the Jenkins build job configured to respond to commits, Alex must create a valid Git commit using the correct Git command. The standard command to commit changes with a message is git commit -m "commit from terminal". Running this command records the changes in the repository and triggers the post-commit hook, which in turn initiates the Jenkins build. Commands using github commit are invalid because github is not a native Git command-line utility. The -b flag is also not used with git commit. Automating build triggers during the Code stage improves efficiency, reduces manual intervention, and ensures continuous integration is consistently enforced.

========

Burp Suite’sOut-of-band Application Security Testing (OAST)feature is designed to detect vulnerabilities that do not produce immediate or visible responses during standard scanning. OAST works by triggering interactions such as DNS or HTTP callbacks, which occur outside the normal request-response cycle. This capability enables detection of blind vulnerabilities like blind SQL injection and server-side request forgery. Because findings are based on confirmed external interactions, OAST significantly reduces false positives. The other options listed are not valid Burp Suite features. Integrating OAST during the Build and Test stage improves the accuracy of dynamic security testing and ensures deeper coverage of complex and hard-to-detect vulnerability classes before applications are released.

========

Keywhiz CLI requires authentication before secrets can be added. The correct process involves logging in using the --devTrustStore option and authenticating as an administrator using the --admin flag. Once authenticated, the add secret command is used with input redirection to securely store the secret. Options that use incorrect flag names, incorrect casing, or invalid trust store identifiers do not follow Keywhiz CLI syntax. Adding secrets through Keywhiz instead of embedding them in code supports secure secret distribution and management, which is a fundamental aspect of DevSecOps culture. This approach ensures secrets remain protected, auditable, and available even during outages.

Azure Container Instances (ACI) exposes container logs via the Azure CLI using the az container logs command. To retrieve logs, you must provide the resource group and the container group name using the long-form parameters --resource-group and --name. Option A matches the correct CLI structure and parameter format: az container logs --resource-group ACI --name aci-test-closh. Options B and D incorrectly use single-dash forms (-resource-group and -name), which are not valid for these long option names. Options C and D incorrectly use azure instead of az; the Azure CLI command group is invoked with az, not azure. Getting logs after deployment review is a critical Operate and Monitor activity: it helps confirm the container started correctly, diagnose runtime errors, and validate that runtime protection (such as a RASP/micro-agent) is functioning. This visibility supports faster incident response and helps ensure the containerized workload remains secure and stable in its runtime environment.

========

Kubernetes clusters are managed and inspected using the kubectl command-line tool. To verify whether a Kubernetes cluster is functioning correctly, administrators commonly run kubectl version to confirm that both the client and server components are reachable and operational. This is followed by kubectl cluster-info, which displays information about the cluster’s control plane and core services. These commands together confirm API server availability, cluster connectivity, and basic health status. The other options list invalid command names such as kube, kubernetes, or kube-etcd, which are not used for standard cluster validation. Performing these checks during the Operate and Monitor stage helps quickly identify whether application issues stem from cluster-level problems or application-level misconfigurations. This supports faster troubleshooting and more reliable production operations.

========

The practices described—access management, defense in depth, minimizing third-party dependencies, and securing weak links—are all architectural and design-level decisions. These controls are not merely coding techniques or configuration defaults but reflect security being embedded into the system’s blueprint from the earliest stages. This aligns directly with theSecure by Designprinciple, which emphasizes proactively designing systems to resist attacks rather than reacting to vulnerabilities later. Secure by implementation focuses on writing correct and safe code, secure by default focuses on initial configuration settings, and secure by communication addresses trust and confidentiality in communication channels. Orange International’s approach demonstrates a holistic security mindset that anticipates threats and integrates protective measures throughout the system architecture, making Secure by Design the correct choice.

========

The correct installation procedure for the Sqreen PHP microagent involves downloading the installer script and executing it with the organization token and application name. The curl -s option downloads the script silently, while the > redirection operator saves it locally as sqreen-install.sh. The script is then executed using bash, passing the required token and app name as parameters. Options using input redirection (<) are incorrect because they do not save the downloaded script to a file. The -i option includes HTTP headers in the output, which is unnecessary and could corrupt the script. Installing the microagent correctly enables runtime monitoring, attack detection, and automatic blocking, supporting strong runtime security during the Operate and Monitor stage.

========

AWS CodeCommit is a fully managed, AWS-hosted source control service that allows teams to store and manage source code, binaries, and other digital assets securely in the cloud. It supports Git-based repositories and integrates seamlessly with other AWS DevOps services such as CodeBuild, CodePipeline, and CodeDeploy. CodePipeline orchestrates CI/CD workflows, CodeBuild performs build and test operations, and CodeDeploy automates application deployment—but none of these are version control systems. For organizations migrating from on-prem to AWS, CodeCommit provides fine-grained access control using IAM, encryption at rest and in transit, and high availability without the need to manage infrastructure. Using CodeCommit during the Code stage supports secure collaboration, version tracking, and centralized source control aligned with DevSecOps best practices.

========

Git requires developers to configure their identity using two specific configuration keys:user.nameanduser.email. These values are embedded into every commit and are essential for accountability, auditing, and collaboration. The correct configuration syntax uses dot-separated key names (user.name and user.email) and the --global flag to apply the settings across all repositories on the system. Among the provided options, only optionBuses the correct configuration keys. The other options use invalid key names such as user-name, user_name, or incorrect command structure. Although the options display a minor command typo (“get config” instead of git config), the question is clearly testing knowledge of the correct Git configuration keys. Configuring Git identity in the Code stage ensures accurate commit history and supports traceability across the DevSecOps pipeline.

Jenkins automatically assigns a unique identifier to each build using the environment variableBUILD_ID. When integrating OWASP ZAP with Jenkins, appending ${BUILD_ID} to output filenames or reports ensures that every scan result corresponds to a specific build execution. This avoids overwriting previous reports and allows traceability between build artifacts and security findings. Variables such as ${ZAPROXY_HOME} refer to installation paths, not build uniqueness, while ${Profile_ID} and ${zap_scan} are not standard Jenkins variables for uniquely identifying builds. Using ${BUILD_ID} supports better auditing, historical analysis, and correlation between detected vulnerabilities and the exact build in which they were found, which is critical during the Build and Test stage of a DevSecOps pipeline.

========

Interactive Application Security Testing (IAST) solutions are classified based on how they interact with the application and runtime environment. In this scenario, the solution uses aweb scannerto actively send requests to the application while also deploying anagent inside the application serverto observe runtime behavior and map vulnerabilities directly to source code locations. This combined approach is known assemi-active IAST. It is considered “semi-active” because it actively drives traffic through the application using a scanner, while the agent passively observes execution paths, data flows, and method calls. Passive IAST solutions rely only on observing existing traffic and do not use scanners, while active IAST solutions do not typically rely on deep runtime agents in the same manner. Semi-active IAST significantly reduces false positives and provides precise remediation details, making it highly effective during the Build and Test stage, where applications are actively exercised and security issues can be identified and fixed before release.

========

When integrating security controls at the CDN edge with AWS CloudFront, the typical deployment model usesLambda@Edge, which allows code to execute at CloudFront edge locations on viewer request/response or origin request/response events. Deploying the tCell agent “as a CloudFormation stack” describes packaging the required AWS resources (IAM roles, functions, permissions, and CloudFront associations) into infrastructure-as-code, but the actual attachment point for CloudFront request/response processing is Lambda@Edge. Option C correctly reflects this: “plugging into CloudFront through Lambda@Edge.” Standard Lambda functions run in regional AWS environments and cannot directly run at CloudFront edge locations in the same way; therefore, “CloudFront through Lambda Function” is not the best match for edge enforcement needs like CSP handling and redirect protections. Options that claim “plugging into CloudFormation” misunderstand CloudFormation’s role: it deploys resources, but it is not the runtime integration point. Hence, CloudFront + Lambda@Edge is the correct deployment approach.

The docker save command exports one or more Docker images to a tar archive by writing the image data to standard output (STDOUT). To redirect this output into a file, the > redirection operator is used. The correct syntax is docker save > .tar. In this scenario, the image repository name is centos, and the desired archive file is centos-all.tar, making option B correct. Options C and D incorrectly use input redirection (<) instead of output redirection. Option A includes a space in the filename (centos all.tar), which would be interpreted as two separate arguments and cause an error unless quoted. Saving images to a tar archive is a common operational task used for backups, transfers between environments, or offline analysis during the Operate and Monitor stage.

========

AWS Inspector is a managed vulnerability assessment service designed specifically to scan workloads running on Amazon EC2 instances and container images for security vulnerabilities and unintended network exposures. It automatically evaluates instances against known vulnerabilities and security best practices, providing detailed findings and risk severity levels. AWS WAF protects web applications from common web exploits but does not perform host-based vulnerability scanning. AWS Config tracks configuration changes and compliance but does not actively scan workloads for vulnerabilities. Amazon CloudWatch focuses on monitoring logs, metrics, and alarms rather than security scanning. For a Spring Boot microservices application deployed on EC2, AWS Inspector is the correct choice to continuously assess security posture during the Build, Deploy, and Operate phases of the DevSecOps pipeline.

========

The Warnings Next Generation Plugin in Jenkins is designed tocollect, aggregate, visualize, and manage static analysis resultsproduced by various tools, including Brakeman. In this scenario, Dave uses Brakeman to scan Ruby on Rails applications for security vulnerabilities. Brakeman generates output files containing findings, and the Warnings Next Generation Plugin parses these results and presents them in a standardized, user-friendly format within Jenkins. This allows teams to track trends, enforce quality gates, and fail builds based on severity thresholds. The plugin does not inspect TypeScript code, validate compiler settings, or control Brakeman’s execution logic. Its role is purely to manage and display analysis results. Using this plugin during the Code stage improves visibility into security issues, supports decision-making, and helps enforce security standards across the development lifecycle.

========

ThreatModeler integration with Azure Pipelines is achieved using abidirectional API, which allows automated and continuous interaction between the pipeline and the threat modeling platform. This bidirectional communication enables Azure Pipelines to trigger threat modeling activities while also receiving results, risk scores, and actionable insights back from ThreatModeler. Such feedback loops are critical for proactive security decision-making during the Plan stage of DevSecOps. Unidirectional APIs or UI-based integrations limit automation and do not support continuous feedback, making them unsuitable for pipeline-driven workflows. UI-based approaches also introduce manual steps, which conflict with DevSecOps principles of automation and consistency. By using a bidirectional API, William’s organization can embed threat modeling into the planning process, identify architectural risks early, and ensure security considerations are continuously enforced as part of the pipeline.

========

The Jscrambler configuration file .jscramblerrc is written inJSON format. JSON is widely used for configuration because it is lightweight, human-readable, and easily parsed by tools in CI/CD pipelines. Removing access and secret keys from this file is a recommended security practice to prevent credential leakage when the repository is shared or stored in version control. Instead, credentials are typically injected through environment variables or secure CI/CD secrets. XML, YAML, and HTML are not the formats used by Jscrambler for its primary configuration file. Using JSON-based configuration during the Code stage allows consistent integration with GitLab pipelines while maintaining secure handling of sensitive data.

========

Chef InSpec executes compliance tests using the inspec exec command. When testing Azure infrastructure, InSpec requires a target specification using the -t flag with the Azure transport identifier azure://. The correct command is inspec exec inspec-tests/integration/ -t azure://. Options using exe instead of exec are invalid due to incorrect command spelling. Options that use the -it flag misuse command-line parameters that are not intended for target selection. Running InSpec tests in this way allows DevSecOps teams to validate that Azure resources comply with architectural, security, and regulatory requirements. Integrating these checks into the Build and Test stage ensures continuous compliance and reduces the risk of insecure infrastructure reaching production environments.

========

CloudMapper requires read-only access to AWS resources in order to collect metadata, visualize architectures, and perform security analysis without modifying infrastructure. The AWS-managed policySecurityAuditprovides permissions to view security-related configuration across services, whileViewOnlyAccessallows read-only access to AWS resources more broadly. Together, these policies enable CloudMapper to gather comprehensive information about the AWS environment without granting write privileges. The other options either reference invalid policy names, incorrect formatting, or excessive permissions such as AWSLambdaFullAccess, which are unnecessary and violate least-privilege principles. Granting SecurityAudit and ViewOnlyAccess aligns with secure auditing practices during the Operate and Monitor stage.

========

The BDD Security framework is executed through Gradle wrapper commands, and the correct wrapper script on Unix-like systems is ./gradlew (dot-slash indicates “run the wrapper from the current directory”). Options using /gradlew or /gradlev imply an absolute path at filesystem root and are typically incorrect for a cloned project. Also, the wrapper name isgradlew, notgradlev. For executing only the authentication feature (or scenarios tagged for authentication), Cucumber tag expressions are used through the -Dcucumber.options system property. The command must include --tags @authentication to select authentication-tagged scenarios. To skip scenarios tagged “skip,” the exclusion operator is used as --tags ~@skip (meaning “exclude @skip”). Options A and B incorrectly include --tags @skip which wouldincludeskipped tests rather than exclude them. Therefore, ./gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" is the correct choice to run authentication scenarios while excluding anything marked to skip.

========

To complete Azure Key Vault integration with Jenkins, Kevin must createnew credentialsin Jenkins underGlobal Credentials (unrestricted). These credentials store the Azure client ID, client secret, tenant ID, and subscription details required by the Azure Key Vault plugin to authenticate securely. Modifying old credentials can lead to misconfiguration or credential reuse risks, while restricted credentials may prevent the plugin from accessing secrets across pipelines. Creating new unrestricted credentials ensures proper authentication and controlled access to secrets during the Code stage, supporting secure secret management across CI/CD workflows.