Free Microsoft Cybersecurity SC-100 Actual Exam Questions - Question 14 Discussion
HOTSPOT Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure to integrate DevSecOps processes into continuous integration and continuous deployment (CI/CD) DevOps pipelines. You need to recommend which security-related tasks to integrate into each stage of the DevOps pipelines. What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
I’m thinking secret scanning should be part of both build and release. Catching secrets early helps prevent bad commits, but doing it again before release adds a safety net. Static analysis and vulnerability scans make sense in the build phase since you want to stop issues from moving forward. Compliance checks seem better suited for release since that’s the final gate before deployment. Splitting secret scanning across build and release feels like a solid way to cover all bases without slowing down the pipeline too much.
Static code analysis and vulnerability scanning definitely fit best in the build phase to catch issues early. Secret scanning works better in release to avoid pushing sensitive data into production accidentally.
I'd put compliance checks at release too since that's when you verify everything before going live. Static code analysis and vulnerability scanning fit the build phase so you catch problems before deployment.
I'd say static code analysis and vulnerability scanning fit early in the build phase to block issues quickly, while secret scanning should go later in release to avoid leaking sensitive info in production.
Another way to think about this is focusing on automation benefits. Static code analysis and vulnerability scanning should run during the build phase since they can block bad code from moving forward early. Secret scanning and compliance checks are more suited to the release phase because they verify configurations and policies right before deployment. This separation helps catch different issues at the most effective times without slowing down builds unnecessarily. It’s about timing each task where it adds the most value without creating bottlenecks.
Another way to look at this is by focusing on when you get the most value from each task. Static code analysis and vulnerability scans catch coding flaws and dependencies early, so definitely best in the build phase. Secret scanning needs access to environment variables and config files, which are more finalized at release, so that fits there. Compliance checks often require a full package or deployment context, so they also belong in release to make sure everything aligns before going live. This division helps prevent costly fixes later and keeps pipelines efficient without blocking too long.
Static code analysis fits best in build; secret scanning suits release stage.
I’d put static code analysis and vulnerability scans in the build stage for early detection, then move secret scanning and compliance checks to the release stage to catch anything before deployment.
This question feels kinda broad and vague. The Microsoft Cloud Adoption Framework covers a lot, and DevSecOps touches everything from code scanning to secrets management. Not sure if they want static code analysis in build, security tests in release, or what exactly for each stage. Anyone else find the way they phrased it confusing? I’d put vulnerability scanning in CI and access controls maybe at deployment, but not 100% sure how they want it mapped here.