Q37 — AWS DOP-C02 Ch.1

A company stores application source code based on a tiered architecture in AWS CodeCommit. The company deploys applications using AWS CodePipeline. The CodeCommit repository and CodePipeline are deployed in the same AWS account. The company’s security team requires scanning all code for vulnerabilities before deployment to production. If any vulnerabilities are found, deployment must halt.

Correct Answer: A. Create a new CodeBuild project. Configure the project to run a security scan using Amazon CodeGuru Security. Configure the CodeBuild project to fail if CodeGuru Security detects vulnerabilities. Create a new IAM role with sufficient permissions to run CodeGuru Security scans and assign it to the CodeBuild project. In the pipeline, add a new stage before the deploy stage. Select AWS CodeBuild as the action provider for the new stage. Use source artifacts from the CodeCommit repository and configure the action to use the CodeBuild project.

Explanation

Amazon CodeGuru Security is designed for static application security testing (SAST) of source code and integrates natively with AWS CodeBuild and CodePipeline. Option A correctly configures CodeBuild to execute CodeGuru Security scans during the build phase and fails the build on vulnerability detection—blocking deployment. Amazon Inspector assesses running workloads, not source code; DevOps Guru focuses on operational insights and anomaly detection—not code vulnerability scanning. Options C and D incorrectly treat DevOps Guru or CodeGuru Security as direct pipeline action providers, bypassing the required CodeBuild execution context and failure handling.