Coverity is a well-known Static Application Security Testing (SAST) tool used to analyze source code for security vulnerabilities, coding errors, and quality issues. It integrates with CI/CD pipelines and supports enterprise-scale environments, including cloud-based development on platforms such as Azure. Accurics focuses on Infrastructure as Code security, Tenable.io is a vulnerability management platform for infrastructure and assets, and DevSkim is a lightweight code scanning extension rather than a full SAST platform. Selecting Coverity enables deep static analysis of application code during the Code stage, helping teams detect vulnerabilities early and reduce remediation costs.

========

Git post-commit hooks are executed automatically after a commit is successfully created. To trigger the Jenkins build job configured to respond to commits, Alex must create a valid Git commit using the correct Git command. The standard command to commit changes with a message is git commit -m "commit from terminal". Running this command records the changes in the repository and triggers the post-commit hook, which in turn initiates the Jenkins build. Commands using github commit are invalid because github is not a native Git command-line utility. The -b flag is also not used with git commit. Automating build triggers during the Code stage improves efficiency, reduces manual intervention, and ensures continuous integration is consistently enforced.

========

BeSECURE is a vulnerability management and assessment solution designed for continuous scanning of both network and application vulnerabilities. It emphasizes flexibility, accuracy, low maintenance overhead, and frequent updates to vulnerability detection mechanisms. These characteristics align directly with the scenario described, where the organization requires continuous scanning, daily updates, and specialized testing methodologies to detect a wide range of vulnerabilities. SonarQube focuses on static code quality and security analysis during development, Black Duck is primarily used for open-source software composition analysis, and Shadow Daemon is a web application firewall rather than a comprehensive vulnerability management solution. Using BeSECURE during the Operate and Monitor stage allows organizations to maintain ongoing visibility into their security posture, detect new vulnerabilities as they emerge, and reduce the likelihood of repeat attacks by addressing weaknesses proactively.

========

SonarLint is a static code analysis tool designed specifically to be used inside developers’ IDEs, where it provides immediate feedback while code is being written. It highlights bugs, security vulnerabilities, and code smells and, importantly, provides clear remediation guidance that explains why an issue exists and how it can be fixed. This aligns directly with Debra’s requirement to fix issues “before they exist,” meaning before code is committed to the repository. Arachni and OWASP ZAP are dynamic application security testing tools that require a running application and are typically used later in the pipeline. Tenable.io is a vulnerability management platform focused on infrastructure and application scanning rather than real-time developer feedback. By using SonarLint, developers receive continuous guidance during coding, supporting the shift-left security approach in DevSecOps and reducing the cost and effort of fixing vulnerabilities later in the lifecycle.

========

In a mature DevSecOps pipeline, security controls are enforced as gates , not merely as informational checks. When an SCA tool detects a critical vulnerability in a dependency—whether direct or transitive—the correct response at the Build and Test stage is to fail the build . This prevents vulnerable artifacts from moving forward into later stages such as deployment or production, where remediation would be more expensive and risky. Allowing the build to continue, even with notifications, contradicts the shift-left security principle. Ignoring transitive dependencies is also dangerous, as many real-world vulnerabilities originate from indirect libraries. Failing the build forces developers to remediate the issue immediately by upgrading, replacing, or mitigating the vulnerable dependency. This approach reduces attack surface, enforces accountability, and ensures that only secure artifacts are released. Therefore, stopping the pipeline upon detection of critical vulnerabilities reflects a strong DevSecOps maturity model and effective security governance.

The practices described—access management, defense in depth, minimizing third-party dependencies, and securing weak links—are all architectural and design-level decisions. These controls are not merely coding techniques or configuration defaults but reflect security being embedded into the system’s blueprint from the earliest stages. This aligns directly with the Secure by Design principle, which emphasizes proactively designing systems to resist attacks rather than reacting to vulnerabilities later. Secure by implementation focuses on writing correct and safe code, secure by default focuses on initial configuration settings, and secure by communication addresses trust and confidentiality in communication channels. Orange International’s approach demonstrates a holistic security mindset that anticipates threats and integrates protective measures throughout the system architecture, making Secure by Design the correct choice.

========

Chef InSpec executes compliance tests using the inspec exec command. When testing Azure infrastructure, InSpec requires a target specification using the -t flag with the Azure transport identifier azure://. The correct command is inspec exec inspec-tests/integration/ -t azure://. Options using exe instead of exec are invalid due to incorrect command spelling. Options that use the -it flag misuse command-line parameters that are not intended for target selection. Running InSpec tests in this way allows DevSecOps teams to validate that Azure resources comply with architectural, security, and regulatory requirements. Integrating these checks into the Build and Test stage ensures continuous compliance and reduces the risk of insecure infrastructure reaching production environments.

========

GitHub Code Scanning is a built-in security capability designed to automatically analyze source code for security vulnerabilities and coding errors. The primary and officially supported engine for GitHub Code Scanning is CodeQL . CodeQL works by converting source code into a database and running security queries to detect issues such as injection flaws, insecure coding patterns, and logic errors. William can enable CodeQL by configuring GitHub Actions with either the default or advanced CodeQL workflow. Once enabled, CodeQL scans are triggered on events such as code pushes and pull requests, and the results appear as code scanning alerts in the repository’s Security tab. Gauntlt is a security testing harness used mainly for infrastructure and application testing, GitMiner is used to discover sensitive data like secrets in repositories, and OWASP ZAP is a dynamic application security testing tool used against running applications. None of these tools configure GitHub’s native Code Scanning feature. Therefore, CodeQL is the correct tool to set up GitHub Code Scanning in the Code stage of a DevSecOps pipeline.

========

To clone a repository from GitHub, the correct command is git clone followed by the accurate repository URL. The organization name continuumsecurity and repository name bdd-security must be spelled correctly for the command to succeed. Options using github clone are invalid because github is not a standard Git command-line utility. Options with misspelled organization names will result in errors. Cloning security testing frameworks during the Code stage enables DevSecOps engineers to evaluate, customize, and integrate security automation tools into development workflows, supporting secure application development and testing practices.

Ubuntu systems use the Advanced Package Tool (APT) for installing and managing software packages. The correct syntax for installing a package is sudo apt-get install < package-name > . In this case, the OpenSSH server package required for secure remote access is named openssh-server, making sudo apt-get install openssh-server the correct command. Options using apt.get are invalid because the command syntax is incorrect. Options that include the -s flag only simulate the installation process and do not actually install the package. Installing OpenSSH is often required when integrating Docker Bench with Jenkins, as it enables secure communication and remote execution of compliance checks. Performing this setup during the Build and Test stage ensures that container hosts comply with Docker CIS Benchmark recommendations, helping organizations identify misconfigurations and security weaknesses early in the pipeline.

========