Linux Foundation CNPA Exam - Topic 3 Question 2 Discussion

Actual exam question for Linux Foundation's CNPA exam

Question #: 2
Topic #: 3

[All CNPA Questions]

In the context of platform engineering and the effective delivery of platform software, which of the following statements describes the role of CI/CD pipelines in relation to Software Bill of Materials (SBOM) and security scanning?

ASBOM generation and security scanning are particularly valuable for application software. While platform software may have different security considerations, these practices are highly beneficial within CI/CD pipelines for applications.

BCI/CD pipelines should integrate SBOM generation and security scanning as automated steps within the build and test phases to ensure early detection of vulnerabilities and maintain a clear inventory of components.

CCI/CD pipelines are designed to accelerate the delivery of platform software, and adding SBOM generation and security scanning would slow down the process, so these activities are better suited for periodic audits conducted outside of the pipeline.

DCI/CD pipelines are primarily for automating deployments; SBOM generation and security scanning are separate, manual processes performed after deployment.

Show Suggested Answer

Suggested Answer: B

Modern platform engineering requires security and compliance to be integral parts of the delivery process, not afterthoughts. CI/CD pipelines are the foundation for delivering platform software rapidly and reliably, and integrating SBOM generation and automated vulnerability scanning directly within pipelines ensures that risks are identified early in the lifecycle.

Option B is correct because it reflects recommended practices from cloud native platform engineering standards: SBOMs provide a transparent inventory of all software components, including dependencies, which is crucial for vulnerability management, license compliance, and supply chain security. By automating these steps in CI/CD, teams can maintain both velocity and security without manual overhead.

Option A downplays the relevance of SBOMs for platform software, which is inaccurate because platform components (like Kubernetes operators, ingress controllers, or logging agents) are equally susceptible to vulnerabilities. Option C dismisses automation in favor of periodic audits, which contradicts the shift-left security principle. Option D misunderstands CI/CD's purpose: security must be integrated, not separated.

--- CNCF Supply Chain Security Whitepaper

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

by Ernest at Oct 01, 2025, 05:16 PM

Limited Time Offer

25%

5 months ago

I think option B sounds like the best approach. Integrating SBOM and security scanning into the CI/CD pipeline makes a lot of sense to catch issues early.

upvoted 0 times

...