Q: 12
HOTSPOT. Your company plans to follow the DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure to integrate DevSecOps processes into continuous integration and continuous deployment (CI/CD) DevOps pipelines. You need to recommend which security-related tasks to integrate into each stage of the DevOps pipelines. What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Discussion
I got a similar scenario in a lab recently. Infrastructure scanning fits best with build and test since you want to catch IaC issues early, and SAST is typically on commit so you catch code issues before merging. Anyone disagree?
Which pipeline stage would you put infrastructure scanning in according to MS DevSecOps best practices?
Why pick SAST at build/test? MS DevSecOps guidance usually puts SAST at the commit stage, with infra scanning happening during build and test. The build/test option for SAST can seem tempting but isn't best practice here.
Infrastructure scanning fits better at build and test, SAST at commit the code. I get why some pick SAST for build/test since you can scan there too, but in MS DevSecOps best practices it’s usually triggered right at commit to catch issues early. Let me know if you see it differently.
So tired of these MS hotspot pipeline stage questions, always feel overly picky with wording. Build and test for infra scanning, commit the code for SAST.
