Building and implementing CI/CD pipelines
Drill 20 practice questions focused entirely on Building and implementing CI/CD pipelines for the Google Cloud PCDE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your team builds container images in Cloud Build and pushes them to Artifact Registry. Security requires that every image be automatically scanned for OS-level vulnerabilities as soon as it is stored, and that developers be able to query the findings without running any additional scanning jobs in the pipeline. You want the least-effort, native approach. What should you do?
Your team runs a GKE production cluster and wants to guarantee that only container images that have passed an automated vulnerability scan and were built by your official Cloud Build pipeline can be deployed. Images built on developer laptops or without a scan must be rejected at deploy time. Which approach best meets this requirement?
Your team uses Cloud Build to build container images that are pushed to a Docker repository in Artifact Registry. After a recent incident, an engineer accidentally re-pushed a new image using an existing tag (v1.4.2) that had already been deployed to production, causing confusion about which binary was actually running. You need to guarantee that once a tagged image is published, that exact tag can never be overwritten by a later push, while still allowing new tags. What should you do?
Your team's Cloud Build pipeline builds a large Java microservice. Each build downloads all Maven dependencies from scratch, and the container image is rebuilt entirely on every commit, causing builds to take over 20 minutes. You want to reduce build times without changing the application source. Which approach should you implement?
Your team hosts application source in GitHub and uses a Cloud Build trigger connected via the Cloud Build GitHub App. Developers open pull requests against the main branch. Leadership mandates that no code can be merged into main unless an automated build-and-test run has succeeded, and the merge must be blocked in the GitHub UI until that check passes. What is the correct way to enforce this?
Your team's Cloud Build pipeline compiles a Go binary and produces a container image. Currently the build succeeds but downstream Cloud Deploy releases cannot find the image, and audits show the built image is never stored in a central location. You need the build to reliably publish the container image to Artifact Registry so it can be referenced by digest in later stages. Which approach correctly ensures the image is pushed and its digest is recorded?
Your team's Cloud Build pipeline runs unit tests, three independent integration test suites, and a static code analysis scan. Currently all steps run sequentially, and the build takes 22 minutes, causing developer frustration. The three integration suites do not depend on each other, and the static analysis does not depend on any tests. You need to reduce total build time without removing any of the checks. What should you do?
Your platform team runs a single Cloud Build project that hosts triggers for dozens of application repositories. Currently all triggers execute using the default Cloud Build service account, which has broad Editor-level permissions across the project. A security audit flags this as excessive: a compromised build for one low-privilege app could push images and deploy to resources belonging to other teams. You must reduce blast radius while keeping each pipeline able to perform only the actions it needs. What should you do?
Your team uses a single Cloud Build pipeline that builds a container image, runs unit tests, pushes to Artifact Registry, and then deploys to a production GKE cluster. Compliance now requires that a human release manager explicitly approve the build before the production deployment steps run, while all earlier build and test steps continue to run automatically on every commit to main. You want the least complex change that satisfies this requirement natively in Cloud Build. What should you do?
Your team's Cloud Build pipeline runs integration tests that must connect to a Cloud SQL instance and internal microservices that only have private IP addresses inside a VPC. The default Cloud Build workers cannot reach these private resources, and security policy prohibits exposing the database or services to public IPs. You need the build's integration test step to successfully reach the private resources with minimal ongoing maintenance. What should you do?
Your security team requires that every container image built by your Cloud Build pipelines includes verifiable build provenance so that downstream consumers can confirm the image was produced by your trusted build system and has not been tampered with. You want to minimize custom scripting and use native platform capabilities. What should you do?
Your platform team runs a Cloud Build pipeline that builds container images, pushes them to Artifact Registry, and then deploys to a GKE cluster via Cloud Deploy. A recent security audit found that a developer was able to manually deploy an image that had never passed through the official build pipeline. Leadership now requires that only images produced by your trusted Cloud Build pipeline can ever be deployed to the production GKE cluster, and that this rule is enforced at admission time regardless of who or what initiates the deployment. Which approach best satisfies this requirement?
Your team maintains a Cloud Build pipeline that runs a lightweight unit-test build on every push to any branch. Separately, you need a heavier end-to-end integration suite that provisions ephemeral resources and takes about 45 minutes to run. The business requirement is that this integration suite runs automatically once every night at 02:00 against the latest commit on the main branch, without any developer having to push code or click a button. Which approach best meets this requirement?
Your team maintains a Cloud Build pipeline that builds and pushes container images to Artifact Registry. Currently a single trigger fires on every push to any branch and always tags images as 'latest'. The release manager wants a separate, repeatable release flow: when a semantic version Git tag (e.g., v1.4.2) is pushed, the pipeline should build an image tagged with that exact version string and push it to a 'release' repository, without changing the existing branch-based development builds. What is the most appropriate way to implement this?
Your team maintains a monorepo in Cloud Source Repositories containing a payment microservice. You must ensure that unit and integration tests run automatically only when a pull request targets the 'main' branch, and that a container image is built and pushed to Artifact Registry only after a commit is merged into 'main'. Developers frequently open feature branches, and you want to avoid running the full test-and-build pipeline on every feature branch push. Which approach best implements this using Cloud Build triggers?
Your team maintains a microservice that is built by a Cloud Build trigger on every merge to the main branch. Currently, an engineer manually runs 'gcloud deploy releases create' after each successful build to push the image through the dev, staging, and prod delivery pipeline. Leadership wants every successful main-branch build to automatically create a new Cloud Deploy release and begin rollout to the dev target, while preserving the existing manual approval gate before staging. What is the most appropriate way to connect the build to the delivery pipeline?
Your organization runs a Cloud Build pipeline that builds container images and pushes them to Artifact Registry. Security requires that only images verifiably produced by the trusted pipeline can be deployed to your production GKE cluster, and that no developer can manually push an arbitrary image that gets deployed. You have already enabled Binary Authorization on the cluster. What is the most appropriate way to complete the supply-chain control so that only pipeline-built images are admitted?
Your team hosts application source code in a self-managed GitLab instance running inside your corporate network, which is not one of Cloud Build's natively integrated SCM providers. You want each merge to the main branch to automatically start a Cloud Build pipeline. The GitLab server can make outbound HTTPS calls to Google Cloud APIs. Which approach lets you trigger the build while protecting the trigger endpoint from unauthorized invocation?
Your team uses Cloud Deploy with a delivery pipeline spanning dev, staging, and prod targets. Currently an engineer manually promotes each release from staging to prod after it has run in staging for a while. Leadership wants releases to automatically promote from staging to prod, but only after the release has soaked in staging for at least 12 hours with no issues, while still keeping a manual approval requirement on the prod target. What should you configure?
Your team runs a payment API on GKE and uses Google Cloud Deploy for releases to production. Compliance requires that a fully provisioned copy of the new version receive synthetic transaction tests before any live customer traffic is shifted, and that traffic can be reverted to the previous version within seconds if the tests reveal a problem. Which deployment strategy configuration in Cloud Deploy best meets these requirements?
More PCDE practice
Keep going with the other Professional Cloud DevOps Engineer domains, or take a full timed mock exam.
← Back to PCDE overview