What recent security tool or practice have you adopted, and what risk did it reduce? [Advanced]
Answer
A recent practice I would highlight is keyless artifact signing with OIDC-based CI identity and admission verification. It reduces the risk of deploying tampered or untrusted images and removes long-lived signing keys from CI.
Technical explanation
The CI workflow signs the immutable image digest using its OIDC identity.
Provenance and SBOM attestations are attached to the artifact.
A Kubernetes admission controller verifies the signature and the trusted workflow identity that produced it before the image may be deployed to production.
Hands-on example
Example: implement cosign keyless signing in GitHub Actions, generate SLSA provenance, store SBOM attestations, and configure Kyverno or Sigstore policy-controller to allow only images signed by org/repo release workflows from protected branches.
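The admission side of that procedure, as an added example rather than text from the original answer: a Kyverno ClusterPolicy that admits a Pod only when its image carries a keyless signature, a SLSA provenance attestation and an SPDX SBOM attestation, all issued to one release workflow on the main branch. The registry, org, repository and workflow file name are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-release-workflow-signature
spec:
  # Enforce rejects the Pod instead of only auditing the violation
  validationFailureAction: Enforce
  background: false
  rules:
    - name: keyless-signature-and-attestations
      match:
        any:
          - resources:
              kinds: ["Pod"]
              namespaces: ["production"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # placeholder registry and org
          # Rewrite tag references to the verified digest so the image that
          # runs is exactly the one whose digest was signed
          mutateDigest: true
          required: true
          attestors:
            - entries:
                # Keyless: trust is bound to the OIDC identity in the Fulcio
                # certificate, not to a long-lived key. The subject is the
                # GitHub Actions workflow URL plus the git ref; pinning it to
                # one release workflow on a protected branch rejects images
                # signed from feature branches or from another repository.
                - keyless: &release-signer
                    subject: "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
          # Both attestations must be present and signed by the same identity
          attestations:
            - type: https://slsa.dev/provenance/v1      # SLSA provenance
              attestors:
                - entries:
                    - keyless: *release-signer
            - type: https://spdx.dev/Document           # SBOM (cosign --type spdxjson)
              attestors:
                - entries:
                    - keyless: *release-signer
```

A signature made with a static cosign key, or a keyless signature whose certificate names any other subject or issuer, fails verification and the Pod is rejected at admission.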