Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. EC-Council
  3. 312-97

EC-Council 312-97 Exam (page: 1)
EC-Council Certified DevSecOps Engineer (ECDE)
Updated on: 19-Feb-2026

Viewing Page 1 of 14
312-97 PDF 100 Questions

(William Scott, after completing his graduation in computer science, joined an IT company as a DevSecOps engineer. His team leader has asked him to use GitHub Code Scanning for evaluating the source code in his organization's GitHub repository to detect security issues and coding errors. How can William set up coding scanning in GitHub repository?)

  1. By using Gauntlt.
  2. By using GitMiner.
  3. By using OWASP ZAP.
  4. By using CodeQL.

Answer(s): D

Explanation:

GitHub Code Scanning is a built-in security capability designed to automatically analyze source code for security vulnerabilities and coding errors. The primary and officially supported engine for GitHub Code Scanning is CodeQL. CodeQL works by converting source code into a database and running security queries to detect issues such as injection flaws, insecure coding patterns, and logic errors. William can enable CodeQL by configuring GitHub Actions with either the default or advanced CodeQL workflow. Once enabled, CodeQL scans are triggered on events such as code pushes and pull requests, and the results appear as code scanning alerts in the repository's Security tab. Gauntlt is a security testing harness used mainly for infrastructure and application testing, GitMiner is used to discover sensitive data like secrets in repositories, and OWASP ZAP is a dynamic application security testing tool used against running applications. None of these tools configure GitHub's native Code Scanning feature. Therefore, CodeQL is the correct tool to set up GitHub Code Scanning in the Code stage of a DevSecOps pipeline.



(Brett Ryan has been working as a senior DevSecOps engineer in an IT company in Charleston, South Carolina. He is using git-mutimail tool to send email notification for every push to git repository. By default, the tool will send one output email providing details about the reference change and one output email for every new commit due to a reference change. How can Brett ensure that git-multimail is set up appropriately?)

  1. Running the environmental variable GITHUB_MULTIMAIL_CHECK_SETUP by setting it to non- empty string.
  2. Running the environmental variable GIT_MULTIMAIL_CHECK_SETUP by setting it to empty string.
  3. Running the environmental variable GIT_MULTIMAIL_CHECK_SETUP by setting it to non-empty string.
  4. Running the environmental variable GITHUB_MULTIMAIL_CHECK_SETUP by setting it to empty string.

Answer(s): C

Explanation:

The git-multimail tool provides a mechanism to verify whether it has been installed and configured correctly before being relied upon for production notifications. This verification is done using an environment variable named GIT_MULTIMAIL_CHECK_SETUP.
When this variable is set to a non- empty string, git-multimail performs a setup validation and outputs diagnostic information to confirm that configuration values, hooks, and parameters are correctly defined. This helps prevent silent failures where commits occur but email notifications are not sent. Options that reference GITHUB_MULTIMAIL_CHECK_SETUP are incorrect because git-multimail is not limited to GitHub and does not use that variable name. Additionally, setting the variable to an empty string does not trigger the setup check. Ensuring proper configuration during the Code stage is important because it supports auditability, traceability, and timely communication among development and security teams. Therefore, Brett must run the environment variable GIT_MULTIMAIL_CHECK_SETUP with a non-empty value to ensure the tool is set up appropriately.



(BVR Pvt. Ltd. is an IT company that develops software products and applications related to IoT devices. The software development team of the organization is using Bitbucket repository to plan projects, collaborate on code, test, and deploy. The repository provides teams a single place for projects planning and collaboration on coding, testing, and deploying the software application.
Which of the following is offered by Bitbucket to BVR Pvt. Ltd.?)

  1. Free limited public repositories.
  2. Free unlimited private repositories.
  3. Free limited private repositories.
  4. Free unlimited public repositories.

Answer(s): B

Explanation:

Bitbucket provides a cloud-based source code management platform that supports collaboration, CI/CD integration, and secure code hosting. One of the key features offered by Bitbucket is free unlimited private repositories, particularly beneficial for organizations developing proprietary software such as IoT applications. This allows teams to store source code securely without exposing it publicly while still enabling collaboration features like pull requests, issue tracking, and pipeline automation. The term "limited private repositories" is inaccurate because Bitbucket does not restrict the number of private repositories under its free offering; rather, user count limits apply.
While Bitbucket also supports public repositories, the option that best represents its value to enterprise and product-based teams is unlimited private repositories. This capability aligns with DevSecOps practices by ensuring confidentiality of source code while enabling integrated planning, testing, and deployment workflows within a single platform.



(Erica Mena has been working as a DevSecOps engineer in an IT company that provides customize software solutions to various clients across United States. To protect serverless and container applications with RASP, she would like to create an Azure container instance using Azure CLI in Microsoft PowerShell. She created the Azure container instance and loaded the container image to it. She then reviewed the deployment of the container instance.
Which of the following commands should Erica run to get the logging information from the Azure container instance? (Assume the resource group name as ACI and container name as aci-test-closh.))

  1. az get container logs -resource-group ACI --name aci-test-closh.
  2. az get container logs --resource-group ACI --name aci-test-closh.
  3. az container logs -resource-group ACI -name aci-test-closh.
  4. az container logs --resource-group ACI --name aci-test-closh.

Answer(s): D

Explanation:

Azure Container Instances provide built-in logging capabilities that can be accessed using the Azure CLI. To retrieve logs from a deployed container instance, the correct command is az container logs followed by the resource group and container name. The proper syntax requires double-dash parameters: --resource-group and --name. In Erica's case, the correct command is az container logs --resource-group ACI --name aci-test-closh. Options that use "az get container logs" are invalid because "get" is not a supported verb in this context. Option C uses incorrect single-dash flags, which do not match Azure CLI standards. Accessing container logs during the Code stage helps engineers validate application behavior, identify runtime errors, and ensure that security instrumentation such as RASP agents are functioning correctly before progressing further in the pipeline.



(Walter O'Brien recently joined as a junior DevSecOps engineer in an IT company located in Lansing, Michigan. His organization develops robotic process automation software for various clients stretched across the globe. Walter's team leader asked him to configure username and user email for git in VS Code. Therefore, he opened Visual Studio Code IDE console, then clicked on Terminal tab and selected New terminal.
Which of the following command should Walter execute in the terminal to configure username and user email for git in VS Code?)

  1. get config --global user-name "walter username for git" get config -­global user-email "walter email address used for git".
  2. get config --global user.name "walter username for git" get config ­global user.email "walter email address used for git".
  3. get git config --global user.name "walter username for git" get git config ­global user.email "walter email address used for git".
  4. get config --global user_name "walter username for git" get config -­global user_email "walter email address used for git".

Answer(s): B

Explanation:

Git requires developers to configure their identity using two specific configuration keys: user.name and user.email. These values are embedded into every commit and are essential for accountability, auditing, and collaboration. The correct configuration syntax uses dot-separated key names (user.name and user.email) and the --global flag to apply the settings across all repositories on the system. Among the provided options, only option B uses the correct configuration keys. The other options use invalid key names such as user-name, user_name, or incorrect command structure. Although the options display a minor command typo ("get config" instead of git config), the question is clearly testing knowledge of the correct Git configuration keys. Configuring Git identity in the Code stage ensures accurate commit history and supports traceability across the DevSecOps pipeline.



(Debra Aniston is a DevSecOps engineer in an IT company that develops software products and web applications. Her team has found various coding issues in the application code. Debra would like to fix coding issues before they exist. She recommended a DevSecOps tool to the software developer team that highlights bugs and security vulnerabilities with clear remediation guidance, which helps in fixing security issues before the code is committed. Based on the information given, which of the following tools has Debra recommended to the software development team?)

  1. SonarLint.
  2. Arachni.
  3. OWASP ZAP.
  4. Tenable.io.

Answer(s): A

Explanation:

SonarLint is a static code analysis tool designed specifically to be used inside developers' IDEs, where it provides immediate feedback while code is being written. It highlights bugs, security vulnerabilities, and code smells and, importantly, provides clear remediation guidance that explains why an issue exists and how it can be fixed. This aligns directly with Debra's requirement to fix issues "before they exist," meaning before code is committed to the repository. Arachni and OWASP ZAP are dynamic application security testing tools that require a running application and are typically used later in the pipeline. Tenable.io is a vulnerability management platform focused on infrastructure and application scanning rather than real-time developer feedback. By using SonarLint, developers receive continuous guidance during coding, supporting the shift-left security approach in DevSecOps and reducing the cost and effort of fixing vulnerabilities later in the lifecycle.



(Terry Diab has been working as a DevSecOps engineer in an IT company that develops software products and web applications for a call center. She would like to integrate Snyk with AWS CodeCommit to monitor and remediate vulnerabilities in the code repository. Terry pushed code to AWS CodeCommit; this triggered Amazon EventBridge Rule, which then triggered AWS CodePipeline. AWS CodePipeline passed code to Snyk CLI run.
Who among the following interacts with Snyk CLI and sends the results to Snyk UI?)

  1. AWS CodeDeploy.
  2. AWS CodeCommit.
  3. AWS Pipeline.
  4. AWS CodeBuild.

Answer(s): D

Explanation:

In an AWS CI/CD architecture, AWS CodePipeline acts as an orchestration service that coordinates different stages but does not execute build or scan commands itself. AWS CodeBuild is the service responsible for running commands such as compiling code, executing tests, and running third-party security tools like the Snyk CLI. In Terry's workflow, CodeCommit stores the source code, EventBridge triggers the pipeline, and CodePipeline passes the source to CodeBuild. CodeBuild then executes the Snyk CLI, performs vulnerability scanning, and sends the scan results to the Snyk UI using the configured authentication token. AWS CodeDeploy is focused on application deployment and does not interact with Snyk CLI. Therefore, AWS CodeBuild is the component that interacts with Snyk CLI and communicates results back to the Snyk platform. This integration ensures that dependency vulnerabilities are detected early in the Build and Test stage.



(William McDougall has been working as a DevSecOps engineer in an IT company located in Sacramento, California. His organization has been using Microsoft Azure DevOps service to develop software products securely and quickly. To take proactive decisions related to security issues and to reduce the overall security risk, William would like to integrate ThreatModeler with Azure Pipelines. How can ThreatModeler be integrated with Azure Pipelines and made a part of William's organization DevSecOps pipeline?)

  1. By using a bidirectional API.
  2. By using a unidirectional API.
  3. By using a unidirectional UI.
  4. By using a bidirectional UI.

Answer(s): A

Explanation:

ThreatModeler integration with Azure Pipelines is achieved using a bidirectional API, which allows automated and continuous interaction between the pipeline and the threat modeling platform. This bidirectional communication enables Azure Pipelines to trigger threat modeling activities while also receiving results, risk scores, and actionable insights back from ThreatModeler. Such feedback loops are critical for proactive security decision-making during the Plan stage of DevSecOps. Unidirectional APIs or UI-based integrations limit automation and do not support continuous feedback, making them unsuitable for pipeline-driven workflows. UI-based approaches also introduce manual steps, which conflict with DevSecOps principles of automation and consistency. By using a bidirectional API, William's organization can embed threat modeling into the planning process, identify architectural risks early, and ensure security considerations are continuously enforced as part of the pipeline.



Viewing Page 1 of 14



Share your comments for EC-Council 312-97 exam with other users:

Danny 1/15/2024 9:10:00 AM

its helpful?
INDIA


hanaa 10/3/2023 6:57:00 PM

is this dump still valid???
Anonymous


Georgio 1/19/2024 8:15:00 AM

question 205 answer is b
Anonymous


Matthew Dievendorf 5/30/2023 9:37:00 PM

question 39, should be answer b, directions stated is being sudneted from /21 to a /23. a /23 has 512 ips so 510 hosts. and can make 4 subnets out of the /21
Anonymous


Adhithya 8/11/2022 12:27:00 AM

beautiful test engine software and very helpful. questions are same as in the real exam. i passed my paper.
UNITED ARAB EMIRATES


SuckerPumch88 4/25/2022 10:24:00 AM

the questions are exactly the same in real exam. just make sure not to answer all them correct or else they suspect you are cheating.
UNITED STATES


soheib 7/24/2023 7:05:00 PM

question: 78 the right answer i think is d not a
Anonymous


srija 8/14/2023 8:53:00 AM

very helpful
EUROPEAN UNION


Thembelani 5/30/2023 2:17:00 AM

i am writing this exam tomorrow and have dumps
Anonymous


Anita 10/1/2023 4:11:00 PM

can i have the icdl excel exam
Anonymous


Ben 9/9/2023 7:35:00 AM

please upload it
Anonymous


anonymous 9/20/2023 11:27:00 PM

hye when will post again the past year question for this h13-311_v3 part since i have to for my test tommorow…thank you very much
Anonymous


Randall 9/28/2023 8:25:00 PM

on question 22, option b-once per session is also valid.
Anonymous


Tshegofatso 8/28/2023 11:51:00 AM

this website is very helpful
SOUTH AFRICA


philly 9/18/2023 2:40:00 PM

its my first time exam
SOUTH AFRICA


Beexam 9/4/2023 9:06:00 PM

correct answers are device configuration-enable the automatic installation of webview2 runtime. & policy management- prevent users from submitting feedback.
NEW ZEALAND


RAWI 7/9/2023 4:54:00 AM

is this dump still valid? today is 9-july-2023
SWEDEN


Annie 6/7/2023 3:46:00 AM

i need this exam.. please upload these are really helpful
PAKISTAN


Shubhra Rathi 8/26/2023 1:08:00 PM

please upload the oracle 1z0-1059-22 dumps
Anonymous


Shiji 10/15/2023 1:34:00 PM

very good questions
INDIA


Rita Rony 11/27/2023 1:36:00 PM

nice, first step to exams
Anonymous


Aloke Paul 9/11/2023 6:53:00 AM

is this valid for chfiv9 as well... as i am reker 3rd time...
CHINA


Calbert Francis 1/15/2024 8:19:00 PM

great exam for people taking 220-1101
UNITED STATES


Ayushi Baria 11/7/2023 7:44:00 AM

this is very helpfull for me
Anonymous


alma 8/25/2023 1:20:00 PM

just started preparing for the exam
UNITED KINGDOM


CW 7/10/2023 6:46:00 PM

these are the type of questions i need.
UNITED STATES


Nobody 8/30/2023 9:54:00 PM

does this actually work? are they the exam questions and answers word for word?
Anonymous


Salah 7/23/2023 9:46:00 AM

thanks for providing these questions
Anonymous


Ritu 9/15/2023 5:55:00 AM

interesting
CANADA


Ron 5/30/2023 8:33:00 AM

these dumps are pretty good.
Anonymous


Sowl 8/10/2023 6:22:00 PM

good questions
UNITED STATES


Blessious Phiri 8/15/2023 2:02:00 PM

dbua is used for upgrading oracle database
Anonymous


Richard 10/24/2023 6:12:00 AM

i am thrilled to say that i passed my amazon web services mls-c01 exam, thanks to study materials. they were comprehensive and well-structured, making my preparation efficient.
Anonymous


Janjua 5/22/2023 3:31:00 PM

please upload latest ibm ace c1000-056 dumps
GERMANY