Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. EC-Council
  3. 312-97

EC-Council 312-97 Exam (page: 2)
EC-Council Certified DevSecOps Engineer (ECDE)
Updated on: 06-Apr-2026

Viewing Page 2 of 14
312-97 PDF 100 Questions

(Peter Dinklage has been working as a senior DevSecOps engineer at SacramentSoft Solution Pvt. Ltd. He has deployed applications in docker containers. His team leader asked him to check the exposure of unnecessary ports.
Which of the following commands should Peter use to check all the containers and the exposed ports?)

  1. docker ps --quiet | xargs docker inspect --all --format : Ports=.
  2. docker ps --quiet | xargs docker inspect --format ': Ports='.
  3. docker ps --quiet | xargs docker inspect --format : Ports.
  4. docker ps --quiet | xargs docker inspect --all --format ': Ports='.

Answer(s): B

Explanation:

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.



(Jason Wylie has been working as a DevSecOps engineer in an IT company located in Sacramento, California. He would like to use Jenkins for CI and Azure Pipelines for CD to deploy a Spring Boot app to an Azure Container Service (AKS) Kubernetes cluster. He created a namespace for deploying the Jenkins in AKS, and then deployed the Jenkins app to the Pod.
Which of the following commands should Jason run to see the pods that have been spun up and running?)

  1. kubectl get pods -k Jenkins.
  2. kubectl get pods -s jenkins.
  3. kubectl get pods -n jenkins.
  4. kubectl get pods -p jenkins.

Answer(s): C

Explanation:

Kubernetes uses namespaces to logically isolate resources such as pods, services, and deployments.

When an application like Jenkins is deployed into a specific namespace, the correct way to view the pods running in that namespace is by using the -n (or --namespace) flag with the kubectl get pods command. The command kubectl get pods -n jenkins instructs Kubernetes to list all pods in the "jenkins" namespace. The other options use invalid or unrelated flags that are not supported for namespace selection. Verifying pod status during the Release and Deploy stage is essential to ensure that applications have been deployed successfully and are running as expected before exposing services or proceeding to monitoring. This step supports deployment validation and operational readiness in Kubernetes-based DevSecOps environments.



(Steven Smith has been working as a DevSecOps engineer in an IT company that develops software products related to the financial sector. His team leader asked him to integrate Conjur with Jenkins to secure the secret credentials. Therefore, Steven downloaded Conjur.hpi file and uploaded it in the Upload Plugin section of Jenkins. He declared host and layers, and declared the variables.
Which of the following commands should Steven use to set the value of variables?)

  1. $ conjur variable set -i < policy-path-of-variable-name > -v < secret-value >.
  2. $ conjur variable set -p < policy-path-of-variable-name > -s < secret-value >.
  3. $ conjur variable set -s < policy-path-of-variable-name > -p < secret-value >.
  4. $ conjur variable set -v < policy-path-of-variable-name > -i < secret-value >.

Answer(s): A

Explanation:

In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualified policy path of the variable name, and the -v option specifies the secret value to be stored securely. This command writes the secret into Conjur's encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements--critical for financial-sector applications.



(Charles Drew has been working as a DevSecOps team leader in an IT company located in Nashville, Tennessee. He would like to look at the applications from an attacker's perspective and make security a part of the organizations' culture. Imagine, you are working under Charles as a DevSecOps engineer. Charles has asked you to install ThreatPlaybook, which is a unified DevSecOps Framework that allows you to go from iterative, collaborative threat modeling to application security testing orchestration. After installation, you must configure ThreatPlaybook CLI; therefore, you have created a directory for the project and then you go to the current directory where you would like to configure ThreatPlaybook.
Which of the following commands will you use to configure ThreatPlaybook? (Here, < your-email > represents your email id; < host info > represents IP address; and < port > represents the nginx port.))

  1. playbook configure -e < your-email > -h < host-info > -p < port >.
  2. ThreatPlaybook configure -e < your-email > -u < host-info > -p < port >.
  3. ThreatPlaybook configure -e < your-email > -h < host-info > -p < port >.
  4. playbook configure -e < your-email > -u < host-info > -p < port >.

Answer(s): C

Explanation:

ThreatPlaybook CLI is configured using the ThreatPlaybook configure command, which initializes the CLI with the required connection and user details. The -e option is used to specify the user's email address, the -h option defines the host information such as IP address or hostname, and the -p option specifies the port number. This configuration enables the CLI to securely communicate with the ThreatPlaybook service for orchestrating threat modeling and application security testing workflows. Options that use playbook configure are incorrect because the executable name is explicitly ThreatPlaybook. Options using -u instead of -h do not correctly specify host information. Configuring ThreatPlaybook during the Plan stage helps teams adopt an attacker's mindset early, embedding security into the organization's culture and ensuring threats are identified and addressed before development and deployment activities begin.



(Brett Ryan has been working as a senior DevSecOps engineer in a multinational company that develops web applications. The team leader of the software development team requested Brett to detect insecure JavaScript libraries in the web application code. Brett would like to perform the vulnerability scanning on web application with grunt-retire.
Which of the following commands would enable grunt plugin?)

  1. grunt-loadNpmTasks('grunt-retire');.
  2. grunt-loadNpmTask('grunt-retire');.
  3. grunt.loadNpmTasks('grunt-retire');.
  4. grunt.loadNpmTask('grunt-retire');.

Answer(s): C

Explanation:

In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.



(Jayson Smith is working as a DevSecOps engineer in an MNC company located in Tampa, Florida. The senior software developer of his company, Sandra Oliver, has uploaded an application in her GitHub repository that might contain security vulnerabilities and has provided the URL to the DevSecOps team. Jayson would like to analyze the application developed by Sandra to detect and mitigate the security issues in the application code; therefore, he would like to clone Sandra's GitHub repository to his computer.
Which of the following commands should Jayson use to clone the repository of another user to his computer?)

  1. $ git clone https://github.com/REPOSITORY/USERNAME.git.
  2. $ git clone https://github.com/USERNAME/REPOSITORY.git.
  3. $ github clone https://github.com/USERNAME/REPOSITORY.git.
  4. $ github clone https://github.com/ REPOSITORY/USERNAME.git.

Answer(s): B

Explanation:

Cloning a GitHub repository requires the standard Git command git clone followed by the correct repository URL format. GitHub repositories are structured as https://github.com/USERNAME/REPOSITORY.git, where USERNAME represents the account or organization name and REPOSITORY represents the project name. Option B follows this exact structure. Options using github clone are invalid because github is not a Git CLI command. Options that reverse the order of USERNAME and REPOSITORY do not match GitHub's repository structure and will fail. Cloning repositories during the Code stage allows DevSecOps engineers to run static analysis, dependency scanning, and other security checks locally without modifying the original repository, supporting secure and controlled analysis workflows.



(Patricia Cornwell has been working as a DevSecOps engineer in an IT company that provides custom software solutions. She would like to use GitMiner to mine the secret credentials such as usernames and passwords, API credentials, and other sensitive data from GitHub. Therefore, to start the scanning, she cloned the repo to the local machine by using the git clone http://github.com/UnkL4b/GitMiner command; then, she moved to the current directory using $ cd GitMiner command.
Which of the following commands should Patricia use to install the dependencies?)

  1. pip3 install ­m requirement.txt.
  2. pip3 install ­d requirement.txt.
  3. pip3 install ­q requirement.txt.
  4. pip3 install ­r requirement.txt.

Answer(s): D

Explanation:

GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.



(Sandra Oliver joined SinClare Soft Pvt. Ltd. as a DevSecOps engineer in January of 2010. Her organization develops software and web applications related to the healthcare industry. Using IAST runtime security testing technology, she is detecting and diagnosing security issues in applications and APIs. The IAST solution used by Sandra encompasses a web scanner with an agent that works inside the server that hosts the application to provide additional analysis details such as the location of the vulnerability in the application code. Based on the given information, which of the following IAST solutions is Sandra using?)

  1. Active IAST.
  2. Semi-passive IAST.
  3. Semi-active IAST.
  4. Passive IAST.

Answer(s): C

Explanation:

Interactive Application Security Testing (IAST) solutions are classified based on how they interact with the application and runtime environment. In this scenario, the solution uses a web scanner to actively send requests to the application while also deploying an agent inside the application server to observe runtime behavior and map vulnerabilities directly to source code locations. This combined approach is known as semi-active IAST. It is considered "semi-active" because it actively drives traffic through the application using a scanner, while the agent passively observes execution paths, data flows, and method calls. Passive IAST solutions rely only on observing existing traffic and do not use scanners, while active IAST solutions do not typically rely on deep runtime agents in the same manner. Semi-active IAST significantly reduces false positives and provides precise remediation details, making it highly effective during the Build and Test stage, where applications are actively exercised and security issues can be identified and fixed before release.



Viewing Page 2 of 14



Share your comments for EC-Council 312-97 exam with other users:

Eduardo Ramírez 12/11/2023 9:55:00 PM

the correct answer for the question 29 is d.
Anonymous


Dass 11/2/2023 7:43:00 AM

question no 22: correct answers: bc, 1 per session 1 per page 1 per component always
UNITED STATES


Reddy 12/14/2023 2:42:00 AM

these are pretty useful
Anonymous


Daisy Delgado 1/9/2023 1:05:00 PM

awesome
UNITED STATES


Atif 6/13/2023 4:09:00 AM

yes please upload
UNITED STATES


Xunil 6/12/2023 3:04:00 PM

great job whoever put this together, for the greater good! thanks!
Anonymous


Lakshmi 10/2/2023 5:26:00 AM

just started to view all questions for the exam
NETHERLANDS


rani 1/19/2024 11:52:00 AM

helpful material
Anonymous


Greg 11/16/2023 6:59:00 AM

hope for the best
UNITED STATES


hi 10/5/2023 4:00:00 AM

will post exam has finished
UNITED STATES


Vmotu 8/24/2023 11:14:00 AM

really correct and good analyze!
AZERBAIJAN


hicham 5/30/2023 8:57:00 AM

excellent thanks a lot
FRANCE


Suman C 7/7/2023 8:13:00 AM

will post once pass the cka exam
INDIA


Ram 11/3/2023 5:10:00 AM

good content
Anonymous


Nagendra Pedipina 7/13/2023 2:12:00 AM

q:32 answer has to be option c
INDIA


Tamer Barakat 12/7/2023 5:17:00 PM

nice questions
Anonymous


Daryl 8/1/2022 11:33:00 PM

i really like the support team in this website. they are fast in communication and very helpful.
UNITED KINGDOM


Curtis Nakawaki 6/29/2023 9:13:00 PM

a good contemporary exam review
UNITED STATES


x-men 5/23/2023 1:02:00 AM

q23, its an array, isnt it? starts with [ and end with ]. its an array of objects, not object.
UNITED STATES


abuti 7/21/2023 6:24:00 PM

cool very helpfull
Anonymous


Krishneel 3/17/2023 10:34:00 AM

i just passed. this exam dumps is the same one from prepaway and examcollection. it has all the real test questions.
INDIA


Regor 12/4/2023 2:01:00 PM

is this a valid prince2 practitioner dumps?
UNITED KINGDOM


asl 9/14/2023 3:59:00 PM

all are relatable questions
CANADA


Siyya 1/19/2024 8:30:00 PM

might help me to prepare for the exam
Anonymous


Ted 6/21/2023 11:11:00 PM

just paid and downlaod the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.
GERMANY


Paul K 11/27/2023 2:28:00 AM

i think it should be a,c. option d goes against the principle of building anything custom unless there are no work arounds available
INDIA


ph 6/16/2023 12:41:00 AM

very legible
Anonymous


sephs2001 7/31/2023 10:42:00 PM

is this exam accurate or helpful?
Anonymous


ash 7/11/2023 3:00:00 AM

please upload dump, i have exam in 2 days
INDIA


Sneha 8/17/2023 6:29:00 PM

this is useful
CANADA


sachin 12/27/2023 2:45:00 PM

question 232 answer should be perimeter not netowrk layer. wrong answer selected
Anonymous


tomAws 7/18/2023 5:05:00 AM

nice questions
BRAZIL


Rahul 6/11/2023 2:07:00 AM

hi team, could you please provide this dump ?
INDIA


TeamOraTech 12/5/2023 9:49:00 AM

very helpful to clear the exam and understand the concept.
Anonymous