Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. EC-Council
  3. 312-97

EC-Council 312-97 Exam (page: 2)
EC-Council Certified DevSecOps Engineer (ECDE)
Updated on: 19-Feb-2026

Viewing Page 2 of 14
312-97 PDF 100 Questions

(Peter Dinklage has been working as a senior DevSecOps engineer at SacramentSoft Solution Pvt. Ltd. He has deployed applications in docker containers. His team leader asked him to check the exposure of unnecessary ports.
Which of the following commands should Peter use to check all the containers and the exposed ports?)

  1. docker ps --quiet | xargs docker inspect --all --format : Ports=.
  2. docker ps --quiet | xargs docker inspect --format ': Ports='.
  3. docker ps --quiet | xargs docker inspect --format : Ports.
  4. docker ps --quiet | xargs docker inspect --all --format ': Ports='.

Answer(s): B

Explanation:

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.



(Jason Wylie has been working as a DevSecOps engineer in an IT company located in Sacramento, California. He would like to use Jenkins for CI and Azure Pipelines for CD to deploy a Spring Boot app to an Azure Container Service (AKS) Kubernetes cluster. He created a namespace for deploying the Jenkins in AKS, and then deployed the Jenkins app to the Pod.
Which of the following commands should Jason run to see the pods that have been spun up and running?)

  1. kubectl get pods -k Jenkins.
  2. kubectl get pods -s jenkins.
  3. kubectl get pods -n jenkins.
  4. kubectl get pods -p jenkins.

Answer(s): C

Explanation:

Kubernetes uses namespaces to logically isolate resources such as pods, services, and deployments.

When an application like Jenkins is deployed into a specific namespace, the correct way to view the pods running in that namespace is by using the -n (or --namespace) flag with the kubectl get pods command. The command kubectl get pods -n jenkins instructs Kubernetes to list all pods in the "jenkins" namespace. The other options use invalid or unrelated flags that are not supported for namespace selection. Verifying pod status during the Release and Deploy stage is essential to ensure that applications have been deployed successfully and are running as expected before exposing services or proceeding to monitoring. This step supports deployment validation and operational readiness in Kubernetes-based DevSecOps environments.



(Steven Smith has been working as a DevSecOps engineer in an IT company that develops software products related to the financial sector. His team leader asked him to integrate Conjur with Jenkins to secure the secret credentials. Therefore, Steven downloaded Conjur.hpi file and uploaded it in the Upload Plugin section of Jenkins. He declared host and layers, and declared the variables.
Which of the following commands should Steven use to set the value of variables?)

  1. $ conjur variable set -i < policy-path-of-variable-name > -v < secret-value >.
  2. $ conjur variable set -p < policy-path-of-variable-name > -s < secret-value >.
  3. $ conjur variable set -s < policy-path-of-variable-name > -p < secret-value >.
  4. $ conjur variable set -v < policy-path-of-variable-name > -i < secret-value >.

Answer(s): A

Explanation:

In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualified policy path of the variable name, and the -v option specifies the secret value to be stored securely. This command writes the secret into Conjur's encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements--critical for financial-sector applications.



(Charles Drew has been working as a DevSecOps team leader in an IT company located in Nashville, Tennessee. He would like to look at the applications from an attacker's perspective and make security a part of the organizations' culture. Imagine, you are working under Charles as a DevSecOps engineer. Charles has asked you to install ThreatPlaybook, which is a unified DevSecOps Framework that allows you to go from iterative, collaborative threat modeling to application security testing orchestration. After installation, you must configure ThreatPlaybook CLI; therefore, you have created a directory for the project and then you go to the current directory where you would like to configure ThreatPlaybook.
Which of the following commands will you use to configure ThreatPlaybook? (Here, < your-email > represents your email id; < host info > represents IP address; and < port > represents the nginx port.))

  1. playbook configure -e < your-email > -h < host-info > -p < port >.
  2. ThreatPlaybook configure -e < your-email > -u < host-info > -p < port >.
  3. ThreatPlaybook configure -e < your-email > -h < host-info > -p < port >.
  4. playbook configure -e < your-email > -u < host-info > -p < port >.

Answer(s): C

Explanation:

ThreatPlaybook CLI is configured using the ThreatPlaybook configure command, which initializes the CLI with the required connection and user details. The -e option is used to specify the user's email address, the -h option defines the host information such as IP address or hostname, and the -p option specifies the port number. This configuration enables the CLI to securely communicate with the ThreatPlaybook service for orchestrating threat modeling and application security testing workflows. Options that use playbook configure are incorrect because the executable name is explicitly ThreatPlaybook. Options using -u instead of -h do not correctly specify host information. Configuring ThreatPlaybook during the Plan stage helps teams adopt an attacker's mindset early, embedding security into the organization's culture and ensuring threats are identified and addressed before development and deployment activities begin.



(Brett Ryan has been working as a senior DevSecOps engineer in a multinational company that develops web applications. The team leader of the software development team requested Brett to detect insecure JavaScript libraries in the web application code. Brett would like to perform the vulnerability scanning on web application with grunt-retire.
Which of the following commands would enable grunt plugin?)

  1. grunt-loadNpmTasks('grunt-retire');.
  2. grunt-loadNpmTask('grunt-retire');.
  3. grunt.loadNpmTasks('grunt-retire');.
  4. grunt.loadNpmTask('grunt-retire');.

Answer(s): C

Explanation:

In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.



(Jayson Smith is working as a DevSecOps engineer in an MNC company located in Tampa, Florida. The senior software developer of his company, Sandra Oliver, has uploaded an application in her GitHub repository that might contain security vulnerabilities and has provided the URL to the DevSecOps team. Jayson would like to analyze the application developed by Sandra to detect and mitigate the security issues in the application code; therefore, he would like to clone Sandra's GitHub repository to his computer.
Which of the following commands should Jayson use to clone the repository of another user to his computer?)

  1. $ git clone https://github.com/REPOSITORY/USERNAME.git.
  2. $ git clone https://github.com/USERNAME/REPOSITORY.git.
  3. $ github clone https://github.com/USERNAME/REPOSITORY.git.
  4. $ github clone https://github.com/ REPOSITORY/USERNAME.git.

Answer(s): B

Explanation:

Cloning a GitHub repository requires the standard Git command git clone followed by the correct repository URL format. GitHub repositories are structured as https://github.com/USERNAME/REPOSITORY.git, where USERNAME represents the account or organization name and REPOSITORY represents the project name. Option B follows this exact structure. Options using github clone are invalid because github is not a Git CLI command. Options that reverse the order of USERNAME and REPOSITORY do not match GitHub's repository structure and will fail. Cloning repositories during the Code stage allows DevSecOps engineers to run static analysis, dependency scanning, and other security checks locally without modifying the original repository, supporting secure and controlled analysis workflows.



(Patricia Cornwell has been working as a DevSecOps engineer in an IT company that provides custom software solutions. She would like to use GitMiner to mine the secret credentials such as usernames and passwords, API credentials, and other sensitive data from GitHub. Therefore, to start the scanning, she cloned the repo to the local machine by using the git clone http://github.com/UnkL4b/GitMiner command; then, she moved to the current directory using $ cd GitMiner command.
Which of the following commands should Patricia use to install the dependencies?)

  1. pip3 install ­m requirement.txt.
  2. pip3 install ­d requirement.txt.
  3. pip3 install ­q requirement.txt.
  4. pip3 install ­r requirement.txt.

Answer(s): D

Explanation:

GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.



(Sandra Oliver joined SinClare Soft Pvt. Ltd. as a DevSecOps engineer in January of 2010. Her organization develops software and web applications related to the healthcare industry. Using IAST runtime security testing technology, she is detecting and diagnosing security issues in applications and APIs. The IAST solution used by Sandra encompasses a web scanner with an agent that works inside the server that hosts the application to provide additional analysis details such as the location of the vulnerability in the application code. Based on the given information, which of the following IAST solutions is Sandra using?)

  1. Active IAST.
  2. Semi-passive IAST.
  3. Semi-active IAST.
  4. Passive IAST.

Answer(s): C

Explanation:

Interactive Application Security Testing (IAST) solutions are classified based on how they interact with the application and runtime environment. In this scenario, the solution uses a web scanner to actively send requests to the application while also deploying an agent inside the application server to observe runtime behavior and map vulnerabilities directly to source code locations. This combined approach is known as semi-active IAST. It is considered "semi-active" because it actively drives traffic through the application using a scanner, while the agent passively observes execution paths, data flows, and method calls. Passive IAST solutions rely only on observing existing traffic and do not use scanners, while active IAST solutions do not typically rely on deep runtime agents in the same manner. Semi-active IAST significantly reduces false positives and provides precise remediation details, making it highly effective during the Build and Test stage, where applications are actively exercised and security issues can be identified and fixed before release.



Viewing Page 2 of 14



Share your comments for EC-Council 312-97 exam with other users:

PiPi Li 12/12/2023 8:32:00 PM

nice questions
NETHERLANDS


Dan 8/10/2023 4:19:00 PM

question 129 is completely wrong.
UNITED STATES


gayathiri 7/6/2023 12:10:00 AM

i need dump
UNITED STATES


Deb 8/15/2023 8:28:00 PM

love the site.
UNITED STATES


Michelle 6/23/2023 4:08:00 AM

can you please upload it back?
Anonymous


Ajay 10/3/2023 12:17:00 PM

could you please re-upload this exam? thanks a lot!
Anonymous


him 9/30/2023 2:38:00 AM

great about shared quiz
Anonymous


San 11/14/2023 12:46:00 AM

goood helping
Anonymous


Wang 6/9/2022 10:05:00 PM

pay attention to questions. they are very tricky. i waould say about 80 to 85% of the questions are in this exam dump.
UNITED STATES


Mary 5/16/2023 4:50:00 AM

wish you would allow more free questions
Anonymous


thomas 9/12/2023 4:28:00 AM

great simulation
Anonymous


Sandhya 12/9/2023 12:57:00 AM

very g inood
Anonymous


Agathenta 12/16/2023 1:36:00 PM

q35 should be a
Anonymous


MD. SAIFUL ISLAM 6/22/2023 5:21:00 AM

sap c_ts450_2021
Anonymous


Satya 7/24/2023 3:18:00 AM

nice questions
UNITED STATES


sk 5/13/2023 2:10:00 AM

ecellent materil for unserstanding
INDIA


Gerard 6/29/2023 11:14:00 AM

good so far
Anonymous


Limbo 10/9/2023 3:08:00 AM

this is way too informative
BOTSWANA


Tejasree 8/26/2023 1:46:00 AM

very helpfull
UNITED STATES


Yolostar Again 10/12/2023 3:02:00 PM

q.189 - answers are incorrect.
Anonymous


Shikha Bakra 9/10/2023 5:16:00 PM

awesome job in getting these questions
AUSTRALIA


Kevin 10/20/2023 2:01:00 AM

i cant find aws certified practitioner clf-c01 exam in aws website but i found aws certified practitioner clf-c02 exam. can everyone please verify the difference between the two clf-c01 and clf-c02? thank you
UNITED STATES


D Mario 6/19/2023 10:38:00 PM

grazie mille. i got a satisfactory mark in my exam test today because of this exam dumps. sorry for my english.
ITALY


Bharat Kumar Saraf 10/31/2023 4:36:00 AM

some of the answers are incorrect. need to be reviewed.
HONG KONG


JP 7/13/2023 12:21:00 PM

so far so good
Anonymous


Kiky V 8/8/2023 6:32:00 PM

i am really liking it
Anonymous


trying 7/28/2023 12:37:00 PM

thanks good stuff
UNITED STATES


exampei 10/4/2023 2:40:00 PM

need dump c_tadm_23
Anonymous


Eman Sawalha 6/10/2023 6:18:00 AM

next time i will write a full review
GREECE


johnpaul 11/15/2023 7:55:00 AM

first time using this site
ROMANIA


omiornil@gmail.com 7/25/2023 9:36:00 AM

please sent me oracle 1z0-1105-22 pdf
BANGLADESH


John 8/29/2023 8:59:00 PM

very helpful
Anonymous


Kvana 9/28/2023 12:08:00 PM

good info about oml
UNITED STATES


Checo Lee 7/3/2023 5:45:00 PM

very useful to practice
UNITED STATES