Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. EC-Council
  5. 312-97

EC-Council 312-97 Exam
Certified DevSecOps Engineer (ECDE) (Page 4 )

Updated On: 7-Feb-2026
Page 4 of 21
PDF with 100 Questions

(Steven Smith has been working as a DevSecOps engineer in an IT company that develops software products related to the financial sector. His team leader asked him to integrate Conjur with Jenkins to secure the secret credentials. Therefore, Steven downloaded Conjur.hpi file and uploaded it in the Upload Plugin section of Jenkins. He declared host and layers, and declared the variables.
Which of the following commands should Steven use to set the value of variables?)

  1. $ conjur variable set -i < policy-path-of-variable-name > -v < secret-value >.
  2. $ conjur variable set -p < policy-path-of-variable-name > -s < secret-value >.
  3. $ conjur variable set -s < policy-path-of-variable-name > -p < secret-value >.
  4. $ conjur variable set -v < policy-path-of-variable-name > -i < secret-value >.

Answer(s): A

Explanation:

In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualified policy path of the variable name, and the -v option specifies the secret value to be stored securely. This command writes the secret into Conjur's encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements--critical for financial-sector applications.



(Charles Drew has been working as a DevSecOps team leader in an IT company located in Nashville, Tennessee. He would like to look at the applications from an attacker's perspective and make security a part of the organizations' culture. Imagine, you are working under Charles as a DevSecOps engineer. Charles has asked you to install ThreatPlaybook, which is a unified DevSecOps Framework that allows you to go from iterative, collaborative threat modeling to application security testing orchestration. After installation, you must configure ThreatPlaybook CLI; therefore, you have created a directory for the project and then you go to the current directory where you would like to configure ThreatPlaybook.
Which of the following commands will you use to configure ThreatPlaybook? (Here, < your-email > represents your email id; < host info > represents IP address; and < port > represents the nginx port.))

  1. playbook configure -e < your-email > -h < host-info > -p < port >.
  2. ThreatPlaybook configure -e < your-email > -u < host-info > -p < port >.
  3. ThreatPlaybook configure -e < your-email > -h < host-info > -p < port >.
  4. playbook configure -e < your-email > -u < host-info > -p < port >.

Answer(s): C

Explanation:

ThreatPlaybook CLI is configured using the ThreatPlaybook configure command, which initializes the CLI with the required connection and user details. The -e option is used to specify the user's email address, the -h option defines the host information such as IP address or hostname, and the -p option specifies the port number. This configuration enables the CLI to securely communicate with the ThreatPlaybook service for orchestrating threat modeling and application security testing workflows. Options that use playbook configure are incorrect because the executable name is explicitly ThreatPlaybook. Options using -u instead of -h do not correctly specify host information. Configuring ThreatPlaybook during the Plan stage helps teams adopt an attacker's mindset early, embedding security into the organization's culture and ensuring threats are identified and addressed before development and deployment activities begin.



(Brett Ryan has been working as a senior DevSecOps engineer in a multinational company that develops web applications. The team leader of the software development team requested Brett to detect insecure JavaScript libraries in the web application code. Brett would like to perform the vulnerability scanning on web application with grunt-retire.
Which of the following commands would enable grunt plugin?)

  1. grunt-loadNpmTasks('grunt-retire');.
  2. grunt-loadNpmTask('grunt-retire');.
  3. grunt.loadNpmTasks('grunt-retire');.
  4. grunt.loadNpmTask('grunt-retire');.

Answer(s): C

Explanation:

In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.



(Jayson Smith is working as a DevSecOps engineer in an MNC company located in Tampa, Florida. The senior software developer of his company, Sandra Oliver, has uploaded an application in her GitHub repository that might contain security vulnerabilities and has provided the URL to the DevSecOps team. Jayson would like to analyze the application developed by Sandra to detect and mitigate the security issues in the application code; therefore, he would like to clone Sandra's GitHub repository to his computer.
Which of the following commands should Jayson use to clone the repository of another user to his computer?)

  1. $ git clone https://github.com/REPOSITORY/USERNAME.git.
  2. $ git clone https://github.com/USERNAME/REPOSITORY.git.
  3. $ github clone https://github.com/USERNAME/REPOSITORY.git.
  4. $ github clone https://github.com/ REPOSITORY/USERNAME.git.

Answer(s): B

Explanation:

Cloning a GitHub repository requires the standard Git command git clone followed by the correct repository URL format. GitHub repositories are structured as https://github.com/USERNAME/REPOSITORY.git, where USERNAME represents the account or organization name and REPOSITORY represents the project name. Option B follows this exact structure. Options using github clone are invalid because github is not a Git CLI command. Options that reverse the order of USERNAME and REPOSITORY do not match GitHub's repository structure and will fail. Cloning repositories during the Code stage allows DevSecOps engineers to run static analysis, dependency scanning, and other security checks locally without modifying the original repository, supporting secure and controlled analysis workflows.



(Patricia Cornwell has been working as a DevSecOps engineer in an IT company that provides custom software solutions. She would like to use GitMiner to mine the secret credentials such as usernames and passwords, API credentials, and other sensitive data from GitHub. Therefore, to start the scanning, she cloned the repo to the local machine by using the git clone http://github.com/UnkL4b/GitMiner command; then, she moved to the current directory using $ cd GitMiner command.
Which of the following commands should Patricia use to install the dependencies?)

  1. pip3 install ­m requirement.txt.
  2. pip3 install ­d requirement.txt.
  3. pip3 install ­q requirement.txt.
  4. pip3 install ­r requirement.txt.

Answer(s): D

Explanation:

GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.






Post your Comments and Discuss EC-Council 312-97 exam prep with other Community members:

Join the 312-97 Discussion