An organization uses Cloud Build to build and deploy applications. They need to ensure that build secrets (e.g., API tokens) are securely injected into build steps without being exposed in the build logs. Which two actions should they take?
secretEnv injects the secret as an environment variable without logging it.
Why this answer
Option B is correct because the `secretEnv` field in a Cloud Build step allows you to inject a secret from Secret Manager into the build environment as an environment variable, without the secret value being written to build logs. This ensures the secret is available to the step at runtime but never exposed in log output.
Exam trap
Cisco often tests the misconception that encrypting the build configuration file or using plain environment variables is sufficient for secret management, when in fact only Secret Manager with `secretEnv` prevents log exposure.