An organization uses Artifact Registry to store Docker images. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to GKE. Which two services should they use together?
Binary Authorization enforces signing; Container Analysis provides vulnerability scanning.
Why this answer
Binary Authorization enforces that only signed and verified container images can be deployed to GKE, while the Container Scanning API (now part of Artifact Analysis) performs vulnerability scanning on images stored in Artifact Registry. Together, they ensure that only images that have passed vulnerability scanning and are cryptographically signed can be deployed, meeting the organization's requirements.
Exam trap
Google often tests the distinction between services that perform an action (such as scanning or signing) and services that enforce a policy based on that action. Candidates mistakenly pick Cloud Build and Artifact Registry (Option B) because those handle scanning and storage, but they lack the enforcement mechanism that Binary Authorization provides.
How to eliminate wrong answers
Option A is wrong because Cloud Deploy is a continuous delivery service for deploying to targets such as GKE and Cloud Run, but it does not enforce vulnerability scanning or image signing; Cloud Run is a serverless compute platform, not a security enforcement service. Option B is wrong because Cloud Build is a CI/CD service that can build and push images to Artifact Registry, but it does not enforce signed-image or vulnerability-scanning policies at deployment time; Artifact Registry is the storage repository, not a policy enforcement service. Option D is wrong because Security Command Center is a security and risk management platform for threat detection and compliance, and Cloud Asset Inventory provides asset metadata and history, but neither enforces image signing or vulnerability scanning policies on GKE deployments.