A company is adopting Azure DevOps and needs to ensure that all pipelines comply with regulatory standards. The security team wants to enforce that every build includes a security scan and that deployment to production requires approval from a compliance officer. Which TWO actions should the DevOps engineer take?
Required templates enforce consistent steps.
Why this answer
Option B is correct because creating a required template that includes the security scan task and mandating its use via a pipeline resource ensures that every pipeline inherits the security scan step, enforcing compliance at the pipeline definition level. Option D is correct because configuring a required reviewer approval on the production stage of the release pipeline enforces that a compliance officer must explicitly approve the deployment, meeting the regulatory requirement for production deployments.
Exam trap
The trap here is that candidates often confuse branch policies (Option A) with build-level enforcement. Branch policies apply only to pull request validation, not to builds triggered by other events such as CI or scheduled triggers.