Q53 of 60 — CCA Practice Exam

Code Generation with Claude Code

Your team has deployed a Claude Code agent to perform automated code reviews in a CI pipeline. The agent runs in Docker and mounts the repository read-only (-v /workspace/repo:/workspace:ro) so it can analyze code without modifying it. A security audit flags that secrets were exposed to the agent process — specifically, AWS credentials and a Kubernetes config file present in the developer's home directory, which was bind-mounted as part of the repository path. The code review capability itself is working correctly. What is the most effective fix for this exposure?

A. Switch from a bind mount to a Docker volume so the container runtime mediates access to the filesystem, preventing credential files from being visible inside the container.

B. Scope the Docker mount to copy only the source files required for code review — excluding credential files such as ~/.aws/credentials and ~/.kube/config — rather than mounting the full home directory path.

C. Add a system prompt instruction telling the agent to ignore any credential files it encounters and to not read files matching patterns like *.pem, *.key, or credentials.

D. Grant the agent read-only access to the entire home directory but enable audit logging so any credential file access is detected and alerted on after the fact.