Docker Certified Associate (DCA) Practice Questions: Security Domain

Docker Certified Associate (DCA) Practice Questions

Master the Security Domain

Test your knowledge in the Security domain with these 10 practice questions. Each question is designed to help you prepare for the DCA certification exam with detailed explanations to reinforce your learning.

Question 1

To prevent Docker containers from accessing specific sensitive files on the host, which Docker feature would you use?

A) Docker Swarm

B) Docker Compose

C) Docker Secrets

D) Docker Volumes

Show Answer & Explanation

Correct Answer: C

Explanation: Docker Secrets is the feature used to securely store and manage sensitive information, such as passwords or keys, and ensure containers have access only to the necessary secrets. Docker Swarm is for orchestration, Docker Compose is for defining multi-container applications, and Docker Volumes are for managing persistent data, not for securing sensitive files.

Question 2

Which Docker feature allows you to restrict the resources a container can use, such as CPU and memory, to enhance security and prevent denial of service attacks?

A) Docker Compose

B) Docker Swarm

C) Docker Resource Limits

D) Dockerfile

Show Answer & Explanation

Correct Answer: C

Explanation: Docker Resource Limits allow you to set constraints on the resources a container can use, such as CPU and memory. This is crucial for enhancing security by preventing any single container from consuming all resources and potentially causing a denial of service. Docker Compose is used for defining and running multi-container Docker applications, Docker Swarm is for orchestrating clusters of Docker engines, and Dockerfile is used for building Docker images.

Question 3

Which of the following commands would you use to set a default seccomp profile for all containers on a Docker host?

A) docker run --security-opt seccomp=default.json

B) docker daemon --seccomp-profile=default.json

C) docker swarm init --seccomp-profile=default.json

D) docker update --seccomp-profile=default.json

Show Answer & Explanation

Correct Answer: B

Explanation: The correct command to set a default seccomp profile for all containers on a Docker host is to specify the seccomp profile in the Docker daemon configuration. Option B is correct because it involves setting the seccomp profile at the daemon level. Option A is incorrect because it sets the seccomp profile for a single container. Option C is incorrect because Docker Swarm does not use the --seccomp-profile option. Option D is incorrect because the 'docker update' command does not have a --seccomp-profile option.

Question 4

Which of the following commands would you use to create a Docker container with a read-only root filesystem?

A) docker run --read-only myimage

B) docker run --readonly myimage

C) docker create --read-only myimage

D) docker create --readonly myimage

Show Answer & Explanation

Correct Answer: A

Explanation: The correct command to create a Docker container with a read-only root filesystem is 'docker run --read-only myimage'. The '--read-only' flag ensures that the root filesystem is mounted as read-only, enhancing security by preventing changes to the filesystem. Option B is incorrect because '--readonly' is not a valid flag. Options C and D are incorrect because the 'docker create' command does not support the '--read-only' or '--readonly' flags.

Question 5

What is the purpose of Docker Content Trust (DCT)?

A) To encrypt container images

B) To verify the authenticity of images

C) To provide a backup of container images

D) To improve the performance of image pulls

Show Answer & Explanation

Correct Answer: B

Explanation: Docker Content Trust (DCT) is used to verify the authenticity of images by enabling image signing and verification. It ensures that the images come from a trusted source. DCT does not encrypt images (A), provide a backup (C), or improve performance of image pulls (D).

Question 6

Which of the following commands is used to view the security options applied to a running container?

A) docker inspect --format='{{.HostConfig.SecurityOpt}}'

B) docker ps --security

C) docker security

D) docker logs --security

Show Answer & Explanation

Correct Answer: A

Explanation: Option A is correct because 'docker inspect' with the specified format option can be used to view the security options of a container. Options B, C, and D are incorrect because they are not valid Docker commands to retrieve security options.

Question 7

Which command would you use to enforce security policies on a Docker image before deployment?

A) docker scan

B) docker build

C) docker run

D) docker pull

Show Answer & Explanation

Correct Answer: A

Explanation: The 'docker scan' command is used to scan Docker images for vulnerabilities, enforcing security policies before deployment. 'docker build' (B) creates images, 'docker run' (C) starts containers, and 'docker pull' (D) downloads images.

Question 8

Which of the following commands would you use to create a Docker network with encryption enabled?

A) docker network create --driver overlay --opt encrypted my_network

B) docker network create --driver bridge --opt encrypted my_network

C) docker network create --driver host --opt encrypted my_network

D) docker network create --driver none --opt encrypted my_network

Show Answer & Explanation

Correct Answer: A

Explanation: Option A is correct because the 'overlay' driver supports encryption, and the '--opt encrypted' flag enables it. Options B, C, and D are incorrect because the 'bridge', 'host', and 'none' network drivers do not support encryption.

Question 9

What is the function of AppArmor in Docker?

A) To encrypt container images

B) To provide a firewall for Docker containers

C) To enforce security policies on containers

D) To manage container networking

Show Answer & Explanation

Correct Answer: C

Explanation: Option C is correct because AppArmor is a Linux kernel security module that enforces security policies on Docker containers. Option A is incorrect as AppArmor does not encrypt images. Option B is incorrect because AppArmor is not a firewall. Option D is incorrect as AppArmor does not manage networking.

Question 10

What is the recommended way to store sensitive data such as passwords or API keys in Docker?

A) Hardcoding them in the Dockerfile

B) Using Docker secrets

C) Storing them in environment variables

D) Including them in the container image

Show Answer & Explanation

Correct Answer: B

Explanation: The recommended way to store sensitive data like passwords or API keys in Docker is by using Docker secrets. This feature is specifically designed to securely manage sensitive information. Hardcoding them in the Dockerfile (A) or including them in the container image (D) exposes the sensitive data. Storing them in environment variables (C) is better than hardcoding but still carries security risks, as environment variables can be exposed.

Ready to Accelerate Your DCA Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

• ✅ Unlimited practice questions across all DCA domains

• ✅ Full-length exam simulations with real-time scoring

• ✅ AI-powered performance tracking and weak area identification

• ✅ Personalized study plans with adaptive learning

• ✅ Mobile-friendly platform for studying anywhere, anytime

• ✅ Expert explanations and study resources

Start Free Practice Now

Already have an account? Sign in here

About DCA Certification

The DCA certification validates your expertise in security and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.

📚 More Docker Certified Associate (DCA) Practice Questions:

• DCA Storage and Volumes – Free Practice Questions (2025)
• DCA Networking – Free Practice Questions (2025)
• DCA Installation & Configuration – Free Practice Questions (2025)
• DCA Orchestration – Free Practice Questions (2025)