Question 18
Domain 6: Monitoring, Logging and Runtime Security
What is the strongest reason to review transitive dependencies in your images, not just the top-level package list?
Correct answer: A
Explanation
Transitive dependencies are packages pulled in by other packages, so a top-level list can miss what is actually shipped in the image. Hidden downstream dependencies can still introduce vulnerabilities or license obligations, affecting the final artifact even if they are not directly installed by you.
Why each option is right or wrong
A. Hidden downstream dependencies can carry vulnerabilities or licenses that still affect the final artifact
Under common software supply-chain and open-source compliance rules, the relevant unit of review is the final distributed artifact, not just the explicitly requested packages. For example, SPDX and many enterprise SBOM policies treat all included components as part of the deliverable, so a dependency pulled in at depth 2 or 3 can still introduce a CVE or a copyleft license obligation that attaches to the image you ship. Reviewing only the top-level list misses those inherited components, even though they are present in the final artifact and can affect security and licensing exposure.
B. Transitive dependencies are never included in runtime images
Transitive dependencies are often installed and packaged into the final image through dependency resolution.
C. Kubernetes removes transitive packages automatically
Kubernetes orchestrates containers; it does not automatically remove dependency packages from images.
D. Only direct dependencies can execute code
Indirect libraries and tools can still be loaded or invoked, and can still expose vulnerable executable components.
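To make the point in the explanation and in option A concrete, here is an added example (not part of the original question, and not an SPDX tool) that walks a constructed SPDX-style DEPENDS_ON graph from an image root and reports the shipped components a top-level-only review would never see. The component names, licence strings and VULN-PLACEHOLDER identifiers are all constructed sample data.

```python
# Added example: a constructed SPDX-style relationship graph for one image.
# Each tuple reads "parent DEPENDS_ON child"; depth 1 is the top-level list.
from collections import deque

RELATIONSHIPS = [
    ("image-root", "web-app"),
    ("image-root", "curl"),
    ("web-app", "http-lib"),          # depth 2, never requested directly
    ("http-lib", "compression-lib"),  # depth 3
    ("curl", "tls-lib"),              # depth 2
]

# Constructed per-component metadata; the vulnerability IDs are placeholders.
METADATA = {
    "web-app":         {"license": "MIT",          "vulns": []},
    "curl":            {"license": "MIT",          "vulns": []},
    "http-lib":        {"license": "Apache-2.0",   "vulns": ["VULN-PLACEHOLDER-1"]},
    "compression-lib": {"license": "GPL-3.0-only", "vulns": []},
    "tls-lib":         {"license": "Apache-2.0",   "vulns": ["VULN-PLACEHOLDER-2"]},
}

COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def resolve_depths(root, relationships):
    """Breadth-first walk returning {component: shortest depth from root}."""
    children = {}
    for parent, child in relationships:
        children.setdefault(parent, []).append(child)
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in children.get(node, []):
            if child not in depths:          # first visit is the shortest path
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def review(root, relationships, metadata):
    """Findings a top-level-only review misses: components at depth > 1 that
    carry a vulnerability or a copyleft licence, ordered by depth."""
    depths = resolve_depths(root, relationships)
    findings = []
    for comp, depth in sorted(depths.items(), key=lambda kv: kv[1]):
        if depth <= 1:
            continue  # already visible on the top-level package list
        meta = metadata.get(comp, {"license": "NOASSERTION", "vulns": []})
        reasons = list(meta["vulns"])
        if meta["license"].startswith(COPYLEFT_PREFIXES):
            reasons.append("copyleft:" + meta["license"])
        if reasons:
            findings.append((comp, depth, reasons))
    return findings


if __name__ == "__main__":
    for comp, depth, reasons in review("image-root", RELATIONSHIPS, METADATA):
        print(f"depth {depth}: {comp} -> {', '.join(reasons)}")
```

Run against the sample graph, the two top-level packages are clean, yet three components they pull in carry a vulnerability or a copyleft obligation that attaches to the image.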