Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage
OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.
Minimal, Non-Root Docker Images for Python: A Best-Practices Guide
CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.
Container escape techniques and defense in depth
CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.
Container isolation mechanisms explained: namespaces, cgroups, seccomp, and gVisor
Docker's default seccomp profile blocks roughly 44 of the 300-plus Linux syscalls, yet a 2019 runc escape bypassed every default namespace boundary anyway.
Best practices for containerizing .NET applications securely
.NET 8 gave containers a built-in non-root user and chiseled images that cut one team's CVE count 92% — most Dockerfiles still don't use either.
Containerizing Node.js apps: an updated Docker best-practices guide
The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.
Docker image vulnerability scanning: best practices for CI/CD
Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.
Choosing a secure Node.js Docker base image
A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.
The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)
Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.
Securing a Dockerized Rails Local Dev Environment
A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.
Minimal container images with ko: evaluating distroless Go builds
ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.