Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage

OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.

Jul 16, 20266 min read
Container Security

Minimal, Non-Root Docker Images for Python: A Best-Practices Guide

CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.

Jul 16, 20266 min read
Container Security

Container escape techniques and defense in depth

CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.

Jul 15, 20266 min read
Container Security

Container isolation mechanisms explained: namespaces, cgroups, seccomp, and gVisor

Docker's default seccomp profile blocks roughly 44 of the 300-plus Linux syscalls, yet a 2019 runc escape bypassed every default namespace boundary anyway.

Jul 13, 20267 min read
Container Security

Best practices for containerizing .NET applications securely

.NET 8 gave containers a built-in non-root user and chiseled images that cut one team's CVE count 92% — most Dockerfiles still don't use either.

Jul 13, 20266 min read
Container Security

Containerizing Node.js apps: an updated Docker best-practices guide

The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.

Jul 13, 20267 min read
Container Security

Docker image vulnerability scanning: best practices for CI/CD

Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.

Jul 13, 20267 min read
Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Container Security

The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)

Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.

Jul 12, 20266 min read
Container Security

Securing a Dockerized Rails Local Dev Environment

A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.

Jul 12, 20266 min read
Container Security

Minimal container images with ko: evaluating distroless Go builds

ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.

Jul 12, 20267 min read
Container Security

Container-handling security fundamentals: immutability, signing, and privilege drops

Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.

Jul 11, 20267 min read
Container Security — Supply Chain Security Blog | Safeguard