Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Container Security vs Virtual Machine Security

Containers and VMs isolate workloads at different layers — kernel vs. hypervisor — which changes attack surface, blast radius, patch speed, and what your scanner actually needs to cover.

Mar 17, 20267 min read
Container Security

What is Helm Chart Security

Helm chart security means finding and fixing the RBAC, secrets, and supply chain risks baked into Kubernetes' most-used packaging format.

Mar 17, 20267 min read
Container Security

How to Choose a Secure Base Image

Base image choice sets your CVE floor before any scanner runs. Here's how to evaluate footprint, patch cadence, provenance, and rebuild cycle.

Mar 16, 20268 min read
Container Security

Chiseled / Distroless Image Rollout Program

What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.

Mar 14, 20267 min read
Container Security

Service Mesh Supply Chain Policy 2026

Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.

Mar 9, 20267 min read
Container Security

Kubernetes Operator Supply Chain Controls

Operators are powerful, privileged, and often under-governed. This post covers the supply chain controls that keep operator installations from becoming the largest attack surface in your cluster.

Mar 4, 20267 min read
Container Security

Deploying Cilium Tetragon for eBPF Runtime Security in 2026

A practical guide to rolling out Tetragon for kernel-level runtime visibility, covering policy authoring, performance overhead, and integration with existing detection pipelines.

Mar 4, 20266 min read
Container Security

Cosign container signing

What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.

Mar 4, 20267 min read
Container Security

The Minimal Base Image Myth: What Actually Reduces Attack Surface

Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.

Mar 3, 20267 min read
Container Security

Helm Chart Supply Chain Defence Blueprint

Helm charts are the most common Kubernetes deployment artifact and the least scrutinised. This blueprint covers chart provenance, signing, value validation, and the runtime correspondence checks that close the loop.

Feb 27, 20267 min read
Container Security

Multi-Arch Image Builds and Attestation Pitfalls

Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.

Feb 22, 20268 min read
Container Security

Container escape

A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.

Feb 22, 20267 min read
Container Security (Page 12) — Supply Chain Security Blog | Safeguard