Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Container Security vs Virtual Machine Security
Containers and VMs isolate workloads at different layers — kernel vs. hypervisor — which changes attack surface, blast radius, patch speed, and what your scanner actually needs to cover.
What is Helm Chart Security
Helm chart security means finding and fixing the RBAC, secrets, and supply chain risks baked into Kubernetes' most-used packaging format.
How to Choose a Secure Base Image
Base image choice sets your CVE floor before any scanner runs. Here's how to evaluate footprint, patch cadence, provenance, and rebuild cycle.
Chiseled / Distroless Image Rollout Program
What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.
Service Mesh Supply Chain Policy 2026
Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.
Kubernetes Operator Supply Chain Controls
Operators are powerful, privileged, and often under-governed. This post covers the supply chain controls that keep operator installations from becoming the largest attack surface in your cluster.
Deploying Cilium Tetragon for eBPF Runtime Security in 2026
A practical guide to rolling out Tetragon for kernel-level runtime visibility, covering policy authoring, performance overhead, and integration with existing detection pipelines.
Cosign container signing
What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.
The Minimal Base Image Myth: What Actually Reduces Attack Surface
Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.
Helm Chart Supply Chain Defence Blueprint
Helm charts are the most common Kubernetes deployment artifact and the least scrutinised. This blueprint covers chart provenance, signing, value validation, and the runtime correspondence checks that close the loop.
Multi-Arch Image Builds and Attestation Pitfalls
Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.
Container escape
A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.