Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

CIEM (Cloud Infrastructure Entitlement Management)

What is CIEM? A clear breakdown of Cloud Infrastructure Entitlement Management, how it differs from CSPM, and why excessive cloud permissions keep piling up.

Feb 22, 20267 min read
Container Security

Kubernetes admission controller

A Kubernetes admission controller intercepts API requests before they're persisted, enforcing policy on Pods, images, and configs before workloads ever run.

Feb 22, 20267 min read
Container Security

How to configure Kubernetes network policies

A step-by-step guide to configuring Kubernetes network policies: enabling Calico, building a default-deny baseline, allow-listing traffic, and verifying enforcement.

Feb 21, 20268 min read
Container Security

Distroless Node.js 20 on Debian 12 Image Deep Dive

A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.

Feb 19, 20265 min read
Container Security

How to scan container images for vulnerabilities with Trivy

Learn how to scan container images with Trivy: install it, run your first scan, filter by severity, and gate builds automatically in CI/CD pipelines.

Feb 19, 20267 min read
Container Security

How to implement Kubernetes Pod Security Standards

A step-by-step guide to implementing Kubernetes Pod Security Standards, from auditing pods to enforcing restricted mode and migrating off PSP.

Feb 19, 20268 min read
Container Security

Signing Container Images: Cosign, Notary, and Why It Matters

Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.

Feb 18, 20266 min read
Container Security

How to set up Kubernetes RBAC

A step-by-step kubernetes RBAC setup guide covering Roles, RoleBindings, service accounts, least-privilege patterns, and how to verify and troubleshoot access.

Feb 17, 20267 min read
Container Security

How to encrypt Kubernetes secrets at rest

A step-by-step guide to encrypting Kubernetes secrets at rest: choosing a KMS provider, configuring etcd encryption, re-encrypting existing secrets, and verifying it worked.

Feb 17, 20268 min read
Container Security

K8s RBAC Blast Radius in Supply Chain Attacks

How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC patterns that meaningfully reduce blast radius.

Feb 16, 20268 min read
Container Security

How to configure Falco for runtime security monitoring

A practical walkthrough to configure Falco runtime security in Kubernetes: install, customize rules, route alerts, tune noise, and verify detection end-to-end.

Feb 14, 20268 min read
Container Security

Container Breakout Class Vulnerabilities 2024-2025

A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.

Feb 11, 20267 min read
Container Security (Page 13) — Supply Chain Security Blog | Safeguard