Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
CIEM (Cloud Infrastructure Entitlement Management)
What is CIEM? A clear breakdown of Cloud Infrastructure Entitlement Management, how it differs from CSPM, and why excessive cloud permissions keep piling up.
Kubernetes admission controller
A Kubernetes admission controller intercepts API requests before they're persisted, enforcing policy on Pods, images, and configs before workloads ever run.
How to configure Kubernetes network policies
A step-by-step guide to configuring Kubernetes network policies: enabling Calico, building a default-deny baseline, allow-listing traffic, and verifying enforcement.
Distroless Node.js 20 on Debian 12 Image Deep Dive
A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.
How to scan container images for vulnerabilities with Trivy
Learn how to scan container images with Trivy: install it, run your first scan, filter by severity, and gate builds automatically in CI/CD pipelines.
How to implement Kubernetes Pod Security Standards
A step-by-step guide to implementing Kubernetes Pod Security Standards, from auditing pods to enforcing restricted mode and migrating off PSP.
Signing Container Images: Cosign, Notary, and Why It Matters
Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.
How to set up Kubernetes RBAC
A step-by-step kubernetes RBAC setup guide covering Roles, RoleBindings, service accounts, least-privilege patterns, and how to verify and troubleshoot access.
How to encrypt Kubernetes secrets at rest
A step-by-step guide to encrypting Kubernetes secrets at rest: choosing a KMS provider, configuring etcd encryption, re-encrypting existing secrets, and verifying it worked.
K8s RBAC Blast Radius in Supply Chain Attacks
How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC patterns that meaningfully reduce blast radius.
How to configure Falco for runtime security monitoring
A practical walkthrough to configure Falco runtime security in Kubernetes: install, customize rules, route alerts, tune noise, and verify detection end-to-end.
Container Breakout Class Vulnerabilities 2024-2025
A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.