Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Container Security Best Practices Checklist 2026
A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
How to enable and configure Amazon ECR image scanning for...
A step-by-step guide to enabling AWS ECR image scanning, from basic vs. enhanced scanning and scan-on-push to CI/CD gating, finding triage, and troubleshooting.
Hardening Amazon EKS clusters against common attack paths
A step-by-step guide to EKS security best practices: lock down IAM, enforce pod security standards, segment networks, and verify every control.
Signing container images with AWS Signer for supply chain...
A practical walkthrough for signing container images with AWS Signer, verifying them in ECR and EKS, and closing supply chain gaps with cryptographic trust.
Distroless vs. Chainguard vs. Wolfi: Real Differences
A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.
Continuous container vulnerability scanning with Amazon I...
How Amazon Inspector's continuous container scanning actually works, where Inspector vs Trivy differs, and the ECR blind spots teams need to cover.
Detecting malware and runtime threats in ECR and EKS with...
How GuardDuty ECR malware protection and EKS runtime monitoring catch cryptominers and malicious images, where the coverage gaps are, and how Safeguard closes them.
Scanning Azure Container Registry images for vulnerabilities
A step-by-step guide to enabling Azure Container Registry vulnerability scanning with Microsoft Defender for Containers, plus troubleshooting and gating deployments on scan results.
How Microsoft Defender for Containers protects AKS and AC...
Defender for Containers scans ACR images and monitors AKS clusters in real time — but it can't see what happens before a build reaches the registry. Here's what it covers and what it misses.
K8s Admission Controllers for Supply Chain Policy
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.
Security best practices for Azure Container Apps and secr...
A step-by-step guide to Azure Container Apps security best practices: managed identity, Key Vault-backed secrets, network ingress, and supply chain hardening.