Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Hardening Google Kubernetes Engine clusters against attacks
A step-by-step guide to GKE security best practices: private clusters, Workload Identity, Shielded Nodes, Binary Authorization, and verification checks for real audits.
Enforcing signed and attested container images with Binar...
A step-by-step guide to enforcing signed, attested container images in GKE with Binary Authorization — from attestor setup to policy enforcement and troubleshooting.
How Container Threat Detection identifies runtime attacks...
How Container Threat Detection GCP watches GKE kernels for reverse shells, added binaries, and privilege escalation—and why runtime signals catch what image scanning can't.
Comparing security models of GKE Autopilot versus Standar...
GKE Autopilot security vs Standard clusters draw the shared-responsibility line very differently. Here's what changes for pod security and hardening.
Implementing keyless container image signing with Cosign ...
A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.
Scanning Oracle Cloud Infrastructure Registry images for ...
A step-by-step guide to OCIR vulnerability scanning: enabling OCI's Vulnerability Scanning Service, triggering push-time scans, triaging CVEs, and signing verified images.
Hardening Oracle Kubernetes Engine (OKE) clusters
A practical, command-by-command guide to OKE security best practices: locking down the API endpoint, network security lists, pod security policies, IAM, and image signing.
Detecting container threats in OCI with Cloud Guard
How OCI Cloud Guard detects container threats in OKE — detector recipes, responder rules, real blind spots, and where Safeguard adds runtime and supply-chain coverage.
Comparing container registry security features across maj...
A practical, no-fluff comparison of ECR vs ACR vs GAR vs OCIR on scanning depth, signing, IAM, and compliance — plus where Harbor fits and how Safeguard unifies them.
How Log4Shell exposed cloud container images and how to d...
Log4Shell (CVE-2021-44228) still hides in container images years later. Here's how it works, its CVSS/EPSS/KEV context, and how to detect and remediate it across ECR, ACR, and GAR.
A Practical Kubernetes Operator Security Checklist
Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RBAC scoping to image provenance.
The 2019 Docker Hub Database Breach Exposing User Credent...
In April 2019, Docker Hub exposed 190,000 accounts' credentials and GitHub/Bitbucket tokens. Here's what happened, what leaked, and why it still matters for supply chain security.