Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Prisma Cloud vs Wiz: Supply Chain Features
Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what each actually delivers on the supply chain dimension.
How Snyk Container detects a Dockerfile's base image with...
Snyk Container identifies a Dockerfile's true base image by comparing layer digests against a registry database, no docker run required.
How Snyk Container maps vulnerabilities to specific image...
How Snyk Container uses OCI manifest metadata, diff_ids, and Dockerfile history to trace a vulnerable package to the exact layer and build instruction that introduced it.
How Snyk Container's Base Image filter isolates OS-level ...
How Snyk Container's Base Image filter separates OS-level vulnerabilities from application dependencies, how it identifies base images, and where attribution breaks down.
How Snyk Container scans distroless and minimal (Wolfi-st...
Distroless and Wolfi-style images strip out package managers, breaking traditional scanners. Here's how Snyk Container identifies vulnerable packages anyway.
How Snyk Container's static filesystem analysis avoids th...
How Snyk Container inspects image layers, package databases, and lockfiles without ever running the container — and where static filesystem analysis hits its limits.
How Snyk Container integrates with Kubernetes workloads f...
How Snyk Container's Kubernetes integration uses a read-only controller to continuously re-check running workload images as new CVEs are disclosed.
How Snyk Container handles multi-stage Docker builds duri...
How Snyk Container identifies base images, attributes vulnerabilities to Dockerfile instructions, and scopes scans across multi-stage Docker builds.
How Snyk Container's registry integrations authenticate a...
A technical walkthrough of how Snyk Container authenticates and pulls images from ECR, ACR, GCR, and Artifactory using IAM roles, service principals, and tokens.
How Snyk Broker's Container Registry Agent scans private,...
How Snyk's Broker Container Registry Agent scans private, self-hosted registries like Artifactory and Nexus without exposing credentials or images to the cloud.
How Snyk's Docker Desktop Extension scans images before t...
How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.
How Snyk Container's automatic base image remediation PRs...
How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.