Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Container security: five best practices for provenance, runtime, and network

A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.

Jul 11, 20266 min read
Container Security

Hardening PHP-FPM and Apache Container Images

PHP containers ship with defaults built for compatibility, not security. Opcache settings, disabled functions, and process ownership close the gaps.

Jul 11, 20266 min read
Container Security

A Practical Container Security Checklist: From Base Image to Runtime

Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.

Jul 10, 20266 min read
Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Container Security

Building minimal, non-root Java containers with distroless and JVM hardening

A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.

Jul 10, 20266 min read
Container Security

Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick

Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.

Jul 8, 20265 min read
Container Security

Container Runtime Security Monitoring: Catching the Breach in Progress

Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.

Jul 8, 20265 min read
Container Security

Docker Layer Caching Security Risks (and How to Avoid Them)

Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.

Jul 8, 20266 min read
Container Security

eBPF Runtime Security for Kubernetes

eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.

Jul 8, 20266 min read
Container Security

Service Mesh Security: mTLS, Authorization, and Zero Trust

A service mesh can give you mutual TLS between every service, identity-based authorization, and encrypted traffic without touching application code — or it can become an over-privileged proxy layer you never locked down. Here is how to do it right.

Jul 8, 20265 min read
Container Security

Automating container image vulnerability scans in GitHub Actions

A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.

Jul 8, 20266 min read
Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
Container Security (Page 2) — Supply Chain Security Blog | Safeguard