Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Container security: five best practices for provenance, runtime, and network
A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.
Hardening PHP-FPM and Apache Container Images
PHP containers ship with defaults built for compatibility, not security. Opcache settings, disabled functions, and process ownership close the gaps.
A Practical Container Security Checklist: From Base Image to Runtime
Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.
Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared
BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.
Building minimal, non-root Java containers with distroless and JVM hardening
A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.
Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick
Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.
Container Runtime Security Monitoring: Catching the Breach in Progress
Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.
Docker Layer Caching Security Risks (and How to Avoid Them)
Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.
eBPF Runtime Security for Kubernetes
eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.
Service Mesh Security: mTLS, Authorization, and Zero Trust
A service mesh can give you mutual TLS between every service, identity-based authorization, and encrypted traffic without touching application code — or it can become an over-privileged proxy layer you never locked down. Here is how to do it right.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026
Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.