Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Sidecar Proxies and the Expanding Attack Surface of Servi...
Sidecar proxies like Envoy quietly double your cluster's attack surface. Real CVEs from 2023–2024 show how mesh sidecars get exploited — and how to actually secure them.
Runtime Detection vs Static Scanning: Closing the Cloud-t...
Static scanners miss what only shows up at runtime. See why the cloud-to-code visibility gap causes months-long breach dwell times, and how to close it.
The Cost Multiplier Effect of Fixing Vulnerabilities in P...
A misconfigured base image caught at build time costs minutes to fix. Found in production, the same CVE triggers incident response and audits.
Multi-Cloud Complexity as a Hidden Security Tax on Engine...
Multi-cloud isn't a strategy most teams chose — it's an accumulation. Here's where the hidden security tax of running AWS, Azure, and GCP together actually gets paid, and how to stop paying it.
Why Container Registries Are an Underexamined Supply Chai...
Registries decide what code actually runs in production, yet most security programs treat them as passive storage. Here's why that's a costly blind spot.
Kubernetes 1.33 Security Deep Dive
Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization, and several deprecations that will affect production clusters.
Service Mesh for Supply Chain Policy Enforcement
Using Istio, Linkerd, and Cilium service mesh to enforce signed-artifact, SPIFFE identity, and provenance-aware policy in production clusters.
eBPF Security Controls: A Production Experience Report
Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.
Kata Containers Security Model Review
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
GCP Binary Authorization Policy Patterns
Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.
Kubernetes 1.30 and 1.31 Security Rundown
ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.
Kubernetes Service Mesh Policy Depth
Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.