Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Sidecar Proxies and the Expanding Attack Surface of Servi...

Sidecar proxies like Envoy quietly double your cluster's attack surface. Real CVEs from 2023–2024 show how mesh sidecars get exploited — and how to actually secure them.

Aug 3, 20257 min read
Container Security

Runtime Detection vs Static Scanning: Closing the Cloud-t...

Static scanners miss what only shows up at runtime. See why the cloud-to-code visibility gap causes months-long breach dwell times, and how to close it.

Aug 3, 20257 min read
Container Security

The Cost Multiplier Effect of Fixing Vulnerabilities in P...

A misconfigured base image caught at build time costs minutes to fix. Found in production, the same CVE triggers incident response and audits.

Aug 3, 20258 min read
Container Security

Multi-Cloud Complexity as a Hidden Security Tax on Engine...

Multi-cloud isn't a strategy most teams chose — it's an accumulation. Here's where the hidden security tax of running AWS, Azure, and GCP together actually gets paid, and how to stop paying it.

Aug 3, 20258 min read
Container Security

Why Container Registries Are an Underexamined Supply Chai...

Registries decide what code actually runs in production, yet most security programs treat them as passive storage. Here's why that's a costly blind spot.

Aug 2, 20256 min read
Container Security

Kubernetes 1.33 Security Deep Dive

Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization, and several deprecations that will affect production clusters.

Jun 20, 20256 min read
Container Security

Service Mesh for Supply Chain Policy Enforcement

Using Istio, Linkerd, and Cilium service mesh to enforce signed-artifact, SPIFFE identity, and provenance-aware policy in production clusters.

May 24, 20255 min read
Container Security

eBPF Security Controls: A Production Experience Report

Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.

Dec 20, 20245 min read
Container Security

Kata Containers Security Model Review

Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.

Nov 14, 20246 min read
Container Security

GCP Binary Authorization Policy Patterns

Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.

Sep 28, 20247 min read
Container Security

Kubernetes 1.30 and 1.31 Security Rundown

ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.

Sep 20, 20245 min read
Container Security

Kubernetes Service Mesh Policy Depth

Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.

Sep 15, 20247 min read
Container Security (Page 20) — Supply Chain Security Blog | Safeguard