Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

CRI-O vs containerd: Security Comparison

Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.

Aug 22, 20246 min read
Container Security

Rancher Cluster Security Hardening

Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.

Jul 30, 20247 min read
Container Security

Azure Container Registry Trust Model

What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and where the trust chain breaks in practice.

Jul 28, 20247 min read
Container Security

AWS ECR Image Signing in Production

Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.

Jul 22, 20247 min read
Container Security

External Secrets Operator: A Kubernetes Guide

A senior engineer's walkthrough of External Secrets Operator, covering architecture, SecretStore design, rotation, and the patterns that hold up in production.

Jul 18, 20247 min read
Container Security

Firecracker micro-VM Security Model

AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.

Jun 28, 20246 min read
Container Security

How to Sign Container Images With Cosign: A Complete Guide

A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.

Jun 10, 20245 min read
Container Security

containerd Security Configuration Guide

containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.

May 12, 20246 min read
Container Security

BuildKit Cache Security Considerations for Container Builds

BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.

Apr 12, 20245 min read
Container Security

Kubernetes Network Policies: The Supply Chain Angle

Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.

Apr 8, 20247 min read
Container Security

GCP Cloud Run Supply Chain Security

A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authorization, runtime identity, and the gaps the default configuration leaves wide open.

Mar 25, 20247 min read
Container Security

Wolfi OS: The Linux Distribution Built for Secure Containers

Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.

Mar 22, 20246 min read
Container Security (Page 21) — Supply Chain Security Blog | Safeguard