Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
VM to Container: Supply Chain Implications of the Migration
What changes in your software supply chain when you move from virtual machines to containers, and how to adapt governance, scanning, and provenance accordingly.
Kubernetes Secrets Encryption Providers Reviewed
etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sharpened in 2024.
gVisor Runtime Security Deep Dive
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.
How to Enforce Cosign Signatures in Kubernetes Admission
A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.
Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker
Your container runtime determines the strength of your isolation boundary. Here is an honest comparison of runc, gVisor, Kata Containers, and Firecracker from a security perspective.
OpenShift Security Context Constraints: A Guide
SCCs predate Pod Security Admission by a decade and are more powerful. That power is also why OpenShift newcomers find them confusing.
Chainguard Images: The Zero-CVE Container Base Image Revolution
Chainguard ships container images with zero known CVEs. That sounds like marketing until you understand how they build them. Here is the technical reality behind the claim.
Container Escape Techniques in 2023: What's Changed and What Hasn't
Container escapes remain a real threat in multi-tenant environments. A look at the latest techniques, CVEs, and defenses as container security matures in 2023.
Trivy vs Grype: Container Scanning Head-to-Head
Compare Trivy and Grype on vulnerability database sources, scan speed, OS coverage, SBOM integration, and CI ergonomics to pick the right open source container scanner.
Scratch vs Distroless: Choosing the Right Minimal Container Image
Both scratch and distroless promise minimal attack surface. The right choice depends on your runtime, your debugging needs, and your tolerance for complexity.
Kubernetes 1.27 Security Highlights
Kubernetes 1.27 graduated seccomp default, introduced in-place pod resize, and cleaned up admission. Here is what actually matters for cluster security.
Distroless Container Images: Stripping the Attack Surface to Nothing
Distroless images remove the shell, package manager, and everything else an attacker needs post-exploitation. Here is how to use them, what breaks, and whether the security tradeoff is worth it.