Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

VM to Container: Supply Chain Implications of the Migration

What changes in your software supply chain when you move from virtual machines to containers, and how to adapt governance, scanning, and provenance accordingly.

Mar 8, 20247 min read
Container Security

Kubernetes Secrets Encryption Providers Reviewed

etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sharpened in 2024.

Mar 5, 20248 min read
Container Security

gVisor Runtime Security Deep Dive

gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.

Feb 18, 20247 min read
Container Security

How to Enforce Cosign Signatures in Kubernetes Admission

A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.

Feb 15, 20245 min read
Container Security

Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker

Your container runtime determines the strength of your isolation boundary. Here is an honest comparison of runc, gVisor, Kata Containers, and Firecracker from a security perspective.

Dec 12, 20237 min read
Container Security

OpenShift Security Context Constraints: A Guide

SCCs predate Pod Security Admission by a decade and are more powerful. That power is also why OpenShift newcomers find them confusing.

Dec 6, 20237 min read
Container Security

Chainguard Images: The Zero-CVE Container Base Image Revolution

Chainguard ships container images with zero known CVEs. That sounds like marketing until you understand how they build them. Here is the technical reality behind the claim.

Nov 22, 20236 min read
Container Security

Container Escape Techniques in 2023: What's Changed and What Hasn't

Container escapes remain a real threat in multi-tenant environments. A look at the latest techniques, CVEs, and defenses as container security matures in 2023.

Nov 5, 20235 min read
Container Security

Trivy vs Grype: Container Scanning Head-to-Head

Compare Trivy and Grype on vulnerability database sources, scan speed, OS coverage, SBOM integration, and CI ergonomics to pick the right open source container scanner.

Oct 20, 20235 min read
Container Security

Scratch vs Distroless: Choosing the Right Minimal Container Image

Both scratch and distroless promise minimal attack surface. The right choice depends on your runtime, your debugging needs, and your tolerance for complexity.

Oct 12, 20236 min read
Container Security

Kubernetes 1.27 Security Highlights

Kubernetes 1.27 graduated seccomp default, introduced in-place pod resize, and cleaned up admission. Here is what actually matters for cluster security.

Aug 11, 20235 min read
Container Security

Distroless Container Images: Stripping the Attack Surface to Nothing

Distroless images remove the shell, package manager, and everything else an attacker needs post-exploitation. Here is how to use them, what breaks, and whether the security tradeoff is worth it.

Jul 28, 20236 min read
Container Security (Page 22) — Supply Chain Security Blog | Safeguard