Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Container Base Image Selection: A Security-First Decision Framework
Your base image choice determines your container security baseline. Most teams pick based on size or familiarity, not security properties.
Container Vulnerability Scanning: Comparing the Top Tools in 2023
Not all container scanners are equal. We compared Trivy, Grype, Snyk Container, and others on accuracy, speed, and coverage.
Running Containers in Rootless Mode: A Practical Security Guide
Root in the container often means root on the host. Rootless mode breaks that assumption. Here is how to run Docker and Podman without root and why it matters more than you think.
BuildKit and Buildah: Building Containers Without Giving Away the Keys
Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.
Kubernetes RBAC Security Best Practices for Supply Chain Protection
Misconfigured Kubernetes RBAC is a common path to supply chain compromise. Here's how to lock down permissions in your clusters.
Alpine APK Security Model: Small Footprint, Big Trust Decisions
Alpine Linux is the default choice for minimal containers. Its APK package manager has a different security model than apt or dnf, and the tradeoffs matter.
Docker Desktop WSL2 Security Changes in 2022
Docker Desktop's WSL2 backend reshaped container security on Windows. Here is what changed in 2022 and the defects that forced those changes.
Podman vs Docker Security: What Actually Changes When You Drop the Daemon
Podman is daemonless, rootless by default, and fork-exec instead of client-server. Here is what those architectural differences mean for container security in practice.
Runtime vs Static Container Analysis: Complementary, Not Competing
Static scanning finds known vulnerabilities. Runtime analysis finds actual exploitation. Using only one gives you half the picture.
Container Image Signing with Cosign: A Practical Deep Dive
Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.
Kubernetes Admission Controllers for Supply Chain Policy
Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them the right place to enforce image provenance, signing, and SBOM policies.
Docker Image Layer Security Analysis: What Lurks Beneath Your Containers
Every Docker image is a stack of layers, and each one can introduce vulnerabilities. Learn how to dissect image layers for security risks and what tools actually help.