Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Container Base Image Selection: A Security-First Decision Framework

Your base image choice determines your container security baseline. Most teams pick based on size or familiarity, not security properties.

Jun 12, 20236 min read
Container Security

Container Vulnerability Scanning: Comparing the Top Tools in 2023

Not all container scanners are equal. We compared Trivy, Grype, Snyk Container, and others on accuracy, speed, and coverage.

May 10, 20236 min read
Container Security

Running Containers in Rootless Mode: A Practical Security Guide

Root in the container often means root on the host. Rootless mode breaks that assumption. Here is how to run Docker and Podman without root and why it matters more than you think.

Apr 5, 20237 min read
Container Security

BuildKit and Buildah: Building Containers Without Giving Away the Keys

Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.

Mar 12, 20236 min read
Container Security

Kubernetes RBAC Security Best Practices for Supply Chain Protection

Misconfigured Kubernetes RBAC is a common path to supply chain compromise. Here's how to lock down permissions in your clusters.

Mar 5, 20236 min read
Container Security

Alpine APK Security Model: Small Footprint, Big Trust Decisions

Alpine Linux is the default choice for minimal containers. Its APK package manager has a different security model than apt or dnf, and the tradeoffs matter.

Feb 12, 20236 min read
Container Security

Docker Desktop WSL2 Security Changes in 2022

Docker Desktop's WSL2 backend reshaped container security on Windows. Here is what changed in 2022 and the defects that forced those changes.

Nov 18, 20226 min read
Container Security

Podman vs Docker Security: What Actually Changes When You Drop the Daemon

Podman is daemonless, rootless by default, and fork-exec instead of client-server. Here is what those architectural differences mean for container security in practice.

Nov 15, 20227 min read
Container Security

Runtime vs Static Container Analysis: Complementary, Not Competing

Static scanning finds known vulnerabilities. Runtime analysis finds actual exploitation. Using only one gives you half the picture.

Nov 12, 20226 min read
Container Security

Container Image Signing with Cosign: A Practical Deep Dive

Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.

Nov 8, 20226 min read
Container Security

Kubernetes Admission Controllers for Supply Chain Policy

Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them the right place to enforce image provenance, signing, and SBOM policies.

Sep 18, 20226 min read
Container Security

Docker Image Layer Security Analysis: What Lurks Beneath Your Containers

Every Docker image is a stack of layers, and each one can introduce vulnerabilities. Learn how to dissect image layers for security risks and what tools actually help.

Aug 12, 20227 min read
Container Security (Page 23) — Supply Chain Security Blog | Safeguard