Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy

A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.

Jul 8, 20265 min read
Container Security

CTF Writeup: Container SETUID Escape Techniques

A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.

Jul 8, 20266 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
Container Security

Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images

jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.

Jul 8, 20266 min read
Container Security

Building a minimal, multi-stage, non-root Dockerfile for PHP

The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.

Jul 8, 20267 min read
Container Security

Kubernetes Admission Controllers for Security

Admission controllers are the policy chokepoint between a validated API request and a running workload. Used well, they enforce your entire security posture. Here is how validating webhooks, Kyverno, OPA, and the new CEL-based policies fit together.

Jul 7, 20265 min read
Container Security

Kubernetes Supply Chain Security: Trusting What You Deploy

The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.

Jul 7, 20265 min read
Container Security

Docker Secrets Management: Stop Baking Credentials Into Images

A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.

Jul 6, 20266 min read
Container Security

Image Signing with Cosign and Sigstore

A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.

Jul 6, 20265 min read
Container Security

Minimal Base Images for Security: A Practical Guide

Minimal base images cut CVE counts by up to 95% by shipping only what your app needs. Here is how to choose between distroless, Wolfi, Alpine, and scratch — and build on each safely.

Jul 6, 20265 min read
Container Security

Alpine vs Debian Base Image Security: Which Is Safer?

Alpine is tiny and dodged the xz backdoor; Debian has deeper security tracking and broader compatibility. Here is how the two base images actually compare on security — and how to harden either one.

Jul 5, 20265 min read
Container Security

Container Escape Vulnerabilities: How They Work and How to Stop Them

A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.

Jul 5, 20265 min read
Container Security (Page 3) — Supply Chain Security Blog | Safeguard