Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy
A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.
CTF Writeup: Container SETUID Escape Techniques
A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.
Docker best practices for Node.js developers in 2026
Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.
Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images
jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
Kubernetes Admission Controllers for Security
Admission controllers are the policy chokepoint between a validated API request and a running workload. Used well, they enforce your entire security posture. Here is how validating webhooks, Kyverno, OPA, and the new CEL-based policies fit together.
Kubernetes Supply Chain Security: Trusting What You Deploy
The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.
Docker Secrets Management: Stop Baking Credentials Into Images
A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.
Image Signing with Cosign and Sigstore
A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.
Minimal Base Images for Security: A Practical Guide
Minimal base images cut CVE counts by up to 95% by shipping only what your app needs. Here is how to choose between distroless, Wolfi, Alpine, and scratch — and build on each safely.
Alpine vs Debian Base Image Security: Which Is Safer?
Alpine is tiny and dodged the xz backdoor; Debian has deeper security tracking and broader compatibility. Here is how the two base images actually compare on security — and how to harden either one.
Container Escape Vulnerabilities: How They Work and How to Stop Them
A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.