Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Helm Chart Security Best Practices

Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.

Jul 1, 20266 min read
Container Security

How to Containerize a Node.js App Securely

The default Node.js Dockerfile runs as root, ships dev dependencies, and bakes secrets into layers. Here is a secure, multi-stage build you can copy, step by step.

Jul 1, 20266 min read
Container Security

Kubernetes Network Policies: A Practical Guide

By default every pod in a Kubernetes cluster can talk to every other pod. NetworkPolicies are how you replace that flat network with least-privilege segmentation — here is how to design and roll them out without breaking traffic.

Jul 1, 20265 min read
Container Security

Kubernetes Security Best Practices for 2026

A default Kubernetes cluster trusts too much: root pods, flat networking, and readable secrets. Here are the hardening practices that actually move the needle in 2026.

Jul 1, 20265 min read
Container Security

10 Docker image security best practices

Ten concrete Docker image security practices — minimal base images, secret handling, reachability-based scanning, non-root runtimes, and SBOMs — with real CVEs and data.

Jun 28, 202610 min read
Container Security

Top Docker security vulnerabilities to watch

Runc escapes, exposed Docker APIs, malicious registry images: the Docker vulnerabilities actually driving incidents in 2024-2025, and how to triage what's exploitable.

Jun 28, 20267 min read
Container Security

Choosing secure base images for containers

Base image choice drives most of your container's attack surface. Here's what secure Docker base images actually require, with concrete CVE data.

Jun 28, 20267 min read
Container Security

Distroless container images explained

Distroless images cut container size by up to 90% and eliminate OS-level CVEs, but they don't secure app dependencies. Here's how they work and where they fall short.

Jun 27, 20267 min read
Container Security

Alpine vs distroless: which base image is more secure

Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.

Jun 27, 20267 min read
Container Security

Scanning container images in CI/CD pipelines

Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.

Jun 27, 20267 min read
Container Security

Container isolation with namespaces, cgroups, and seccomp

Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.

Jun 27, 20266 min read
Container Security

Kubernetes Pod Security Standards explained

A breakdown of Kubernetes' Privileged, Baseline, and Restricted Pod Security Standards, how they replaced PodSecurityPolicy, and where enforcement typically fails.

Jun 26, 20267 min read
Container Security (Page 5) — Supply Chain Security Blog | Safeguard