Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Minimizing container attack surface

Container images ship 400+ CVEs on average but under 15% are reachable. Learn concrete, numbers-backed steps to cut container attack surface.

Jun 23, 20266 min read
Container Security

Signing and verifying container images with Sigstore/cosign

How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.

Jun 23, 20267 min read
Container Security

Detecting cryptomining malware in container images

Cryptomining malware like Kinsing and TeamTNT quietly hijacks container CPU cycles to mine Monero. Here's how it gets in, how to spot it, and how to stop it.

Jun 23, 20267 min read
Container Security

EKS vs GKE vs AKS: managed Kubernetes security compared

A technical breakdown of EKS, GKE, and AKS security: default hardening gaps, IAM models, real CVEs, and audit logging differences teams must know.

Jun 22, 20268 min read
Container Security

Security implications of Kubernetes operators

Kubernetes Operators run with elevated, cluster-wide privilege by design. IngressNightmare, Argo CD, and cert-manager CVEs show what happens when that trust is abused.

Jun 22, 20267 min read
Container Security

OCI image vulnerability scanning explained

A concrete breakdown of how OCI image vulnerability scanning works, where scanners miss real risk, and how to build a scan workflow that doesn't drown teams in noise.

Jun 22, 20267 min read
Container Security

Container escape vulnerabilities explained

Container escape vulnerabilities let attackers break out of isolation and reach the host kernel. Here's how CVE-2024-21626 and CVE-2019-5736 actually work.

Jun 22, 20267 min read
Container Security

Docker Hub malicious image detection

Docker Hub's open upload model has enabled real cryptojacking and phishing campaigns — here's how attackers hide malware in images and how to detect them.

Jun 21, 20267 min read
Container Security

Securing serverless containers on Fargate and Cloud Run

No SSH, no DaemonSets, no host agents. Here's how Firecracker and gVisor isolation change container security on Fargate and Cloud Run — and what still gets you breached.

Jun 21, 20267 min read
Container Security

Reducing CVEs in container base images

Base images inherit hundreds of OS-level CVEs your app never touches. Here's how reachability analysis and minimal bases cut real risk, not just counts.

Jun 21, 20267 min read
Container Security

Deep visibility into hardened/minimal container images (d...

Distroless images strip the package managers most scanners rely on. Here's how Safeguard achieves deep visibility into hardened images, compared to Black Duck's SCA heritage.

Jun 15, 20268 min read
Container Security

Top container security tools to evaluate

Comparing Safeguard and Mend.io on the dimensions that actually matter for container security: scanning engine transparency, air-gapped support, registry coverage, and product origin.

May 25, 20268 min read
Container Security (Page 7) — Supply Chain Security Blog | Safeguard