Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

CVE-2026-42945: A Buffer Overflow in NGINX's Rewrite Module Reaches Into Your Kubernetes Clusters (May 2026)

Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.

May 18, 202612 min read
Container Security

OSS container image scanning tools compared

Trivy finds CVEs fast and free. Safeguard compares how each handles fleet-wide inventory, triage, policy enforcement, and audit evidence at scale.

Apr 29, 20267 min read
Container Security

Container image scanning: how it works and best tools

A practical guide to container image scanning: how layer-by-layer CVE detection works, how Trivy stacks up, and where Safeguard adds deeper coverage.

Apr 26, 20267 min read
Container Security

Container security best practices checklist

A practical container security checklist covering base images, scanning limits, runtime risk, and why CVE scans like Trivy alone miss most real supply chain threats.

Apr 26, 20267 min read
Container Security

Docker CIS Benchmark: what it checks and how to pass it

A practical breakdown of what the CIS Docker Benchmark actually checks, why Trivy alone only covers part of it, and how to remediate and stay compliant.

Apr 26, 20268 min read
Container Security

Container escape attacks: how they happen and how to prev...

Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.

Apr 26, 20269 min read
Container Security

Announcing Kubernetes workload protection in Snyk Container

Snyk added Kubernetes workload protection to Snyk Container. Here's what it does, why it matters now, and what security teams should ask before relying on it.

Apr 22, 20267 min read
Container Security

Multi-Stage Docker Build Security in 2026

Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.

Apr 21, 20267 min read
Container Security

Image Scanning

How container image scanning works, where tools like Aqua Security's Trivy fall short on noise and reachability, and what modern scanning workflows require.

Apr 16, 20268 min read
Container Security

Container Registry Scanning

How container registry scanning actually works, why Aqua's Trivy isn't enough on its own, what the xz-utils backdoor exposed, and how Safeguard prioritizes findings that matter.

Apr 16, 20268 min read
Container Security

Docker CIS Benchmark

A practical breakdown of the Docker CIS Benchmark's 100+ controls, the checks teams fail most, how Aqua Security handles compliance, and what audit failures actually cost.

Apr 16, 20267 min read
Container Security

Kubernetes CIS Benchmark

CIS Kubernetes Benchmark controls, common failure patterns, how Aqua Security's kube-bench fits in, and how continuous, supply-chain-aware scanning closes the gaps a point-in-time scan leaves open.

Apr 15, 20267 min read
Container Security (Page 8) — Supply Chain Security Blog | Safeguard