Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
CVE-2026-42945: A Buffer Overflow in NGINX's Rewrite Module Reaches Into Your Kubernetes Clusters (May 2026)
Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.
OSS container image scanning tools compared
Trivy finds CVEs fast and free. Safeguard compares how each handles fleet-wide inventory, triage, policy enforcement, and audit evidence at scale.
Container image scanning: how it works and best tools
A practical guide to container image scanning: how layer-by-layer CVE detection works, how Trivy stacks up, and where Safeguard adds deeper coverage.
Container security best practices checklist
A practical container security checklist covering base images, scanning limits, runtime risk, and why CVE scans like Trivy alone miss most real supply chain threats.
Docker CIS Benchmark: what it checks and how to pass it
A practical breakdown of what the CIS Docker Benchmark actually checks, why Trivy alone only covers part of it, and how to remediate and stay compliant.
Container escape attacks: how they happen and how to prev...
Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.
Announcing Kubernetes workload protection in Snyk Container
Snyk added Kubernetes workload protection to Snyk Container. Here's what it does, why it matters now, and what security teams should ask before relying on it.
Multi-Stage Docker Build Security in 2026
Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.
Image Scanning
How container image scanning works, where tools like Aqua Security's Trivy fall short on noise and reachability, and what modern scanning workflows require.
Container Registry Scanning
How container registry scanning actually works, why Aqua's Trivy isn't enough on its own, what the xz-utils backdoor exposed, and how Safeguard prioritizes findings that matter.
Docker CIS Benchmark
A practical breakdown of the Docker CIS Benchmark's 100+ controls, the checks teams fail most, how Aqua Security handles compliance, and what audit failures actually cost.
Kubernetes CIS Benchmark
CIS Kubernetes Benchmark controls, common failure patterns, how Aqua Security's kube-bench fits in, and how continuous, supply-chain-aware scanning closes the gaps a point-in-time scan leaves open.