Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
Kubernetes Secrets
Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.
eBPF in Kubernetes
eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.
Rolling Out Zero-CVE Base Images Org-Wide
A pragmatic playbook for migrating an entire engineering organisation onto zero-CVE base images, covering pilot selection, registry mirroring, drift control, and the hard people-side of the rollout.
Container Vulnerability Scanner Buyer Guide 2026
A practical 2026 buyer guide for container vulnerability scanners: detection accuracy, reachability, signed advisories, runtime correlation, and the questions that separate vendors.
Ignoring Docker Registry Certificates: A Security Anti-Pattern
Telling Docker to ignore certificate errors fixes the immediate pull failure but quietly disables the check that confirms you're actually talking to your registry and not an attacker.
How to secure Kubernetes secrets and sensitive data
Kubernetes secrets are base64, not encrypted, by default. Here's how they actually leak, where Prisma Cloud's CNAPP approach falls short, and how to fix rotation, RBAC, and encryption gaps.
Container Supply Chain Defence: Build To Run
An end-to-end view of container supply chain controls from source through registry to runtime, covering signing, attestation, admission policy, and runtime drift, with concrete checkpoints at each stage.
Kubernetes Admission Policy Real-World Deployment
What it actually takes to put Kubernetes admission policy into enforcement mode without breaking deployments: phased rollout, exception workflows, audit-mode hygiene, and policy authoring conventions that survive contact with engineers.
Container Registry Security Hardening Checklist for 2026
A concrete hardening checklist for container registries in 2026, covering authentication, signing, scanning, retention, and the operational details that actually matter.
gVisor vs Firecracker in 2026: Choosing a Sandbox for Untrusted Workloads
A side-by-side comparison of gVisor and Firecracker for sandboxing untrusted code in 2026, covering security model, performance, and operational complexity.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.
Container Image Supply Chain: From Dockerfile to Production
Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.