Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Kubernetes Secrets

Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.

Apr 15, 20268 min read
Container Security

eBPF in Kubernetes

eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.

Apr 15, 20267 min read
Container Security

Rolling Out Zero-CVE Base Images Org-Wide

A pragmatic playbook for migrating an entire engineering organisation onto zero-CVE base images, covering pilot selection, registry mirroring, drift control, and the hard people-side of the rollout.

Apr 11, 20267 min read
Container Security

Container Vulnerability Scanner Buyer Guide 2026

A practical 2026 buyer guide for container vulnerability scanners: detection accuracy, reachability, signed advisories, runtime correlation, and the questions that separate vendors.

Apr 9, 20265 min read
Container Security

Ignoring Docker Registry Certificates: A Security Anti-Pattern

Telling Docker to ignore certificate errors fixes the immediate pull failure but quietly disables the check that confirms you're actually talking to your registry and not an attacker.

Apr 9, 20266 min read
Container Security

How to secure Kubernetes secrets and sensitive data

Kubernetes secrets are base64, not encrypted, by default. Here's how they actually leak, where Prisma Cloud's CNAPP approach falls short, and how to fix rotation, RBAC, and encryption gaps.

Apr 9, 20267 min read
Container Security

Container Supply Chain Defence: Build To Run

An end-to-end view of container supply chain controls from source through registry to runtime, covering signing, attestation, admission policy, and runtime drift, with concrete checkpoints at each stage.

Apr 7, 20267 min read
Container Security

Kubernetes Admission Policy Real-World Deployment

What it actually takes to put Kubernetes admission policy into enforcement mode without breaking deployments: phased rollout, exception workflows, audit-mode hygiene, and policy authoring conventions that survive contact with engineers.

Apr 3, 20267 min read
Container Security

Container Registry Security Hardening Checklist for 2026

A concrete hardening checklist for container registries in 2026, covering authentication, signing, scanning, retention, and the operational details that actually matter.

Apr 2, 20265 min read
Container Security

gVisor vs Firecracker in 2026: Choosing a Sandbox for Untrusted Workloads

A side-by-side comparison of gVisor and Firecracker for sandboxing untrusted code in 2026, covering security model, performance, and operational complexity.

Apr 2, 20266 min read
Container Security

Docker BuildKit Security Best Practices for 2026

BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.

Apr 2, 20266 min read
Container Security

Container Image Supply Chain: From Dockerfile to Production

Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.

Mar 30, 20268 min read
Container Security (Page 9) — Supply Chain Security Blog | Safeguard