Containers
In-depth guides and analysis on containers from the Safeguard engineering team.
45 articles
Docker Scanners: Comparing the Image-Scanning Options
A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.
Scanning Docker Images for Vulnerabilities: How To
Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.
Choosing a Container Security Scanner
A practical checklist for choosing a container security scanner, covering base-image coverage, registry integration, runtime relevance, and how scan noise actually gets managed.
Docker Privileged Mode: What It Unlocks and Why to Avoid It
One flag, --privileged, hands a container almost the same power as root on the host. Here is exactly what it turns on, why it breaks isolation, and the narrow capabilities that replace it.
Docker Image Labels: Metadata That Actually Matters
Docker image labels are free-form key-value metadata that, used well, drive SBOM generation, ownership tracing, and vulnerability triage — used poorly, they're just clutter in the Dockerfile.
Docker Image for Node: Choosing Slim vs Full Builds
The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.
Container Image Security Tools, Compared
A container image security tool scans layers, packages, and configuration inside an image before and after it ships — here's how the major approaches differ and what actually matters when picking one.
Container Security Testing Methods, Compared
Image scanning, runtime monitoring, and configuration auditing all count as container security testing, but they catch different things at different stages — here's how to combine them.
Kubernetes securityContext, Explained From Scratch
How security context in kubernetes actually works at the pod and container level, what kubernetes runasuser and capability drops do, and a sane default policy to start from.
Kubernetes Security Breaches: What Actually Happened in Real Incidents
Real Kubernetes security breaches rarely start with an exotic zero-day — exposed dashboards, misconfigured RBAC, and default credentials show up again and again.
Docker Rebuild Strategies: Cache and Layers Done Right
Docker rebuild speed and security both come down to how you order layers and invalidate cache — get it wrong and you either wait ten minutes per build or ship stale, unpatched images.
Dockerizing Node.js and PHP Apps: A Practical Guide
Writing a node js dockerfile and learning how to dockerize php application deployments both hinge on the same handful of decisions — base image, layer order, and what you leave out of the final image.