Safeguard
Topic

Containers

In-depth guides and analysis on containers from the Safeguard engineering team.

45 articles

Containers

Docker Scanners: Comparing the Image-Scanning Options

A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.

Sep 17, 20255 min read
Containers

Scanning Docker Images for Vulnerabilities: How To

Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.

Sep 16, 20255 min read
Containers

Choosing a Container Security Scanner

A practical checklist for choosing a container security scanner, covering base-image coverage, registry integration, runtime relevance, and how scan noise actually gets managed.

Sep 16, 20255 min read
Containers

Docker Privileged Mode: What It Unlocks and Why to Avoid It

One flag, --privileged, hands a container almost the same power as root on the host. Here is exactly what it turns on, why it breaks isolation, and the narrow capabilities that replace it.

Sep 16, 20256 min read
Containers

Docker Image Labels: Metadata That Actually Matters

Docker image labels are free-form key-value metadata that, used well, drive SBOM generation, ownership tracing, and vulnerability triage — used poorly, they're just clutter in the Dockerfile.

Sep 3, 20255 min read
Containers

Docker Image for Node: Choosing Slim vs Full Builds

The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.

Sep 3, 20256 min read
Containers

Container Image Security Tools, Compared

A container image security tool scans layers, packages, and configuration inside an image before and after it ships — here's how the major approaches differ and what actually matters when picking one.

Aug 22, 20255 min read
Containers

Container Security Testing Methods, Compared

Image scanning, runtime monitoring, and configuration auditing all count as container security testing, but they catch different things at different stages — here's how to combine them.

Aug 14, 20255 min read
Containers

Kubernetes securityContext, Explained From Scratch

How security context in kubernetes actually works at the pod and container level, what kubernetes runasuser and capability drops do, and a sane default policy to start from.

Jul 3, 20255 min read
Containers

Kubernetes Security Breaches: What Actually Happened in Real Incidents

Real Kubernetes security breaches rarely start with an exotic zero-day — exposed dashboards, misconfigured RBAC, and default credentials show up again and again.

Jul 2, 20254 min read
Containers

Docker Rebuild Strategies: Cache and Layers Done Right

Docker rebuild speed and security both come down to how you order layers and invalidate cache — get it wrong and you either wait ten minutes per build or ship stale, unpatched images.

Jun 25, 20255 min read
Containers

Dockerizing Node.js and PHP Apps: A Practical Guide

Writing a node js dockerfile and learning how to dockerize php application deployments both hinge on the same handful of decisions — base image, layer order, and what you leave out of the final image.

Jun 23, 20255 min read
Containers (Page 2) — Supply Chain Security Blog | Safeguard