Containers
In-depth guides and analysis on containers from the Safeguard engineering team.
45 articles
Rebuilding Docker Images: When and How
Knowing how to rebuild a Docker image correctly — and when a cached layer is silently serving stale, vulnerable code — matters more than most teams realize until a patch doesn't actually land.
Docker Scratch Images: When (and When Not) to Use Them
A docker scratch image starts from nothing — no shell, no package manager, no OS layer — which makes it the smallest possible attack surface, but only for binaries built to run without one.
Kubernetes SecurityContext, Field by Field
SecurityContext in Kubernetes is where pod and container hardening actually lives — here's what each field controls and which defaults you should never leave in place.
Docker Container Security: A Hardening Checklist
Most container breaches trace back to a handful of avoidable mistakes — root users, bloated images, exposed sockets, unscanned dependencies. This checklist closes them, image to runtime.
Docker Node Alpine: When to Use the Slim Image
Node Alpine Docker images cut attack surface and pull times dramatically, but musl libc compatibility gaps mean they're not a drop-in replacement for every Node project.
Node Docker Images: Picking the Right Base for Production
The node docker image you pick as a base determines most of your container's attack surface and size. Here's how to choose between full, slim, and alpine variants for production.
Kubernetes SecurityContext Capabilities: Drop vs Add
Kubernetes securityContext capabilities let you strip Linux kernel privileges from a container instead of accepting the runtime default set — here's when to drop, when to add back, and why dropping ALL first is the right starting point.
Docker Privileged Containers: `docker run` and Compose Risks
docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.
Kubernetes securityContext: fsGroup and the Fields People Skip
A field-by-field walkthrough of Kubernetes securityContext — fsGroup, runAsNonRoot, and the settings teams leave at their insecure defaults.
Container Vulnerability Management: The Full Lifecycle
Container vulnerability management is a lifecycle, not a scan — here's what happens from base image selection through runtime, and where most programs quietly fall apart.
Secure Docker Images: A Practical Checklist
A working checklist for building secure Docker images, from base image choice through image scanning, that you can actually apply to an existing Dockerfile this week.
Docker Image Scanning: How It Works and What It Finds
Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.