Safeguard
Topic

Containers

In-depth guides and analysis on containers from the Safeguard engineering team.

45 articles

Containers

Rebuilding Docker Images: When and How

Knowing how to rebuild a Docker image correctly — and when a cached layer is silently serving stale, vulnerable code — matters more than most teams realize until a patch doesn't actually land.

Jun 18, 20256 min read
Containers

Docker Scratch Images: When (and When Not) to Use Them

A docker scratch image starts from nothing — no shell, no package manager, no OS layer — which makes it the smallest possible attack surface, but only for binaries built to run without one.

Jun 17, 20255 min read
Containers

Kubernetes SecurityContext, Field by Field

SecurityContext in Kubernetes is where pod and container hardening actually lives — here's what each field controls and which defaults you should never leave in place.

Jun 11, 20255 min read
Containers

Docker Container Security: A Hardening Checklist

Most container breaches trace back to a handful of avoidable mistakes — root users, bloated images, exposed sockets, unscanned dependencies. This checklist closes them, image to runtime.

Jun 10, 20257 min read
Containers

Docker Node Alpine: When to Use the Slim Image

Node Alpine Docker images cut attack surface and pull times dramatically, but musl libc compatibility gaps mean they're not a drop-in replacement for every Node project.

Jun 5, 20256 min read
Containers

Node Docker Images: Picking the Right Base for Production

The node docker image you pick as a base determines most of your container's attack surface and size. Here's how to choose between full, slim, and alpine variants for production.

May 27, 20255 min read
Containers

Kubernetes SecurityContext Capabilities: Drop vs Add

Kubernetes securityContext capabilities let you strip Linux kernel privileges from a container instead of accepting the runtime default set — here's when to drop, when to add back, and why dropping ALL first is the right starting point.

May 14, 20255 min read
Containers

Docker Privileged Containers: `docker run` and Compose Risks

docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.

May 9, 20255 min read
Containers

Kubernetes securityContext: fsGroup and the Fields People Skip

A field-by-field walkthrough of Kubernetes securityContext — fsGroup, runAsNonRoot, and the settings teams leave at their insecure defaults.

May 6, 20255 min read
Containers

Container Vulnerability Management: The Full Lifecycle

Container vulnerability management is a lifecycle, not a scan — here's what happens from base image selection through runtime, and where most programs quietly fall apart.

May 6, 20256 min read
Containers

Secure Docker Images: A Practical Checklist

A working checklist for building secure Docker images, from base image choice through image scanning, that you can actually apply to an existing Dockerfile this week.

May 6, 20255 min read
Containers

Docker Image Scanning: How It Works and What It Finds

Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.

Apr 29, 20256 min read
Containers (Page 3) — Supply Chain Security Blog | Safeguard