buildkit
Safeguard articles tagged "buildkit" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared
BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.
Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick
Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.
Docker Layer Caching Security Risks (and How to Avoid Them)
Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.
Docker Secrets Management: Stop Baking Credentials Into Images
A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.
BuildKit Privileged Entitlement Check Bypass Enabling Hos...
CVE-2024-23653 lets malicious Dockerfiles bypass BuildKit's privileged entitlement check via the interactive containers API, escaping to the host.
BuildKit Build-Time Container Teardown Arbitrary File Del...
A malicious Dockerfile can exploit CVE-2024-23652 to make BuildKit delete arbitrary host files during build teardown. Here's what's affected and how to fix it.
BuildKit Mount Cache Race Condition Vulnerability (CVE-20...
CVE-2024-23651 is a high-severity BuildKit race condition that can expose host files to build containers via shared cache mounts. Here's the full breakdown.
Dagger.io Supply Chain Pipelines
Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.
BuildKit Cache Security Considerations for Container Builds
BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.
BuildKit and Buildah: Building Containers Without Giving Away the Keys
Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.