Safeguard
Tag

buildkit

Safeguard articles tagged "buildkit" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Container Security

Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick

Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.

Jul 8, 20265 min read
Container Security

Docker Layer Caching Security Risks (and How to Avoid Them)

Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.

Jul 8, 20266 min read
Container Security

Docker Secrets Management: Stop Baking Credentials Into Images

A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.

Jul 6, 20266 min read
Container Security

Docker BuildKit Security Best Practices for 2026

BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.

Apr 2, 20266 min read
Vulnerability Analysis

BuildKit Privileged Entitlement Check Bypass Enabling Hos...

CVE-2024-23653 lets malicious Dockerfiles bypass BuildKit's privileged entitlement check via the interactive containers API, escaping to the host.

Nov 20, 20258 min read
Vulnerability Analysis

BuildKit Build-Time Container Teardown Arbitrary File Del...

A malicious Dockerfile can exploit CVE-2024-23652 to make BuildKit delete arbitrary host files during build teardown. Here's what's affected and how to fix it.

Nov 20, 20257 min read
Vulnerability Analysis

BuildKit Mount Cache Race Condition Vulnerability (CVE-20...

CVE-2024-23651 is a high-severity BuildKit race condition that can expose host files to build containers via shared cache mounts. Here's the full breakdown.

Nov 20, 20258 min read
DevSecOps

Dagger.io Supply Chain Pipelines

Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.

Sep 18, 20246 min read
Container Security

BuildKit Cache Security Considerations for Container Builds

BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.

Apr 12, 20245 min read
Container Security

BuildKit and Buildah: Building Containers Without Giving Away the Keys

Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.

Mar 12, 20236 min read
buildkit — Safeguard Blog