container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
How to reduce alert fatigue from vulnerability scanners
Container scanners like Trivy can return thousands of CVE findings per scan. Here's why most are noise, and how reachability and exploit data cut the list to what matters.
Open Source Container Security: A Practical Guide
You can build a solid container security stack entirely from open source tools — here's which ones cover which layer, and where the gaps show up at scale.
Announcing Kubernetes workload protection in Snyk Container
Snyk added Kubernetes workload protection to Snyk Container. Here's what it does, why it matters now, and what security teams should ask before relying on it.
SBOM for Containers: 2026 Buyer's Guide
How to generate, manage, and act on SBOMs for containers in 2026: tool comparison, layered SBOMs, signing, and runtime drift detection.
Image Scanning
How container image scanning works, where tools like Aqua Security's Trivy fall short on noise and reachability, and what modern scanning workflows require.
Container Registry Scanning
How container registry scanning actually works, why Aqua's Trivy isn't enough on its own, what the xz-utils backdoor exposed, and how Safeguard prioritizes findings that matter.
Docker CIS Benchmark
A practical breakdown of the Docker CIS Benchmark's 100+ controls, the checks teams fail most, how Aqua Security handles compliance, and what audit failures actually cost.
Kubernetes CIS Benchmark
CIS Kubernetes Benchmark controls, common failure patterns, how Aqua Security's kube-bench fits in, and how continuous, supply-chain-aware scanning closes the gaps a point-in-time scan leaves open.
Kubernetes Secrets
Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.
eBPF in Kubernetes
eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.
Tracking Kubernetes CVEs in 2026: A Practical Method
Kubernetes CVE news moves fast across control plane, kubelet, and CNI components — here's a repeatable method for tracking what actually applies to your cluster.
Trivy (Open Source Scanner)
Trivy is free and fast, but Aqua Security built it as a funnel to its paid CNAPP. Here's what the open-source scanner misses and how Safeguard closes the gap.