container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
A guide to modern vulnerability scanning
Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.
gVisor vs Firecracker in 2026: Choosing a Sandbox for Untrusted Workloads
A side-by-side comparison of gVisor and Firecracker for sandboxing untrusted code in 2026, covering security model, performance, and operational complexity.
Streamlining the vulnerability management lifecycle
Most teams find CVEs fast but fix them slowly. Here's why the vulnerability management lifecycle breaks down after scanning — and how to close the gap.
How to lower FedRAMP certification costs
FedRAMP authorizations cost $250K-$3M and take 12-18 months. See where that spend actually goes, how Chainguard's hardened images fit in, and how to cut costs.
FedRAMP vulnerability scanning requirements explained
FedRAMP mandates monthly vulnerability scans and 30-day remediation windows. Here's what Rev 5 requires, and why minimal images like Chainguard's don't exempt you.
Simplify PCI DSS 4.0 compliance with hardened containers
PCI DSS 4.0's 30-day patch clock is brutal for container-heavy CDEs. Here's how hardened, minimal images cut CVE noise and make audits defensible.
CMMC 2.0 compliance for containerized workloads
CMMC 2.0 enforcement is phasing in through 2028. Hardened container images help, but 35+ of 110 NIST 800-171 controls need continuous evidence Chainguard's approach doesn't cover.
SOC 2 and the hardened software supply chain
SOC 2 attests to internal controls, not to whether a hardened image or build pipeline is secure. Here is how Chainguard's approach fits, and what it does not cover.
Wolfi: the community Linux 'undistro'
Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.
Container Image Supply Chain: From Dockerfile to Production
Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.
apko and melange: declarative container build tools
How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.
How Syft scans software to generate SBOMs (under-the-hood...
A deep look at Syft's under-the-hood scanning mechanics — catalogers, binary classifiers, layer squashing, and SBOM formats — and where the single-scan model breaks down at fleet scale.