container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Scanning Azure Container Registry images for vulnerabilities
A step-by-step guide to enabling Azure Container Registry vulnerability scanning with Microsoft Defender for Containers, plus troubleshooting and gating deployments on scan results.
Signing container images and generating SBOMs in Azure pi...
A practical walkthrough for Azure container image signing with Notation and ACR content trust, plus generating SBOMs inside Azure DevOps pipelines.
Security best practices for Azure Container Apps and secr...
A step-by-step guide to Azure Container Apps security best practices: managed identity, Key Vault-backed secrets, network ingress, and supply chain hardening.
Hardening Google Kubernetes Engine clusters against attacks
A step-by-step guide to GKE security best practices: private clusters, Workload Identity, Shielded Nodes, Binary Authorization, and verification checks for real audits.
Enforcing signed and attested container images with Binar...
A step-by-step guide to enforcing signed, attested container images in GKE with Binary Authorization — from attestor setup to policy enforcement and troubleshooting.
How Container Threat Detection identifies runtime attacks...
How Container Threat Detection GCP watches GKE kernels for reverse shells, added binaries, and privilege escalation—and why runtime signals catch what image scanning can't.
Dirty Pipe Linux kernel arbitrary write (CVE-2022-0847)
Dirty Pipe (CVE-2022-0847) lets local attackers overwrite read-only files via a pipe buffer flaw, enabling fast, reliable root escalation on Linux and Android.
Kubernetes API server privilege escalation via aggregated API (CVE-2018-1002105)
A critical flaw in Kubernetes' aggregated API let unauthenticated users gain full admin privileges. Here's how it worked and how to fix it.
Comparing security models of GKE Autopilot versus Standar...
GKE Autopilot security vs Standard clusters draw the shared-responsibility line very differently. Here's what changes for pod security and hardening.
runc container escape via file descriptor overwrite (CVE-2019-5736)
CVE-2019-5736 let malicious containers overwrite the host runc binary and gain root — here's the mechanism, affected versions, and how to remediate it.
Implementing keyless container image signing with Cosign ...
A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.
Scanning Oracle Cloud Infrastructure Registry images for ...
A step-by-step guide to OCIR vulnerability scanning: enabling OCI's Vulnerability Scanning Service, triggering push-time scans, triaging CVEs, and signing verified images.