Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Container Security

Container-handling security fundamentals: immutability, signing, and privilege drops

Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.

Jul 11, 20267 min read
Container Security

Container security: five best practices for provenance, runtime, and network

A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.

Jul 11, 20266 min read
Container Security

A Practical Container Security Checklist: From Base Image to Runtime

Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.

Jul 10, 20266 min read
Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Container Security

Building minimal, non-root Java containers with distroless and JVM hardening

A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.

Jul 10, 20266 min read
Kubernetes Security

Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries

Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.

Jul 10, 20267 min read
Container Security

Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick

Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.

Jul 8, 20265 min read
Buyer's Guides

Aqua Security vs Prisma Cloud: A Neutral Comparison for 2026

Aqua Security and Prisma Cloud both secure cloud-native workloads, but one grew from container and runtime defense and the other from a broad platform. An honest side-by-side, plus where a third option fits.

Jul 8, 20266 min read
Container Security

Container Runtime Security Monitoring: Catching the Breach in Progress

Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.

Jul 8, 20265 min read
Container Security

Docker Layer Caching Security Risks (and How to Avoid Them)

Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.

Jul 8, 20266 min read
Container Security

Automating container image vulnerability scans in GitHub Actions

A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.

Jul 8, 20266 min read
Best Practices

The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security

Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.

Jul 8, 20267 min read
container-security (Page 2) — Safeguard Blog