container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.
Container security: five best practices for provenance, runtime, and network
A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.
A Practical Container Security Checklist: From Base Image to Runtime
Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.
Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared
BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.
Building minimal, non-root Java containers with distroless and JVM hardening
A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.
Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries
Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.
Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick
Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.
Aqua Security vs Prisma Cloud: A Neutral Comparison for 2026
Aqua Security and Prisma Cloud both secure cloud-native workloads, but one grew from container and runtime defense and the other from a broad platform. An honest side-by-side, plus where a third option fits.
Container Runtime Security Monitoring: Catching the Breach in Progress
Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.
Docker Layer Caching Security Risks (and How to Avoid Them)
Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security
Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.