container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Secrets leakage in Docker images explained
How credentials get baked into Docker image layers, real incidents that exposed them, and how to detect and stop secrets leakage in container images.
A Practical Kubernetes Operator Security Checklist
Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RBAC scoping to image provenance.
Helm 2 Tiller's Default Unauthenticated gRPC Endpoint (CV...
CVE-2019-18658 shows how Helm 2's Tiller ran an unauthenticated gRPC endpoint by default, letting network-adjacent attackers seize cluster-admin control.
Project Quay Improper Access Control Exposing Private Ima...
CVE-2020-27838 exposed private container images in Project Quay due to improper access control. Here's what happened, who's affected, and how to remediate it.
Docker Vulnerability Scanners: What They Catch and Miss
Image scanners are excellent at matching OS packages and language dependencies against CVE databases — and structurally blind to config flaws, runtime behavior, and code you compiled yourself. Where the line sits.
BuildKit Build-Time Container Teardown Arbitrary File Del...
A malicious Dockerfile can exploit CVE-2024-23652 to make BuildKit delete arbitrary host files during build teardown. Here's what's affected and how to fix it.
BuildKit Mount Cache Race Condition Vulnerability (CVE-20...
CVE-2024-23651 is a high-severity BuildKit race condition that can expose host files to build containers via shared cache mounts. Here's the full breakdown.
Kubernetes and Go supply chain risk report
Kubernetes leans on thousands of Go modules. New analysis shows how typosquats and vendored code turn that dependency into real supply chain risk.
The 2019 Docker Hub Database Breach Exposing User Credent...
In April 2019, Docker Hub exposed 190,000 accounts' credentials and GitHub/Bitbucket tokens. Here's what happened, what leaked, and why it still matters for supply chain security.
Cloud-native Go services vulnerability landscape
A runc escape trilogy, a gRPC-Go bypass, and a lingering SSH auth flaw reveal how concentrated risk in Go now shapes the cloud native vulnerability landscape.
Docker Hub malicious image report
Researchers estimate roughly 3% of public Docker Hub images carry malicious payloads. Here's what's inside them, how they spread, and how to defend your pipeline.
Top vulnerable base images on Docker Hub
A look at why Docker Hub's most-pulled base images still ship hundreds of known CVEs, and how reachability analysis cuts the noise down to what's actually exploitable.