Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Buyer's Guides

Best container base image hardening tools

A buyer's guide to container base image hardening tools -- comparing Chainguard, Distroless, DockerSlim, Red Hat UBI, Wolfi, and Bitnami on real strengths and limitations.

Nov 8, 20259 min read
Incident Analysis

Docker Hub cryptojacking campaign analysis

Safeguard tracked a six-week Docker Hub cryptojacking campaign using 41 trojanized images, delayed payloads, and base-image laundering to evade scanners.

Nov 5, 20257 min read
Buyer's Guides

Best container registry vulnerability scanning tools

A practical look at container registry scanning tools — evaluation criteria, six real vendors compared fairly, and how Safeguard closes the supply-chain gaps scanning alone leaves open.

Nov 4, 20258 min read
Containers

Golang Docker Images: Building Them Right

How to build Golang Docker images that stay small, patch cleanly, and don't ship a compiler toolchain into production, using multi-stage builds done properly.

Nov 4, 20256 min read
Containers

Writing a Container Security Policy That Actually Holds

Most container security policies get written once, ignored during the next sprint, and rediscovered during an audit — here's how to write one that engineers actually follow.

Nov 3, 20255 min read
Industry Analysis

Race Conditions (TOCTOU) in Application Code

From Dirty COW to runc's CVE-2021-30465, TOCTOU race conditions keep slipping past code review. Here's why they're invisible to standard tooling — and how to catch them.

Oct 29, 20257 min read
Container Security

Containers Not Dropping Default Linux Capabilities

Docker grants every container 14 Linux capabilities by default. Here's why NET_RAW, SYS_CHROOT, and friends turn contained compromises into breakouts—and how to drop them safely.

Oct 28, 20257 min read
Container Security

Containers Running in Privileged Mode: Risks and Fixes

Docker's --privileged flag strips seccomp, AppArmor, and capability limits in one line. Here's how attackers exploit it, real CVEs, and how to lock it down.

Oct 28, 20257 min read
Vulnerability Analysis

CVE-2024-21626: runc process.cwd Container Breakout Deep ...

A technical breakdown of CVE-2024-21626, the runc process.cwd() flaw enabling container breakout to host access, with detection and remediation guidance.

Oct 28, 20257 min read
Containers

Kubernetes SecurityContext: The Settings That Matter

A pod's securityContext decides whether a compromised container is contained or a launchpad. Here are the fields that actually reduce blast radius — and the copy-paste block that sets a hardened baseline.

Oct 21, 20256 min read
Containers

Docker Scanners: Comparing the Image-Scanning Options

A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.

Sep 17, 20255 min read
Containers

Scanning Docker Images for Vulnerabilities: How To

Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.

Sep 16, 20255 min read
container-security (Page 23) — Safeguard Blog