container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Best container base image hardening tools
A buyer's guide to container base image hardening tools -- comparing Chainguard, Distroless, DockerSlim, Red Hat UBI, Wolfi, and Bitnami on real strengths and limitations.
Docker Hub cryptojacking campaign analysis
Safeguard tracked a six-week Docker Hub cryptojacking campaign using 41 trojanized images, delayed payloads, and base-image laundering to evade scanners.
Best container registry vulnerability scanning tools
A practical look at container registry scanning tools — evaluation criteria, six real vendors compared fairly, and how Safeguard closes the supply-chain gaps scanning alone leaves open.
Golang Docker Images: Building Them Right
How to build Golang Docker images that stay small, patch cleanly, and don't ship a compiler toolchain into production, using multi-stage builds done properly.
Writing a Container Security Policy That Actually Holds
Most container security policies get written once, ignored during the next sprint, and rediscovered during an audit — here's how to write one that engineers actually follow.
Race Conditions (TOCTOU) in Application Code
From Dirty COW to runc's CVE-2021-30465, TOCTOU race conditions keep slipping past code review. Here's why they're invisible to standard tooling — and how to catch them.
Containers Not Dropping Default Linux Capabilities
Docker grants every container 14 Linux capabilities by default. Here's why NET_RAW, SYS_CHROOT, and friends turn contained compromises into breakouts—and how to drop them safely.
Containers Running in Privileged Mode: Risks and Fixes
Docker's --privileged flag strips seccomp, AppArmor, and capability limits in one line. Here's how attackers exploit it, real CVEs, and how to lock it down.
CVE-2024-21626: runc process.cwd Container Breakout Deep ...
A technical breakdown of CVE-2024-21626, the runc process.cwd() flaw enabling container breakout to host access, with detection and remediation guidance.
Kubernetes SecurityContext: The Settings That Matter
A pod's securityContext decides whether a compromised container is contained or a launchpad. Here are the fields that actually reduce blast radius — and the copy-paste block that sets a hardened baseline.
Docker Scanners: Comparing the Image-Scanning Options
A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.
Scanning Docker Images for Vulnerabilities: How To
Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.