Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Containers

Docker Privileged Mode: What It Unlocks and Why to Avoid It

One flag, --privileged, hands a container almost the same power as root on the host. Here is exactly what it turns on, why it breaks isolation, and the narrow capabilities that replace it.

Sep 16, 20256 min read
Container Security

How Snyk Container detects a Dockerfile's base image with...

Snyk Container identifies a Dockerfile's true base image by comparing layer digests against a registry database, no docker run required.

Sep 8, 20258 min read
Buyer's Guides

How Snyk Container recommends minor, major, and alternati...

A mechanical look at how Snyk Container ranks minor, major, and alternative base image upgrades using vulnerability counts and registry metadata.

Sep 7, 20256 min read
Container Security

How Snyk Container maps vulnerabilities to specific image...

How Snyk Container uses OCI manifest metadata, diff_ids, and Dockerfile history to trace a vulnerable package to the exact layer and build instruction that introduced it.

Sep 7, 20258 min read
Container Security

How Snyk Container's Base Image filter isolates OS-level ...

How Snyk Container's Base Image filter separates OS-level vulnerabilities from application dependencies, how it identifies base images, and where attribution breaks down.

Sep 7, 20257 min read
Container Security

How Snyk Container scans distroless and minimal (Wolfi-st...

Distroless and Wolfi-style images strip out package managers, breaking traditional scanners. Here's how Snyk Container identifies vulnerable packages anyway.

Sep 7, 20258 min read
Container Security

How Snyk Container's static filesystem analysis avoids th...

How Snyk Container inspects image layers, package databases, and lockfiles without ever running the container — and where static filesystem analysis hits its limits.

Sep 6, 20258 min read
Open Source Security

How Snyk Container detects application-level dependencies...

A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.

Sep 6, 20257 min read
Container Security

How Snyk Container integrates with Kubernetes workloads f...

How Snyk Container's Kubernetes integration uses a read-only controller to continuously re-check running workload images as new CVEs are disclosed.

Sep 6, 20257 min read
Container Security

How Snyk Container handles multi-stage Docker builds duri...

How Snyk Container identifies base images, attributes vulnerabilities to Dockerfile instructions, and scopes scans across multi-stage Docker builds.

Sep 6, 20257 min read
Cloud Security

CNAPPs in 2025: What Cloud-Native Application Protection Platforms Actually Protect

CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities. A clear-eyed look at what CNAPPs do, where they fall short, and how supply chain security fits in.

Sep 5, 20257 min read
SBOM

How Snyk Container generates a Software Bill of Materials...

How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.

Sep 5, 20257 min read
container-security (Page 24) — Safeguard Blog