container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
How Snyk Container's registry integrations authenticate a...
A technical walkthrough of how Snyk Container authenticates and pulls images from ECR, ACR, GCR, and Artifactory using IAM roles, service principals, and tokens.
How Snyk Broker's Container Registry Agent scans private,...
How Snyk's Broker Container Registry Agent scans private, self-hosted registries like Artifactory and Nexus without exposing credentials or images to the cloud.
How Snyk Container prioritizes OS package vulnerabilities...
A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.
How Snyk's Docker Desktop Extension scans images before t...
How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.
How Snyk Container parses apk, deb, and rpm package datab...
How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.
How Snyk Container's automatic base image remediation PRs...
How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.
How image digest pinning strengthens container supply cha...
How SHA-256 image digests, unlike mutable tags, anchor Snyk container scans to the exact artifact that ships—and why that distinction matters for supply chain integrity.
Docker Image Labels: Metadata That Actually Matters
Docker image labels are free-form key-value metadata that, used well, drive SBOM generation, ownership tracing, and vulnerability triage — used poorly, they're just clutter in the Dockerfile.
How Snyk Container's exclude and allow policies reduce no...
Snyk Container's exclude and allow policies scope ignore rules to specific paths and layers, filtering base-image noise without hiding real application risk.
Docker Image for Node: Choosing Slim vs Full Builds
The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.
How Snyk IaC scans Kubernetes manifests and Helm charts f...
A technical walkthrough of how Snyk IaC parses Kubernetes manifests, renders Helm charts, and checks them against CIS benchmarks before deployment.
How Snyk IaC's admission-time Kubernetes scanning differs...
How Snyk IaC's static manifest scanning, the Snyk Controller's in-cluster monitoring, and true Kubernetes admission control mechanically differ — and why the gap between them matters.