Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Containers

Docker Node Alpine: When to Use the Slim Image

Node Alpine Docker images cut attack surface and pull times dramatically, but musl libc compatibility gaps mean they're not a drop-in replacement for every Node project.

Jun 5, 20256 min read
Containers

Node Docker Images: Picking the Right Base for Production

The node docker image you pick as a base determines most of your container's attack surface and size. Here's how to choose between full, slim, and alpine variants for production.

May 27, 20255 min read
Containers

Docker Privileged Containers: `docker run` and Compose Risks

docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.

May 9, 20255 min read
Containers

Kubernetes securityContext: fsGroup and the Fields People Skip

A field-by-field walkthrough of Kubernetes securityContext — fsGroup, runAsNonRoot, and the settings teams leave at their insecure defaults.

May 6, 20255 min read
Containers

Docker Image Scanning: How It Works and What It Finds

Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.

Apr 29, 20256 min read
Containers

Docker Security Concerns: The Real List

Docker security concerns that actually cause incidents are narrower than most checklists suggest — root-by-default containers, exposed daemon sockets, and unpatched base images account for most real-world breaches.

Apr 23, 20255 min read
Containers

Dockerfile Best Practices: Security, Size, and Build Speed

Most Dockerfiles are copy-pasted from a tutorial and never revisited. Here's what actually shrinks image size, closes the common security holes, and speeds up rebuilds.

Apr 14, 20255 min read
Containers

cAdvisor: Container Resource Monitoring, Explained

cAdvisor gives you per-container CPU, memory, network, and filesystem metrics out of the box — here's what it actually measures, how it fits with Prometheus and Kubernetes, and where its limits show up.

Mar 18, 20255 min read
Containers

Docker and Container Security Best Practices: A Combined Checklist

A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.

Mar 18, 20255 min read
Containers

Node.js in Docker: Choosing and Securing Your Base Image

The Docker Node base image you pick decides your CVE count before you write a line of code. Here is how to choose between Debian, slim, and Alpine — and harden whichever you pick.

Mar 12, 20257 min read
Containers

"New Tag Scanned": What Container Registries Mean By It

A plain explanation of what the "new tag scanned" event actually means in registries like GHCR, ECR, and Docker Hub, and what to do when it flags a vulnerability.

Mar 11, 20255 min read
Engineering

Container Image Digests vs Tags: Why Pinning Matters

A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.

Feb 16, 20256 min read
container-security (Page 28) — Safeguard Blog