container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Docker Node Alpine: When to Use the Slim Image
Node Alpine Docker images cut attack surface and pull times dramatically, but musl libc compatibility gaps mean they're not a drop-in replacement for every Node project.
Node Docker Images: Picking the Right Base for Production
The node docker image you pick as a base determines most of your container's attack surface and size. Here's how to choose between full, slim, and alpine variants for production.
Docker Privileged Containers: `docker run` and Compose Risks
docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.
Kubernetes securityContext: fsGroup and the Fields People Skip
A field-by-field walkthrough of Kubernetes securityContext — fsGroup, runAsNonRoot, and the settings teams leave at their insecure defaults.
Docker Image Scanning: How It Works and What It Finds
Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.
Docker Security Concerns: The Real List
Docker security concerns that actually cause incidents are narrower than most checklists suggest — root-by-default containers, exposed daemon sockets, and unpatched base images account for most real-world breaches.
Dockerfile Best Practices: Security, Size, and Build Speed
Most Dockerfiles are copy-pasted from a tutorial and never revisited. Here's what actually shrinks image size, closes the common security holes, and speeds up rebuilds.
cAdvisor: Container Resource Monitoring, Explained
cAdvisor gives you per-container CPU, memory, network, and filesystem metrics out of the box — here's what it actually measures, how it fits with Prometheus and Kubernetes, and where its limits show up.
Docker and Container Security Best Practices: A Combined Checklist
A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.
Node.js in Docker: Choosing and Securing Your Base Image
The Docker Node base image you pick decides your CVE count before you write a line of code. Here is how to choose between Debian, slim, and Alpine — and harden whichever you pick.
"New Tag Scanned": What Container Registries Mean By It
A plain explanation of what the "new tag scanned" event actually means in registries like GHCR, ECR, and Docker Hub, and what to do when it flags a vulnerability.
Container Image Digests vs Tags: Why Pinning Matters
A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.