container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Container Security Best Practices for 2025: Beyond Image Scanning
Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.
Kata Containers Security Model Review
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
GCP Binary Authorization Policy Patterns
Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.
Kubernetes 1.30 and 1.31 Security Rundown
ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.
CRI-O vs containerd: Security Comparison
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
Kubernetes 1.31 Security Improvements: What You Need to Know
Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refined pod security controls, and better secret management.
Deep Dive: Safeguard Container Scanning
Container images are supply chain artifacts. Safeguard's container scanning analyzes every layer -- base images, OS packages, and application dependencies -- for a complete risk picture.
Cosign Verification Policies in Production
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
Rancher Cluster Security Hardening
Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.
AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
Firecracker micro-VM Security Model
AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.
containerd Security Configuration Guide
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.