Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Best Practices

Container Security Best Practices for 2025: Beyond Image Scanning

Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.

Dec 1, 20247 min read
Container Security

Kata Containers Security Model Review

Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.

Nov 14, 20246 min read
Container Security

GCP Binary Authorization Policy Patterns

Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.

Sep 28, 20247 min read
Container Security

Kubernetes 1.30 and 1.31 Security Rundown

ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.

Sep 20, 20245 min read
Container Security

CRI-O vs containerd: Security Comparison

Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.

Aug 22, 20246 min read
Cloud Security

Kubernetes 1.31 Security Improvements: What You Need to Know

Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refined pod security controls, and better secret management.

Aug 15, 20247 min read
Product

Deep Dive: Safeguard Container Scanning

Container images are supply chain artifacts. Safeguard's container scanning analyzes every layer -- base images, OS packages, and application dependencies -- for a complete risk picture.

Aug 15, 20246 min read
SBOM & Compliance

Cosign Verification Policies in Production

Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.

Jul 30, 20246 min read
Container Security

Rancher Cluster Security Hardening

Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.

Jul 30, 20247 min read
Container Security

AWS ECR Image Signing in Production

Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.

Jul 22, 20247 min read
Container Security

Firecracker micro-VM Security Model

AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.

Jun 28, 20246 min read
Container Security

containerd Security Configuration Guide

containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.

May 12, 20246 min read
container-security (Page 29) — Safeguard Blog