Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
Container Security

Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy

A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.

Jul 8, 20265 min read
Container Security

CTF Writeup: Container SETUID Escape Techniques

A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.

Jul 8, 20266 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
Container Security

Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images

jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.

Jul 8, 20266 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
Container Security

Building a minimal, multi-stage, non-root Dockerfile for PHP

The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.

Jul 8, 20267 min read
Kubernetes Security

Hardening Amazon EKS With Native AWS Controls

AWS secures the EKS control plane and etcd — everything else, from IAM to security groups to node OS patching, is on you under the shared responsibility model.

Jul 8, 20267 min read
FAQ

Auto-Fix Vulnerabilities FAQ: Patching Code and Containers Automatically

How automated vulnerability fixing works across source code and container images — direct and transitive dependencies, breaking-change safety, and where human review belongs.

Jul 7, 20265 min read
Concepts

Container Security Fundamentals

Containers made shipping software faster, but every image is a stack of inherited software with its own attack surface. This guide covers the fundamentals: what a container really is, where the risks live, and the practices that keep images and runtimes safe.

Jul 7, 20266 min read
Security Guides

Node.js Docker Security Best Practices

A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.

Jul 7, 20265 min read
Vulnerability Guides

What Is Privilege Escalation? A 2026 Explainer

Privilege escalation is how a limited foothold becomes full control. This explainer covers vertical vs. horizontal paths across Linux, containers, and cloud IAM.

Jul 7, 20265 min read
container-security (Page 3) — Safeguard Blog