container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026
Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.
Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy
A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.
CTF Writeup: Container SETUID Escape Techniques
A container-local root shell is not the flag. CVE-2019-5736 and CVE-2021-4034 both show how a SETUID binary inside a container can become a host compromise.
Docker best practices for Node.js developers in 2026
Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.
Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images
jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.
Protect the Environment: How Env-Var Leakage Happens in CI/CD
One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
Hardening Amazon EKS With Native AWS Controls
AWS secures the EKS control plane and etcd — everything else, from IAM to security groups to node OS patching, is on you under the shared responsibility model.
Auto-Fix Vulnerabilities FAQ: Patching Code and Containers Automatically
How automated vulnerability fixing works across source code and container images — direct and transitive dependencies, breaking-change safety, and where human review belongs.
Container Security Fundamentals
Containers made shipping software faster, but every image is a stack of inherited software with its own attack surface. This guide covers the fundamentals: what a container really is, where the risks live, and the practices that keep images and runtimes safe.
Node.js Docker Security Best Practices
A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.
What Is Privilege Escalation? A 2026 Explainer
Privilege escalation is how a limited foothold becomes full control. This explainer covers vertical vs. horizontal paths across Linux, containers, and cloud IAM.