container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Container Security Scanning in 2024: Benchmarks, Tools, and What Actually Matters
Container image scanning tools vary widely in detection rates, false positive rates, and coverage. Here is a practical assessment of the container security scanning landscape in 2024.
Kubernetes Network Policies: The Supply Chain Angle
Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.
GCP Cloud Run Supply Chain Security
A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authorization, runtime identity, and the gaps the default configuration leaves wide open.
Wolfi OS: The Linux Distribution Built for Secure Containers
Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.
Prisma Cloud Container Security: Palo Alto's Cloud Native Play
A review of Prisma Cloud's container and cloud workload security features, covering image scanning, runtime protection, compliance, and the Twistlock heritage.
What Is a Docker Container? A Practical Explanation
A Docker container is a lightweight, isolated unit that packages an app with everything it needs to run — here's what that actually means under the hood and why it matters for security.
Kubernetes CVE-2024-3177: Bypassing Mountable Secrets Policy
A medium-severity Kubernetes vulnerability allowed pods to access secrets they should not have been able to mount, undermining RBAC-based secret isolation in multi-tenant clusters.
Kubernetes Secrets Encryption Providers Reviewed
etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sharpened in 2024.
gVisor Runtime Security Deep Dive
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.
Multi-Stage Docker Builds: The Security Implications Nobody Talks About
Multi-stage builds reduce image size, but they also introduce security considerations around build secrets, layer caching, and dependency leakage.
Multi-Cloud Container Security: Building a Unified Strategy
How to maintain consistent container security across AWS, Azure, and GCP without drowning in tool sprawl and fragmented visibility.
OpenShift Security Context Constraints: A Guide
SCCs predate Pod Security Admission by a decade and are more powerful. That power is also why OpenShift newcomers find them confusing.