container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Docker Desktop WSL2 Security Changes in 2022
Docker Desktop's WSL2 backend reshaped container security on Windows. Here is what changed in 2022 and the defects that forced those changes.
Podman vs Docker Security: What Actually Changes When You Drop the Daemon
Podman is daemonless, rootless by default, and fork-exec instead of client-server. Here is what those architectural differences mean for container security in practice.
Runtime vs Static Container Analysis: Complementary, Not Competing
Static scanning finds known vulnerabilities. Runtime analysis finds actual exploitation. Using only one gives you half the picture.
Tern: Container SBOM Generation Through Layer Analysis
A review of Tern, the open source tool that generates SBOMs by inspecting container image layers, including its strengths, limitations, and where it fits in your toolchain.
Kubernetes Admission Controllers for Supply Chain Policy
Admission controllers are the only Kubernetes enforcement point that sees every workload before it runs. That makes them the right place to enforce image provenance, signing, and SBOM policies.
Trivy vs Grype: Open Source Vulnerability Scanners Compared
A practical comparison of Trivy and Grype for vulnerability scanning, covering detection accuracy, performance, SBOM support, and real-world usage patterns.
Docker Image Layer Security Analysis: What Lurks Beneath Your Containers
Every Docker image is a stack of layers, and each one can introduce vulnerabilities. Learn how to dissect image layers for security risks and what tools actually help.
Docker Scout for Container Security Analysis: A Practical Guide
Docker Scout brings vulnerability scanning directly into the Docker CLI. Here is what it actually catches, where it falls short, and how to integrate it into your workflow.
Container Runtime Security Monitoring: Catching What Scanners Miss
Image scanning finds known vulnerabilities before deployment. Runtime monitoring catches actual exploitation, zero-days, and behavioral anomalies after deployment. You need both.
Docker Container Escape Vulnerabilities: Techniques and Defenses
Containers are not VMs. When an attacker escapes a container, they own the host — and potentially every other container running on it. Here are the escape techniques you need to defend against.
Generating SBOMs with Syft: The Complete Guide
Syft is the most popular open-source SBOM generator. Here's how to use it effectively for containers, directories, archives, and CI/CD pipelines.
Kubernetes Supply Chain Security: Best Practices for 2022
Kubernetes does not run your code — it runs container images built from layers of dependencies you may not control. Securing the K8s supply chain requires thinking beyond pod security policies.