Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Container Security

Alpine vs distroless: which base image is more secure

Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.

Jun 27, 20267 min read
Container Security

Scanning container images in CI/CD pipelines

Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.

Jun 27, 20267 min read
Container Security

Container isolation with namespaces, cgroups, and seccomp

Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.

Jun 27, 20266 min read
Container Security

Kubernetes Pod Security Standards explained

A breakdown of Kubernetes' Privileged, Baseline, and Restricted Pod Security Standards, how they replaced PodSecurityPolicy, and where enforcement typically fails.

Jun 26, 20267 min read
Container Security

Kubernetes securityContext settings guide

A field-by-field guide to Kubernetes securityContext: which settings stop container breakouts, how to enforce them cluster-wide, and how to audit gaps.

Jun 26, 20266 min read
Container Security

Kubernetes RBAC best practices

RBAC drift and over-broad bindings are the top cause of Kubernetes lateral movement. Six concrete, question-first practices to lock down access before it's exploited.

Jun 26, 20267 min read
Container Security

Kubernetes network policies for zero trust

Kubernetes network policies default to allow-all. Here is how default-deny rules, CNI enforcement, and policy testing build real zero-trust segmentation.

Jun 26, 20267 min read
Container Security

Securing Kubernetes Secrets management

Base64 isn't encryption. Here's how Kubernetes Secrets actually get exposed, and the encryption, RBAC, and rotation controls that fix it.

Jun 25, 20266 min read
Container Security

Kubernetes admission controllers for security

How Kubernetes admission controllers work, why defaults leave clusters exposed, and how Pod Security Admission, OPA Gatekeeper, and Kyverno close the gap.

Jun 25, 20266 min read
Container Security

Lessons from the CNCF Kubernetes security audit

The 2019 CNCF Kubernetes security audit found 37 issues rooted in insecure defaults. Here's what it uncovered and what still applies today.

Jun 25, 20267 min read
Container Security

Runtime security tools for Kubernetes clusters

A concrete look at Kubernetes runtime security tools — Falco, Tetragon, Tracee, eBPF, and recent CVEs — and what to check before you buy one.

Jun 25, 20267 min read
Container Security

Helm chart security scanning

Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.

Jun 24, 20267 min read
container-security (Page 6) — Safeguard Blog