container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Alpine vs distroless: which base image is more secure
Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.
Scanning container images in CI/CD pipelines
Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.
Container isolation with namespaces, cgroups, and seccomp
Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.
Kubernetes Pod Security Standards explained
A breakdown of Kubernetes' Privileged, Baseline, and Restricted Pod Security Standards, how they replaced PodSecurityPolicy, and where enforcement typically fails.
Kubernetes securityContext settings guide
A field-by-field guide to Kubernetes securityContext: which settings stop container breakouts, how to enforce them cluster-wide, and how to audit gaps.
Kubernetes RBAC best practices
RBAC drift and over-broad bindings are the top cause of Kubernetes lateral movement. Six concrete, question-first practices to lock down access before it's exploited.
Kubernetes network policies for zero trust
Kubernetes network policies default to allow-all. Here is how default-deny rules, CNI enforcement, and policy testing build real zero-trust segmentation.
Securing Kubernetes Secrets management
Base64 isn't encryption. Here's how Kubernetes Secrets actually get exposed, and the encryption, RBAC, and rotation controls that fix it.
Kubernetes admission controllers for security
How Kubernetes admission controllers work, why defaults leave clusters exposed, and how Pod Security Admission, OPA Gatekeeper, and Kyverno close the gap.
Lessons from the CNCF Kubernetes security audit
The 2019 CNCF Kubernetes security audit found 37 issues rooted in insecure defaults. Here's what it uncovered and what still applies today.
Runtime security tools for Kubernetes clusters
A concrete look at Kubernetes runtime security tools — Falco, Tetragon, Tracee, eBPF, and recent CVEs — and what to check before you buy one.
Helm chart security scanning
Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.