container-security
Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.
385 articles
Docker Hub malicious image detection
Docker Hub's open upload model has enabled real cryptojacking and phishing campaigns — here's how attackers hide malware in images and how to detect them.
Securing serverless containers on Fargate and Cloud Run
No SSH, no DaemonSets, no host agents. Here's how Firecracker and gVisor isolation change container security on Fargate and Cloud Run — and what still gets you breached.
Reducing CVEs in container base images
Base images inherit hundreds of OS-level CVEs your app never touches. Here's how reachability analysis and minimal bases cut real risk, not just counts.
Deep visibility into hardened/minimal container images (d...
Distroless images strip the package managers most scanners rely on. Here's how Safeguard achieves deep visibility into hardened images, compared to Black Duck's SCA heritage.
Best CNAPP Platforms in 2026: An Honest Buyer's Guide
An honest, opinionated guide to the best CNAPP platforms in 2026 — Wiz, Prisma Cloud, Microsoft Defender for Cloud, CrowdStrike, Aqua, Orca, and Sysdig — plus where the cloud-native security category is heading on AI-SPM, runtime, and supply chain.
Best Container Scanning Tools in 2026: An Honest Buyer's Guide
An honest guide to the best container scanning tools in 2026 — from open-source scanners like Trivy and Grype to cloud-context platforms like Wiz and Aqua — with clear guidance on which fits your CI/CD pipeline, registry, and runtime.
Best Container Base Images for Security in 2026
Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.
Vulnerability scanning tools and techniques compared
A verifiable comparison of Safeguard and JFrog Xray on scan coverage, data sourcing, reachability analysis, and CI/CD integration for vulnerability scanning.
Top container security tools to evaluate
Comparing Safeguard and Mend.io on the dimensions that actually matter for container security: scanning engine transparency, air-gapped support, registry coverage, and product origin.
CVE-2026-42945: A Buffer Overflow in NGINX's Rewrite Module Reaches Into Your Kubernetes Clusters (May 2026)
Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.
The 4 best DevSecOps tools for a secure DevOps workflow
The 4 DevSecOps tool categories a secure pipeline needs — SCA, SAST, container/IaC scanning, secrets scanning — with real incidents and fixes.
CNAPP Security: What It Actually Covers
CNAPP bundles CSPM, CWPP, and vulnerability scanning under one label, but the exact scope varies widely by vendor — here's what a genuine CNAPP platform actually needs to cover.