Safeguard
Tag

containers

Safeguard articles tagged "containers" — guides, analysis, and best practices for software supply chain and application security.

66 articles

Container Security

Kubernetes Secrets Management Done Right

A Kubernetes Secret is base64, not encryption — and by default it sits in etcd in plaintext. Here is how to actually protect credentials with encryption at rest, external secret stores, and tight RBAC.

Jul 2, 20265 min read
Container Security

Helm Chart Security Best Practices

Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.

Jul 1, 20266 min read
Container Security

Kubernetes Network Policies: A Practical Guide

By default every pod in a Kubernetes cluster can talk to every other pod. NetworkPolicies are how you replace that flat network with least-privilege segmentation — here is how to design and roll them out without breaking traffic.

Jul 1, 20265 min read
Container Security

Multi-Stage Docker Build Security in 2026

Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.

Apr 21, 20267 min read
Guides

How to Harden a Dockerfile in 10 Practical Steps

Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.

Apr 20, 20266 min read
Container Security

Rolling Out Zero-CVE Base Images Org-Wide

A pragmatic playbook for migrating an entire engineering organisation onto zero-CVE base images, covering pilot selection, registry mirroring, drift control, and the hard people-side of the rollout.

Apr 11, 20267 min read
Container Security

Container Supply Chain Defence: Build To Run

An end-to-end view of container supply chain controls from source through registry to runtime, covering signing, attestation, admission policy, and runtime drift, with concrete checkpoints at each stage.

Apr 7, 20267 min read
Container Security

Kubernetes Admission Policy Real-World Deployment

What it actually takes to put Kubernetes admission policy into enforcement mode without breaking deployments: phased rollout, exception workflows, audit-mode hygiene, and policy authoring conventions that survive contact with engineers.

Apr 3, 20267 min read
Container Security

Container Registry Security Hardening Checklist for 2026

A concrete hardening checklist for container registries in 2026, covering authentication, signing, scanning, retention, and the operational details that actually matter.

Apr 2, 20265 min read
Container Security

Docker BuildKit Security Best Practices for 2026

BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.

Apr 2, 20266 min read
Container Security

Pod Supply Chain Attestation Validation

How to validate supply chain attestations at pod admission time without grinding deployments to a halt: which attestation types actually matter, how to chain verifications, and how to fail useful.

Mar 29, 20267 min read
Container Security

OCI Artifact Signing Rollout Program

A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.

Mar 24, 20267 min read
containers (Page 2) — Safeguard Blog