containers
Safeguard articles tagged "containers" — guides, analysis, and best practices for software supply chain and application security.
66 articles
Kubernetes Secrets Management Done Right
A Kubernetes Secret is base64, not encryption — and by default it sits in etcd in plaintext. Here is how to actually protect credentials with encryption at rest, external secret stores, and tight RBAC.
Helm Chart Security Best Practices
Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.
Kubernetes Network Policies: A Practical Guide
By default every pod in a Kubernetes cluster can talk to every other pod. NetworkPolicies are how you replace that flat network with least-privilege segmentation — here is how to design and roll them out without breaking traffic.
Multi-Stage Docker Build Security in 2026
Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.
How to Harden a Dockerfile in 10 Practical Steps
Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.
Rolling Out Zero-CVE Base Images Org-Wide
A pragmatic playbook for migrating an entire engineering organisation onto zero-CVE base images, covering pilot selection, registry mirroring, drift control, and the hard people-side of the rollout.
Container Supply Chain Defence: Build To Run
An end-to-end view of container supply chain controls from source through registry to runtime, covering signing, attestation, admission policy, and runtime drift, with concrete checkpoints at each stage.
Kubernetes Admission Policy Real-World Deployment
What it actually takes to put Kubernetes admission policy into enforcement mode without breaking deployments: phased rollout, exception workflows, audit-mode hygiene, and policy authoring conventions that survive contact with engineers.
Container Registry Security Hardening Checklist for 2026
A concrete hardening checklist for container registries in 2026, covering authentication, signing, scanning, retention, and the operational details that actually matter.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.
Pod Supply Chain Attestation Validation
How to validate supply chain attestations at pod admission time without grinding deployments to a halt: which attestation types actually matter, how to chain verifications, and how to fail useful.
OCI Artifact Signing Rollout Program
A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.