containers
Safeguard articles tagged "containers" — guides, analysis, and best practices for software supply chain and application security.
66 articles
AI-Generated Dockerfile Vulnerability Patterns
LLM-generated Dockerfiles repeat the same six or seven mistakes. Here is the pattern catalog and how to catch them before they ship.
Container Breakout Class Vulnerabilities 2024-2025
A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.
Fargate/ECS Container Supply Chain Pitfalls
The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.
Container Runtime Showdown: runc vs crun vs gVisor in 2026
A practical comparison of runc, crun, and gVisor across performance, isolation, and operational fit, with concrete guidance on when each runtime earns its place in production.
OCI + CNCF Image Supply Chain: 2026 Snapshot
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
Sandboxing LLM Agent Code Execution: Patterns
If your agent can execute code, something it reads from the internet can execute code. Pick your sandbox before the agent picks one for you.
Cilium Tetragon Runtime Security with eBPF
A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.
Container Security Best Practices Checklist 2026
A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
Distroless vs. Chainguard vs. Wolfi: Real Differences
A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.
CVE-2025-31133 in runc: Patch Posture & SBOM Response
runc container-escape via /proc mount manipulation affects Docker, Kubernetes, and every CRI runtime. Defender playbook below.
Container SBOM Generation: Best Practices for 2025
Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accurate SBOMs for containerized applications.