Safeguard
Tag

containers

Safeguard articles tagged "containers" — guides, analysis, and best practices for software supply chain and application security.

66 articles

AI Security

AI-Generated Dockerfile Vulnerability Patterns

LLM-generated Dockerfiles repeat the same six or seven mistakes. Here is the pattern catalog and how to catch them before they ship.

Feb 18, 20267 min read
Container Security

Container Breakout Class Vulnerabilities 2024-2025

A look at the container breakout vulnerabilities disclosed in 2024 and 2025, what they actually required to exploit, and what that pattern tells us about the defense model.

Feb 11, 20267 min read
Container Security

Fargate/ECS Container Supply Chain Pitfalls

The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.

Feb 6, 20267 min read
Container Security

Container Runtime Showdown: runc vs crun vs gVisor in 2026

A practical comparison of runc, crun, and gVisor across performance, isolation, and operational fit, with concrete guidance on when each runtime earns its place in production.

Feb 4, 20265 min read
Container Security

OCI + CNCF Image Supply Chain: 2026 Snapshot

Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.

Feb 3, 20267 min read
AI Security

Sandboxing LLM Agent Code Execution: Patterns

If your agent can execute code, something it reads from the internet can execute code. Pick your sandbox before the agent picks one for you.

Jan 29, 20267 min read
Container Security

Cilium Tetragon Runtime Security with eBPF

A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.

Jan 26, 20267 min read
Container Security

Container Security Best Practices Checklist 2026

A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.

Jan 22, 20265 min read
Container Security

Cosign for Container Signing: A Production Setup

A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.

Jan 22, 20267 min read
Container Security

Distroless vs. Chainguard vs. Wolfi: Real Differences

A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.

Jan 19, 20266 min read
Vulnerability Response

CVE-2025-31133 in runc: Patch Posture & SBOM Response

runc container-escape via /proc mount manipulation affects Docker, Kubernetes, and every CRI runtime. Defender playbook below.

Nov 19, 20257 min read
SBOM

Container SBOM Generation: Best Practices for 2025

Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accurate SBOMs for containerized applications.

Oct 1, 20256 min read
containers (Page 4) — Safeguard Blog