Safeguard
Tag

docker

Safeguard articles tagged "docker" — guides, analysis, and best practices for software supply chain and application security.

60 articles

Container Security

Best practices for containerizing .NET applications securely

.NET 8 gave containers a built-in non-root user and chiseled images that cut one team's CVE count 92% — most Dockerfiles still don't use either.

Jul 13, 20266 min read
Container Security

Containerizing Node.js apps: an updated Docker best-practices guide

The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.

Jul 13, 20267 min read
Container Security

Docker image vulnerability scanning: best practices for CI/CD

Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.

Jul 13, 20267 min read
Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Container Security

The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)

Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.

Jul 12, 20266 min read
Container Security

Securing a Dockerized Rails Local Dev Environment

A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.

Jul 12, 20266 min read
Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Container Security

Building minimal, non-root Java containers with distroless and JVM hardening

A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.

Jul 10, 20266 min read
Container Security

Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick

Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.

Jul 8, 20265 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
Container Security

Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images

jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.

Jul 8, 20266 min read
Concepts

Container Security Fundamentals

Containers made shipping software faster, but every image is a stack of inherited software with its own attack surface. This guide covers the fundamentals: what a container really is, where the risks live, and the practices that keep images and runtimes safe.

Jul 7, 20266 min read
docker — Safeguard Blog