docker-security
Safeguard articles tagged "docker-security" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Minimal, Non-Root Docker Images for Python: A Best-Practices Guide
CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.
Docker Layer Caching Security Risks (and How to Avoid Them)
Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.
Minimal Base Images for Security: A Practical Guide
Minimal base images cut CVE counts by up to 95% by shipping only what your app needs. Here is how to choose between distroless, Wolfi, Alpine, and scratch — and build on each safely.
Alpine vs Debian Base Image Security: Which Is Safer?
Alpine is tiny and dodged the xz backdoor; Debian has deeper security tracking and broader compatibility. Here is how the two base images actually compare on security — and how to harden either one.
Scanning Docker Images in CI/CD Pipelines
Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.
Reducing the Attack Surface of Your Docker Images
Every binary, library, and shell in a Docker image is attack surface. Here is how to strip an image down to the bytes your app actually needs — and cut your CVE count by up to 95%.
Docker Security Pro Tips: Hardening Beyond the Basics
You already use a non-root user and a slim base. These are the pro-level Docker hardening tips — read-only filesystems, dropped capabilities, and the docker.sock trap — that actually stop breakouts.
Docker Image Security Best Practices
Every Docker layer you ship is attack surface you have to defend. Learn how to build lean, non-root, secret-free images that survive a registry scan and a real audit.
How to Containerize a Node.js App Securely
The default Node.js Dockerfile runs as root, ships dev dependencies, and bakes secrets into layers. Here is a secure, multi-stage build you can copy, step by step.
10 Docker image security best practices
Ten concrete Docker image security practices — minimal base images, secret handling, reachability-based scanning, non-root runtimes, and SBOMs — with real CVEs and data.
Detecting vulnerabilities in multi-stage Docker builds
Multi-stage Docker builds hide vulnerabilities, leaked secrets, and untracked dependencies in discarded layers. Here's what final-image scans miss and how to catch it.
Keeping Docker secrets secure without Kubernetes
Docker ships with tmpfs-backed Swarm secrets, BuildKit secret mounts, and Compose file secrets — here's how to use them without Kubernetes.