docker-security
Safeguard articles tagged "docker-security" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Detecting cryptomining malware in container images
Cryptomining malware like Kinsing and TeamTNT quietly hijacks container CPU cycles to mine Monero. Here's how it gets in, how to spot it, and how to stop it.
Container security for Kubernetes and Docker
A practical glossary breakdown of container security for Kubernetes and Docker: the real risks, key benchmarks, and where code-scanning tools like Checkmarx fall short.
Critical RCE via ImageMagick: hacking Docker containers
ImageTragick and CVE-2022-44268 show how one image-processing library keeps handing attackers shells and secrets inside Docker containers.
Docker CIS Benchmark: what it checks and how to pass it
A practical breakdown of what the CIS Docker Benchmark actually checks, why Trivy alone only covers part of it, and how to remediate and stay compliant.
Docker CIS Benchmark
A practical breakdown of the Docker CIS Benchmark's 100+ controls, the checks teams fail most, how Aqua Security handles compliance, and what audit failures actually cost.
What is Docker Security
Docker security spans image scanning, SBOMs, and runtime controls — see the CVEs, misconfigurations, and real breaches that show why each layer matters.
Top 5 Docker Security Vulnerabilities
Runc escapes, exposed daemons, stale base images, privileged containers, and leaked secrets: the five Docker vulnerabilities behind most real container breaches.
Docker Compliance and Scanning for Regulated Teams
Regulated teams can't treat container scanning as a one-time gate — auditors want a documented, continuous process tied to actual docker vulnerability news, not a clean scan from six months ago.
Container escape
A container escape lets attackers break out of a container into the host or other workloads. Learn how these attacks work, real CVEs, and Kubernetes risk.
Docker symlink race condition escape (CVE-2018-15664)
A TOCTOU race in Docker's docker cp symlink resolution let malicious containers write to host files as root. Impact, CVSS, and fixes inside.
runc Container Breakout via /proc/self/exe Overwrite (CVE...
CVE-2019-5736 let a malicious container overwrite the host runc binary, escaping isolation to gain root on the Docker or Kubernetes host.
Containers Not Dropping Default Linux Capabilities
Docker grants every container 14 Linux capabilities by default. Here's why NET_RAW, SYS_CHROOT, and friends turn contained compromises into breakouts—and how to drop them safely.