docker-security
Safeguard articles tagged "docker-security" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Containers Running in Privileged Mode: Risks and Fixes
Docker's --privileged flag strips seccomp, AppArmor, and capability limits in one line. Here's how attackers exploit it, real CVEs, and how to lock it down.
Docker Privileged Mode: What It Unlocks and Why to Avoid It
One flag, --privileged, hands a container almost the same power as root on the host. Here is exactly what it turns on, why it breaks isolation, and the narrow capabilities that replace it.
How Snyk Container detects a Dockerfile's base image with...
Snyk Container identifies a Dockerfile's true base image by comparing layer digests against a registry database, no docker run required.
How Snyk's Docker Desktop Extension scans images before t...
How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.
Docker Image for Node: Choosing Slim vs Full Builds
The default node image on Docker Hub ships a full Debian userland most services never touch — knowing when slim, alpine, or distroless actually pays off keeps builds smaller without breaking native modules.
Why Container Registries Are an Underexamined Supply Chai...
Registries decide what code actually runs in production, yet most security programs treat them as passive storage. Here's why that's a costly blind spot.
Node Docker Images: Picking the Right Base for Production
The node docker image you pick as a base determines most of your container's attack surface and size. Here's how to choose between full, slim, and alpine variants for production.
Docker and Container Security Best Practices: A Combined Checklist
A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.
Container Image Vulnerability Scanning in CI
How to wire container image vulnerability scanning into your CI pipeline so builds fail on real risk instead of shipping unscanned images to production.