docker
Safeguard articles tagged "docker" — guides, analysis, and best practices for software supply chain and application security.
60 articles
Node.js Docker Security Best Practices
A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.
Reducing Docker image build time without sacrificing security
Multi-stage builds and minimal base images can cut CI build times dramatically — and they're the same changes that shrink your CVE attack surface.
Docker Secrets Management: Stop Baking Credentials Into Images
A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.
Container Security for Beginners: Keeping Your Docker Images Safe
Containers made shipping software wonderfully simple, but they also package up whatever risks come along for the ride. Here is a beginner-friendly introduction with a first image scan you can run today.
How to Scan a Container Image for Vulnerabilities
Scan any Docker or OCI image for OS-package and application-layer vulnerabilities, understand the results, and gate risky images before they reach your registry — with copy-paste commands.
Docker Image Security Best Practices
Every Docker layer you ship is attack surface you have to defend. Learn how to build lean, non-root, secret-free images that survive a registry scan and a real audit.
Multi-Stage Docker Build Security in 2026
Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.
How to Harden a Dockerfile in 10 Practical Steps
Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.
Container Image Supply Chain: From Dockerfile to Production
Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.
Dev Containers Security Baseline for 2026
A practical security baseline for devcontainer.json files in 2026, covering base image selection, features, lifecycle scripts, and the supply chain controls that actually matter.
How to Scan Docker Images for Vulnerabilities
A production-grade vulnerability scanning pipeline for Docker images using Trivy and Grype, with reachability-based prioritization and admission enforcement.