docker
Safeguard articles tagged "docker" — guides, analysis, and best practices for software supply chain and application security.
60 articles
Alpine vs Distroless vs Ubuntu Base Images: Security Tradeoffs
Alpine is small, distroless is smaller, Ubuntu is comfortable. The real security question is CVE surface vs debuggability vs compatibility — with numbers.
AI-Generated Dockerfile Vulnerability Patterns
LLM-generated Dockerfiles repeat the same six or seven mistakes. Here is the pattern catalog and how to catch them before they ship.
How to configure OWASP ZAP for automated scanning
A step-by-step guide to configuring OWASP ZAP for automated scanning in CI/CD, from Docker setup through baseline and API scans to pipeline gating.
Container Security Best Practices Checklist 2026
A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.
containerd-shim Abstract Unix Socket Exposure Enabling Co...
CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.
CVE-2025-31133 in runc: Patch Posture & SBOM Response
runc container-escape via /proc mount manipulation affects Docker, Kubernetes, and every CRI runtime. Defender playbook below.
Node.js in Docker: A Practical Setup Guide
A practical setup guide for running node.js docker containers in production, choosing between docker node slim and full images, and locking down what actually matters for security.
Container SBOM Generation: Best Practices for 2025
Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accurate SBOMs for containerized applications.
Scanning Docker Images for Vulnerabilities: How To
Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.
Choosing a Container Security Scanner
A practical checklist for choosing a container security scanner, covering base-image coverage, registry integration, runtime relevance, and how scan noise actually gets managed.
How Snyk Container handles multi-stage Docker builds duri...
How Snyk Container identifies base images, attributes vulnerabilities to Dockerfile instructions, and scopes scans across multi-stage Docker builds.
CVE-2025-9074 in Docker Desktop: Patch Posture & SBOM Response
Docker Desktop container-to-host escape scored CVSS 9.3. Affected Windows and macOS developer fleets need a fast patch rollout. Defender playbook below.