docker
Safeguard articles tagged "docker" — guides, analysis, and best practices for software supply chain and application security.
60 articles
Container Base Image Hygiene: An Underrated Lever for Red...
Swapping bloated base images for minimal ones can cut container CVE counts by 60-90% without touching app code. Here's the data and how to start.
Dockerizing Node.js and PHP Apps: A Practical Guide
Writing a node js dockerfile and learning how to dockerize php application deployments both hinge on the same handful of decisions — base image, layer order, and what you leave out of the final image.
Docker Privileged Containers: `docker run` and Compose Risks
docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.
Container Hardening Guide 2025: From Base Image to Production
A practical guide to hardening container images and deployments. Covers base image selection, build-time security, runtime protections, and Kubernetes-specific controls.
Rebuilding Docker Images: Cache, Patching, and Reproducibility
A plain docker build reuses cached layers and silently skips your security patches. Here is how the cache actually works, how to force a real rebuild, and how to keep rebuilds reproducible.
Container Image Digests vs Tags: Why Pinning Matters
A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.
Container Security Best Practices for 2025: Beyond Image Scanning
Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.
Deep Dive: Safeguard Container Scanning
Container images are supply chain artifacts. Safeguard's container scanning analyzes every layer -- base images, OS packages, and application dependencies -- for a complete risk picture.
Container Security Scanning in 2024: Benchmarks, Tools, and What Actually Matters
Container image scanning tools vary widely in detection rates, false positive rates, and coverage. Here is a practical assessment of the container security scanning landscape in 2024.
BuildKit Cache Security Considerations for Container Builds
BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.
Multi-Stage Docker Builds: The Security Implications Nobody Talks About
Multi-stage builds reduce image size, but they also introduce security considerations around build secrets, layer caching, and dependency leakage.
Container Base Image Selection: A Security-First Decision Framework
Your base image choice determines your container security baseline. Most teams pick based on size or familiarity, not security properties.