Safeguard
Tag

dockerfile

Safeguard articles tagged "dockerfile" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Container Security

Containerizing Node.js apps: an updated Docker best-practices guide

The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.

Jul 13, 20267 min read
Container Security

Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick

Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.

Jul 8, 20265 min read
Container Security

Building a minimal, multi-stage, non-root Dockerfile for PHP

The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.

Jul 8, 20267 min read
Container Security

Distroless vs Alpine: Which Base Image Is More Secure?

Alpine is tiny and familiar; distroless is tinier and shell-free. The right choice depends on what you value more — debuggability or a minimal attack surface. Here is the honest tradeoff.

Jul 5, 20265 min read
Container Security

Docker Image Security Best Practices

Every Docker layer you ship is attack surface you have to defend. Learn how to build lean, non-root, secret-free images that survive a registry scan and a real audit.

Jul 1, 20265 min read
Guides

How to Harden a Dockerfile in 10 Practical Steps

Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.

Apr 20, 20266 min read
Container Security

How Snyk Container's automatic base image remediation PRs...

How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.

Sep 4, 20256 min read
Containers

Docker Scratch Images: When (and When Not) to Use Them

A docker scratch image starts from nothing — no shell, no package manager, no OS layer — which makes it the smallest possible attack surface, but only for binaries built to run without one.

Jun 17, 20255 min read
Containers

Docker Container Security: A Hardening Checklist

Most container breaches trace back to a handful of avoidable mistakes — root users, bloated images, exposed sockets, unscanned dependencies. This checklist closes them, image to runtime.

Jun 10, 20257 min read
Containers

Node.js in Docker: Choosing and Securing Your Base Image

The Docker Node base image you pick decides your CVE count before you write a line of code. Here is how to choose between Debian, slim, and Alpine — and harden whichever you pick.

Mar 12, 20257 min read
Container Security

BuildKit and Buildah: Building Containers Without Giving Away the Keys

Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.

Mar 12, 20236 min read
dockerfile — Safeguard Blog