gvisor
Safeguard articles tagged "gvisor" — guides, analysis, and best practices for software supply chain and application security.
5 articles
Container isolation mechanisms explained: namespaces, cgroups, seccomp, and gVisor
Docker's default seccomp profile blocks roughly 44 of the 300-plus Linux syscalls, yet a 2019 runc escape bypassed every default namespace boundary anyway.
gVisor vs Firecracker in 2026: Choosing a Sandbox for Untrusted Workloads
A side-by-side comparison of gVisor and Firecracker for sandboxing untrusted code in 2026, covering security model, performance, and operational complexity.
Container Runtime Showdown: runc vs crun vs gVisor in 2026
A practical comparison of runc, crun, and gVisor across performance, isolation, and operational fit, with concrete guidance on when each runtime earns its place in production.
gVisor Runtime Security Deep Dive
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.
Container Runtime Security Comparison: runc, gVisor, Kata, and Firecracker
Your container runtime determines the strength of your isolation boundary. Here is an honest comparison of runc, gVisor, Kata Containers, and Firecracker from a security perspective.