Safeguard
Tag

image-security

Safeguard articles tagged "image-security" — guides, analysis, and best practices for software supply chain and application security.

12 articles

Container Security

Rolling Out Zero-CVE Base Images Org-Wide

A pragmatic playbook for migrating an entire engineering organisation onto zero-CVE base images, covering pilot selection, registry mirroring, drift control, and the hard people-side of the rollout.

Apr 11, 20267 min read
Container Security

Container Supply Chain Defence: Build To Run

An end-to-end view of container supply chain controls from source through registry to runtime, covering signing, attestation, admission policy, and runtime drift, with concrete checkpoints at each stage.

Apr 7, 20267 min read
Container Security

Kubernetes Admission Policy Real-World Deployment

What it actually takes to put Kubernetes admission policy into enforcement mode without breaking deployments: phased rollout, exception workflows, audit-mode hygiene, and policy authoring conventions that survive contact with engineers.

Apr 3, 20267 min read
Container Security

Pod Supply Chain Attestation Validation

How to validate supply chain attestations at pod admission time without grinding deployments to a halt: which attestation types actually matter, how to chain verifications, and how to fail useful.

Mar 29, 20267 min read
Container Security

OCI Artifact Signing Rollout Program

A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.

Mar 24, 20267 min read
Container Security

Runtime Container Drift: Supply Chain Implications

Runtime drift is the last honest witness in container supply chain defence. This post covers what drift signals tell you, how to instrument for them, and how to investigate without overwhelming on-call.

Mar 19, 20267 min read
Container Security

Chiseled / Distroless Image Rollout Program

What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.

Mar 14, 20267 min read
Container Security

Service Mesh Supply Chain Policy 2026

Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.

Mar 9, 20267 min read
Container Security

Kubernetes Operator Supply Chain Controls

Operators are powerful, privileged, and often under-governed. This post covers the supply chain controls that keep operator installations from becoming the largest attack surface in your cluster.

Mar 4, 20267 min read
Container Security

Helm Chart Supply Chain Defence Blueprint

Helm charts are the most common Kubernetes deployment artifact and the least scrutinised. This blueprint covers chart provenance, signing, value validation, and the runtime correspondence checks that close the loop.

Feb 27, 20267 min read
Container Security

Distroless Node.js 20 on Debian 12 Image Deep Dive

A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.

Feb 19, 20265 min read
Container Security

Container Security Best Practices Checklist 2026

A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.

Jan 22, 20265 min read
image-security — Safeguard Blog