kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Policy as code for cloud security guardrails
Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.
Securing Infrastructure as Code in GitOps workflows
GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.
Securing managed Kubernetes clusters with IaC scanning
IaC scanning catches Kubernetes RBAC, network, and IAM misconfigurations in Terraform and Helm before they ever reach EKS, GKE, or AKS clusters.
How Trivy sources vulnerability data (NVD, vendor advisor...
Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.
Container escape attacks: how they happen and how to prev...
Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.
Announcing Kubernetes workload protection in Snyk Container
Snyk added Kubernetes workload protection to Snyk Container. Here's what it does, why it matters now, and what security teams should ask before relying on it.
Kubernetes CIS Benchmark
CIS Kubernetes Benchmark controls, common failure patterns, how Aqua Security's kube-bench fits in, and how continuous, supply-chain-aware scanning closes the gaps a point-in-time scan leaves open.
Kubernetes Secrets
Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.
eBPF in Kubernetes
eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.
Tracking Kubernetes CVEs in 2026: A Practical Method
Kubernetes CVE news moves fast across control plane, kubelet, and CNI components — here's a repeatable method for tracking what actually applies to your cluster.
Container Image Signing
Signing tells you where a container image came from; scanning only tells you what's inside it. Here's how image signing works, how Aqua handles it, and what a complete solution needs.
Kubernetes and Infrastructure as Code security
Prisma Cloud pioneered infrastructure as code security scanning for Kubernetes, but alert fatigue and weak commit-level traceability leave real gaps. Here's how to close them.