Safeguard
Tag

kubernetes-security

Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.

125 articles

Infrastructure Security

Policy as code for cloud security guardrails

Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.

Jun 18, 20266 min read
Infrastructure Security

Securing Infrastructure as Code in GitOps workflows

GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.

Jun 16, 20267 min read
Infrastructure Security

Securing managed Kubernetes clusters with IaC scanning

IaC scanning catches Kubernetes RBAC, network, and IAM misconfigurations in Terraform and Helm before they ever reach EKS, GKE, or AKS clusters.

Jun 15, 20267 min read
Vulnerability Analysis

How Trivy sources vulnerability data (NVD, vendor advisor...

Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.

Apr 27, 20267 min read
Container Security

Container escape attacks: how they happen and how to prev...

Container escapes rarely need a zero-day — privileged flags, mounted sockets, and excess capabilities do the job. Here's how they happen, real CVEs, and how to stop them.

Apr 26, 20269 min read
Container Security

Announcing Kubernetes workload protection in Snyk Container

Snyk added Kubernetes workload protection to Snyk Container. Here's what it does, why it matters now, and what security teams should ask before relying on it.

Apr 22, 20267 min read
Container Security

Kubernetes CIS Benchmark

CIS Kubernetes Benchmark controls, common failure patterns, how Aqua Security's kube-bench fits in, and how continuous, supply-chain-aware scanning closes the gaps a point-in-time scan leaves open.

Apr 15, 20267 min read
Container Security

Kubernetes Secrets

Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.

Apr 15, 20268 min read
Container Security

eBPF in Kubernetes

eBPF gives Kubernetes deep runtime visibility, but it only sees what a container does after it starts. Here's what Aqua's Tracee gets right, and where supply chain gaps remain.

Apr 15, 20267 min read
Containers

Tracking Kubernetes CVEs in 2026: A Practical Method

Kubernetes CVE news moves fast across control plane, kubelet, and CNI components — here's a repeatable method for tracking what actually applies to your cluster.

Apr 14, 20264 min read
Cloud Security

Container Image Signing

Signing tells you where a container image came from; scanning only tells you what's inside it. Here's how image signing works, how Aqua handles it, and what a complete solution needs.

Apr 13, 20268 min read
DevSecOps

Kubernetes and Infrastructure as Code security

Prisma Cloud pioneered infrastructure as code security scanning for Kubernetes, but alert fatigue and weak commit-level traceability leave real gaps. Here's how to close them.

Apr 9, 20267 min read
kubernetes-security (Page 4) — Safeguard Blog