multi-stage-builds
Safeguard articles tagged "multi-stage-builds" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Minimal, Non-Root Docker Images for Python: A Best-Practices Guide
CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.
Containerizing Node.js apps: an updated Docker best-practices guide
The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
Golang Docker Images: Building Them Right
How to build Golang Docker images that stay small, patch cleanly, and don't ship a compiler toolchain into production, using multi-stage builds done properly.
How Snyk Container handles multi-stage Docker builds duri...
How Snyk Container identifies base images, attributes vulnerabilities to Dockerfile instructions, and scopes scans across multi-stage Docker builds.
Multi-Stage Docker Builds: The Security Implications Nobody Talks About
Multi-stage builds reduce image size, but they also introduce security considerations around build secrets, layer caching, and dependency leakage.