AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.
Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.
A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authorization, runtime identity, and the gaps the default configuration leaves wide open.
Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.
A review of Prisma Cloud's container and cloud workload security features, covering image scanning, runtime protection, compliance, and the Twistlock heritage.
etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sharpened in 2024.
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.