CVE-2025-31133 in runc: Patch Posture & SBOM Response
runc container escape via /proc mount manipulation affects Docker, Kubernetes, and any CRI runtime that launches containers through runc. Defender playbook below.
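The patch-posture part of this post comes down to one question: which of your images and hosts still carry an unpatched runc? As an added example, not code from the Safeguard post or the runc project, the Python below walks a CycloneDX-style SBOM, picks out runc components, and flags any version below the fixed release for its branch, plus anything it cannot classify. The SBOM fragment is constructed for the example, and the fixed-version map is an assumption you must confirm against the runc advisory for CVE-2025-31133 before relying on it.

```python
"""Flag runc components in an SBOM that fall below an assumed fixed release.

Added example, not the Safeguard post's playbook or runc project code.
"""
import json
import re

# ASSUMPTION: fixed version per runc release branch. Confirm these values
# against the runc advisory for CVE-2025-31133 before using them in anger.
ASSUMED_FIXED_BY_BRANCH = {"1.2": "1.2.8", "1.3": "1.3.3"}

# Constructed CycloneDX-style SBOM fragment for this example (not a real host).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "runc", "version": "1.2.4", "purl": "pkg:deb/ubuntu/runc@1.2.4"},
        {"name": "containerd", "version": "1.7.27"},
        {"name": "runc", "version": "v1.3.3",
         "purl": "pkg:golang/github.com/opencontainers/runc@v1.3.3"},
        {"name": "runc", "version": "1.4.0-rc.1"},
    ],
})

# Accepts "1.2.4", "v1.3.3", "1.4.0-rc.1" and "1.4.0-rc1"; anything else is unknown.
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")
_FINAL_RELEASE = 10**9  # sorts a final release above any release candidate


def parse_version(text):
    """Return a comparable (major, minor, patch, rc) tuple, or None if unparseable."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    rc_key = int(rc) if rc is not None else _FINAL_RELEASE
    return (int(major), int(minor), int(patch), rc_key)


def branch_of(version):
    """Release branch ("1.2", "1.3", ...) of a parsed version tuple."""
    return f"{version[0]}.{version[1]}"


def vulnerable_runc_components(sbom_json, fixed_by_branch):
    """Return (version, reason) for every runc component that is unpatched or unclassifiable.

    Unknown branches and unparseable versions are reported rather than silently
    skipped: an SBOM check that only reports what it understands hides the gaps.
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("name") != "runc":
            continue
        raw = comp.get("version", "")
        parsed = parse_version(raw)
        if parsed is None:
            findings.append((raw, "unparseable version; review manually"))
            continue
        branch = branch_of(parsed)
        fixed = fixed_by_branch.get(branch)
        if fixed is None:
            findings.append((raw, f"no fixed version known for branch {branch}; review manually"))
            continue
        if parsed < parse_version(fixed):
            findings.append((raw, f"below fixed release {fixed}"))
    return findings


if __name__ == "__main__":
    for version, reason in vulnerable_runc_components(SAMPLE_SBOM, ASSUMED_FIXED_BY_BRANCH):
        print(f"runc {version}: {reason}")
```

Point it at the SBOMs your generator emits for both images and hosts; the runc that matters for escape is the one on the node, which an image-only SBOM will not show. Release candidates and branches missing from the map are reported as "review manually" on purpose, so the check never answers "clean" for a version it did not actually evaluate.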
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Container images are multi-layered artifacts that challenge SBOM generators. Here is how to generate comprehensive, accurate SBOMs for containerized applications.
Static analysis catches known vulnerabilities. Runtime detection catches exploitation. Here is how to implement runtime threat detection for containerized workloads.
A practical guide to hardening container images and deployments. Covers base image selection, build-time security, runtime protections, and Kubernetes-specific controls.
Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, with real Earthfile examples.
Container images are supply chain artifacts. Safeguard's container scanning analyzes every layer -- base images, OS packages, and application dependencies -- for a complete risk picture.
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
What changes in your software supply chain when you move from virtual machines to containers, and how to adapt governance, scanning, and provenance accordingly.
Root in the container often means root on the host. Rootless mode breaks that assumption. Here is how to run Docker and Podman without root and why it matters more than you think.