Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.
Where JFrog Xray and Prisma Cloud actually compete, where they don't, and how to pick between them for software supply chain and runtime security in 2026.
Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.
A fact-based review of the best container image scanners in 2026, comparing Trivy, Grype, Snyk, Prisma Cloud, and Safeguard on accuracy and noise.
A production-grade vulnerability scanning pipeline for Docker images using Trivy and Grype, with reachability-based prioritization and admission enforcement.
Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 data shows and how to stop shipping secrets.
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
A fact-based comparison of Safeguard and Aqua Security in 2026 across container coverage, runtime protection, SCA depth, and supply chain capabilities.
Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.
Weekly insights on software supply chain security, delivered to your inbox.