Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Every container pulled in production is a trust decision. Here's how to secure the chain from base image selection through Dockerfile to admission control.
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
IngressNightmare - CVE-2025-1974 in Kubernetes ingress-nginx - gave unauthenticated attackers cluster-wide RCE. Here is how it worked and what to harden now.
Container security has matured significantly, but runtime protection remains a weak spot. Here's a practical guide to what works.
Pod Identity and IRSA both give EKS workloads AWS identities. The supply chain implications diverge once you look past the docs.
How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC patterns that meaningfully reduce blast radius.
Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.
Weekly insights on software supply chain security, delivered to your inbox.