#containersecurity — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #containersecurity, aggregated by home.social.
-
Security Tip: Harden your containers by using minimal base images. 🛡️
Standard images often include shells and package managers that attackers use once they gain a foothold. By switching to Alpine or Distroless images, you significantly reduce the attack surface and the number of CVEs you need to monitor.
Action: Audit your Dockerfiles and swap heavy images for minimal alternatives.
Track vulnerabilities: https://cvedatabase.com
-
Security Tip: Strengthen your container security by adopting the principle of least privilege. 🛡️ Avoid running processes as root inside containers; a breakout could grant attackers host-level privileges. Use the USER instruction in your Dockerfile to switch to a non-privileged user. Additionally, use minimal base images to reduce the attack surface. Track vulnerabilities affecting your stack at https://cvedatabase.com #ContainerSecurity #Docker #InfoSec #CVE
-
Security Tip: Secure your containerized apps by following the principle of least privilege. 🛡️
1. Never run containers as root; use a non-privileged user instead.
2. Use minimal base images to reduce the attack surface.
3. Scan images for CVEs during CI/CD.
Proactive security prevents container breakouts. Research the latest vulnerabilities and stay informed at https://cvedatabase.com
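The tips above (minimal base image, a non-root USER, pinned images) can be checked mechanically. The following Dockerfile audit script is an added example written for this page; it is not code from any of the posters or from Docker. The list of full-OS image names and the two sample Dockerfiles are constructed for the example, and the `nonroot` tag check assumes the distroless convention of shipping variants that already switch users.

```python
import re

# Full-OS base images the posts contrast with minimal ones (constructed list, not exhaustive).
FULL_OS_IMAGES = {"ubuntu", "debian", "centos", "fedora", "rockylinux", "almalinux", "amazonlinux"}


def parse_dockerfile(text):
    """Split a Dockerfile into stages: a list of (base_image_ref, [(INSTRUCTION, args), ...])."""
    text = re.sub(r"\\\r?\n", " ", text)  # join backslash line continuations into one logical line
    stages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            # skip flags such as --platform=...; the first remaining token is the image reference
            image = [t for t in args.split() if not t.startswith("--")][0]
            stages.append((image, []))
        elif stages:
            stages[-1][1].append((instr, args))
    return stages


def audit_dockerfile(text):
    """Return findings for the final stage, which is the image that actually ships."""
    stages = parse_dockerfile(text)
    if not stages:
        return ["no FROM instruction found"]
    image, instrs = stages[-1]
    findings = []
    ref = image.split("@")[0]                      # drop any @sha256:... digest
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                      # "localhost:5000/app" has a port, not a tag
        name, tag = ref, ""
    short = name.rsplit("/", 1)[-1]                # docker.io/library/ubuntu -> ubuntu
    if short != "scratch" and "@" not in image and not tag:
        findings.append(f"base image '{image}' is not pinned to a tag or digest")
    if short in FULL_OS_IMAGES:
        findings.append(f"final stage uses full OS base image '{short}'; prefer alpine or distroless")
    users = [args for instr, args in instrs if instr == "USER"]
    if not users:
        # distroless ':nonroot' variants already switch to an unprivileged user inside the image
        if "nonroot" not in tag:
            findings.append("no USER instruction in final stage: the process runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("final USER instruction switches back to root")
    return findings


# Constructed Dockerfiles, not taken from any project.
RISKY_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && \\
    apt-get install -y python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM alpine:3.20
RUN adduser -D -u 10001 app
COPY --from=build /out/app /app
USER app
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, dockerfile in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, audit_dockerfile(dockerfile) or ["no findings"])
```

Only the last stage is audited because build stages never reach production; a multi-stage build is also the usual way to get from a full-OS build image to a minimal runtime image without losing the toolchain.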
-
Looking to enhance your container security? Our latest article explores essential Docker hardening strategies for 2026 production deployments, including image scanning, secrets management, and resource constraints. Perfect for DevOps teams looking to level up their security game! #ContainerSecurity #DevOps #Cybersecurity #Docker #Kubernetes https://estoreab.com/container-hardening-strategies-secure-deployments
-
⚠️ HIGH severity: chainguard-dev apko (<1.2.7) doesn't verify downloaded .apk checksums vs signed index. Attackers can inject rogue packages into OCI images if download sources are compromised. Patch: upgrade to 1.2.7. CVE-2026-42575 https://radar.offseq.com/threat/cve-2026-42575-cwe-345-insufficient-verification-o-918c9a44 #OffSeq #ContainerSecurity
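The weakness class in the advisory above (CWE-345, insufficient verification) comes down to one missing step: hashing the downloaded archive and comparing it to the digest the trusted index lists before unpacking it into a layer. The script below is an added example written for this page, not apko's code, and it does not use the real APKINDEX format: the index layout, the package names and the archive bytes are constructed stand-ins, and the index is assumed to have had its own signature verified before this check runs.

```python
import hashlib
import hmac


def build_index(packages):
    """Publisher side, standing in for the signed index: one 'name sha256' line per genuine package."""
    return "\n".join(f"{name} {hashlib.sha256(data).hexdigest()}"
                     for name, data in sorted(packages.items()))


def parse_index(index_text):
    """Map package name -> expected hex digest; malformed lines are ignored rather than trusted."""
    digests = {}
    for line in index_text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            digests[fields[0]] = fields[1]
    return digests


def verify_download(index_text, name, downloaded):
    """Accept downloaded bytes only if they hash to the digest the index lists for that name."""
    expected = parse_index(index_text).get(name)
    if expected is None:
        return False  # not in the index: whatever the mirror served is untrusted
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for .apk archives and for a compromised mirror's substitution.
GENUINE = {
    "busybox-1.36.1-r2.apk": b"genuine busybox archive bytes",
    "zlib-1.3-r1.apk": b"genuine zlib archive bytes",
}
INDEX = build_index(GENUINE)
TAMPERED = b"genuine busybox archive bytes plus something the mirror added"


def fetch_and_verify(name, downloaded, index_text=INDEX):
    """What an image builder should do for every package before adding it to a layer."""
    if not verify_download(index_text, name, downloaded):
        raise ValueError(f"checksum mismatch for {name}: refusing to add it to the image")
    return downloaded


if __name__ == "__main__":
    fetch_and_verify("busybox-1.36.1-r2.apk", GENUINE["busybox-1.36.1-r2.apk"])
    try:
        fetch_and_verify("busybox-1.36.1-r2.apk", TAMPERED)
    except ValueError as exc:
        print(exc)
```

The check is cheap and belongs in the build regardless of how trusted the mirror is: the whole point of a signed index is that the download source does not have to be trusted.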
-
Security Tip: Don't trust every container image in your registry. 🛡️ While scanning for known CVEs is vital, image signing ensures provenance. It proves that the image in production is the one your CI/CD pipeline actually built. Without it, you're vulnerable to registry-level tampering. Track vulnerabilities and stay ahead of threats: https://cvedatabase.com #InfoSec #ContainerSecurity #AppSec #CyberSecurity #CVE
-
Security Tip: Harden your containers by using a read-only root filesystem. 🛡️ If an attacker exploits a CVE, they often try to download scripts or modify configs. A read-only filesystem blocks these actions at the runtime level. Combine this with non-root users for a robust defense-in-depth strategy. Research container-related vulnerabilities at https://cvedatabase.com #ContainerSecurity #CyberSecurity #InfoSec #CVE
-
Security Tip: Containers aren't magic sandboxes. 🛡️ To harden your infrastructure, follow the principle of least privilege: 1. Never run containers as root. 2. Use minimal base images (e.g., Alpine or Distroless) to reduce the attack surface. 3. Scan images for known vulnerabilities. Stay informed on the latest container-related CVEs at https://cvedatabase.com #InfoSec #CyberSecurity #ContainerSecurity #DevSecOps
-
Security Tip: Your container's base image matters. 🛡️ Using full OS images (like Ubuntu or Debian) often includes shells, package managers, and utilities your app doesn't need—all of which increase your attack surface. Switch to minimal images like Alpine or Google's "Distroless." Fewer binaries mean fewer CVEs to track and a smaller footprint for attackers. Stay updated on the latest vulnerabilities at https://cvedatabase.com #ContainerSecurity #InfoSec #CVE #DevSecOps
-
CVE-2026-31431: Copy Fail vs. rootless containers
https://www.dragonsreach.it/2026/05/04/cve-2026-31431-copy-fail-rootless-containers/
#HackerNews #CVE202631431 #CopyFail #rootlessContainers #cybersecurity #containersecurity
-
Security Tip: Don't run your containers as root! 🛡️ By default, containers run with root privileges. If a vulnerability allows a container escape, the attacker could gain full control of the host machine. Action: Use the 'USER' instruction in your Dockerfile to switch to a non-privileged user after setup. This follows the principle of least privilege and significantly reduces your risk. Stay informed: https://cvedatabase.com #CVE #InfoSec #ContainerSecurity
-
🛡️ Container Security Mastery: A Guide to Scanning Images for Known CVEs. Secure your applications by implementing automated scanning and integrating security into your DevOps pipeline. Learn to use tools like Trivy and manage vulnerabilities effectively. https://cvedatabase.com/blog/container-security-mastery-a-guide-to-scanning-images-for-known-cves-2026-04-28 #ContainerSecurity #Docker #Trivy #DevSecOps #CyberSecurity #VulnerabilityManagement
-
Security Tip: Minimize your container attack surface. 🐳 Using standard OS base images often includes shells and utilities that attackers use for lateral movement. Switch to "distroless" or minimal images to ensure only your application and its dependencies are present. Fewer binaries mean fewer CVEs to manage. Track emerging threats at https://cvedatabase.com #CyberSecurity #Infosec #ContainerSecurity #DevSecOps
-
Security Tip: The principle of least privilege applies to your containers too! 🐳 Running containers as root is a major risk. If a vulnerability like a container escape is exploited, the attacker inherits those root privileges on the host. Action: Add a non-privileged user to your Dockerfile and use the USER instruction. Stay informed on the latest container vulnerabilities: https://cvedatabase.com #InfoSec #ContainerSecurity #Docker #CyberSecurity
-
Docker Socket: Power & Danger 🐳⚠️
/var/run/docker.sock = Docker's API endpoint
Safe production uses:
• Monitoring (cAdvisor, Prometheus)
• Logging (Fluentd)
• CI/CD runners
Never:
• Mount in untrusted containers
• Expose to internet
• Run with privileged flag unless needed
Access = Root on host! 🔥
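The runtime-side points in the posts above (the Docker socket mount, the privileged flag, a read-only root filesystem, a non-root user) show up as flags on the `docker run` line, so they can be reviewed before a container is launched. The checker below is an added example written for this page, not code from any poster or from Docker; the set of value-taking options it knows is a constructed subset of the real CLI, and the two command lines are made up for the demonstration.

```python
import shlex

DOCKER_SOCK = "/var/run/docker.sock"
# docker run options that consume the following token as their value (constructed subset of the CLI).
VALUE_OPTS = {"-v", "--volume", "--mount", "--tmpfs", "-u", "--user", "-p", "--publish",
              "-e", "--env", "--name", "--cap-add", "--cap-drop", "--network", "--security-opt",
              "-w", "--workdir", "--memory", "--cpus", "--pids-limit"}


def parse_docker_run(cmdline):
    """Return (options, image) for a 'docker run ...' line; options maps each flag to its values."""
    tokens = shlex.split(cmdline)
    if tokens[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command line")
    opts = {}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            return opts, tok  # first non-option token is the image; anything after it is the command
        flag, has_eq, value = tok.partition("=")
        if not has_eq and flag in VALUE_OPTS:
            i += 1
            value = tokens[i]
        opts.setdefault(flag, []).append(value)
        i += 1
    return opts, None


def audit_docker_run(cmdline):
    """Findings against the hardening points in the posts: privileged, socket mount, rootfs, user, capabilities."""
    opts, _image = parse_docker_run(cmdline)
    findings = []
    if "--privileged" in opts:
        findings.append("--privileged: all capabilities and host devices, effectively root on the host")
    mounts = opts.get("-v", []) + opts.get("--volume", []) + opts.get("--mount", [])
    if any(DOCKER_SOCK in m for m in mounts):
        findings.append(f"{DOCKER_SOCK} is mounted: control of the daemon equals root on the host")
    if "--read-only" not in opts:
        findings.append("root filesystem is writable: add --read-only plus --tmpfs for scratch directories")
    user = (opts.get("--user") or opts.get("-u") or [None])[-1]
    if user is None:
        findings.append("no --user: the image's USER instruction (root by default) decides the uid")
    elif user.split(":")[0] in ("root", "0"):
        findings.append("--user is root")
    if "ALL" not in {v.upper() for v in opts.get("--cap-drop", [])}:
        findings.append("capabilities not dropped: add --cap-drop=ALL and --cap-add only what is required")
    return findings


# Constructed command lines, not from any real deployment.
RISKY_RUN = ("docker run -d --name ci-runner --privileged "
             "-v /var/run/docker.sock:/var/run/docker.sock ci-runner:1.0")
HARDENED_RUN = ("docker run -d --name web --read-only --tmpfs /tmp --user 10001:10001 "
                "--cap-drop=ALL --security-opt no-new-privileges -p 8080:8080 web:1.4.2")

if __name__ == "__main__":
    for label, cmd in (("risky", RISKY_RUN), ("hardened", HARDENED_RUN)):
        print(label, audit_docker_run(cmd) or ["no findings"])
```

A CI runner that genuinely needs the socket (one of the "safe production uses" the post lists) will still trip the socket finding; that is intended, since the point is that each such mount is a deliberate, reviewed exception rather than a default.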
-
Container security is more than just 'docker run'. 🐳 To harden your environment:
1. Scan images in your CI/CD pipeline for known CVEs.
2. Use minimal base images (Alpine/Distroless) to reduce the attack surface.
3. Use the USER directive—never run as root.
4. Keep your host OS patched.
Check https://cvedatabase.com to track vulnerabilities affecting your container runtimes and base images. #AppSec #ContainerSecurity #InfoSec #CyberSecurity
-
Disclosing a cross-tenant container isolation failure in Google Gemini's code_execution API sandbox.
Submitted to Google VRP on March 19 (ticket #493931439). Closed five times across 25 comments by the same triage handler citing "hallucination," "intended behavior," and a redirect to the gVisor open-source project. No technical engagement on any confirmed primitive. Published the full report and evidence on April 8 after exhausting the VRP process.
Confirmed across three independent Google accounts:
— /proc/<pid>/environ reads from foreign sessions, returning the complete environment of other tenants' processes including INTERPRETER_CALLBACK_SOCKET, INTERPRETER_POLL_CALLBACK, and full session configuration. Verified with raw \x00 null bytes across five consecutive clean runs.
— /proc/<pid>/mem ELF header reads from foreign processes.
— Writes to foreign session control scripts (/tmp/icb<id>/poll, cb.sock).
— Identical BOOT_ID across three independent Google accounts, confirming shared physical container.
— Session ID collisions across independent API users.
— ptrace(PTRACE_ATTACH) = 0 on PID 12, the root RPC process holding live authenticated Stubby/Borg file descriptors. Seccomp disabled. Full capabilities present.
— Shared PID, network, IPC, mount, and UTS namespaces across sessions, verified via /proc/<pid>/ns inode comparison.
The architectural issue: the API path provides near-zero isolation between independent tenants on the same physical container, while the Gemini UI path properly isolates namespaces. The disparity is the core finding.
Full 42-page technical report, evidence extracts, screenshots, ticket history, and reproduction steps:
https://github.com/Mo7ammedMajdy/gemini-sandbox-isolation-failure
-
My JavaPro article on "10 essential Docker commands to hunt the predator" is live!
We cover:
📜 SBOMs & Attestations
🛡️ Hardened Images (DHI)
🚫 VEX Exemptions
🕵️♂️ Zero-Day Defenses
Read the full Asgard mission here 👇
https://javapro.io/2026/03/19/10-docker-commandos-docker-commands-to-hunt-the-predator/
-
🚨 CVE-2026-33945 (CRITICAL, CVSS 10): lxc incus <6.23.0 is vulnerable to path traversal, enabling attackers to write as root & escalate privileges. Upgrade to 6.23.0+ ASAP, restrict config access! https://radar.offseq.com/threat/cve-2026-33945-cwe-22-improper-limitation-of-a-pat-4b327a65 #OffSeq #CVE202633945 #ContainerSecurity
-
🚨 CVE-2026-33945 (CRITICAL, CVSS 10): lxc incus <6.23.0 is vulnerable to path traversal, enabling attackers to write as root & escalate privileges. Upgrade to 6.23.0+ ASAP, restrict config access! https://radar.offseq.com/threat/cve-2026-33945-cwe-22-improper-limitation-of-a-pat-4b327a65 #OffSeq #CVE202633945 #ContainerSecurity
-
🚨 CVE-2026-33945 (CRITICAL, CVSS 10): lxc incus <6.23.0 is vulnerable to path traversal, enabling attackers to write as root & escalate privileges. Upgrade to 6.23.0+ ASAP, restrict config access! https://radar.offseq.com/threat/cve-2026-33945-cwe-22-improper-limitation-of-a-pat-4b327a65 #OffSeq #CVE202633945 #ContainerSecurity
-
While #Docker makes it easy to start and manage containers, a host system is still required to run them. These systems form the infrastructure on which containers run and are covered by objective 702.3 of the DevOps Tools Engineer 2.0 exam.
Dive into episode 8 of the DevOps 2.0 introduction series to learn more from Fabian Thorns and Uirá Ribeiro: https://lpi.org/5nix
#DevOps #Containers #Docker #ContainerImages #ContainerSecurity