GUIDE · 6 min read
Container Image Hardening That Survives Production
Most container CVEs never get exploited — but the ones that do almost always succeed because the image runs as root with a writable filesystem. Fix the basics and you remove the blast radius.
Shrink the image
Distroless or chainguard base images. Fewer binaries = fewer LOLBins for the attacker.
Drop privileges by default
runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities, allowPrivilegeEscalation: false. Make these PodSecurity defaults.
- seccomp: RuntimeDefault
- AppArmor / SELinux enforcing
- No hostPath, no hostNetwork
Scan in the pipeline AND at runtime
Trivy/Grype at build time, Falco at runtime. Vulnerable images that never get pulled are a paperwork problem; vulnerable images running in prod are an incident.
Tools mentioned
TrivyGrypeFalcoChainguardDistrolessKyverno
⟩ takeaway
Small, non-root, read-only. Three properties that turn most container exploits into noisy failures.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.