Container Security
Everything on SkillVeris tagged Container Security — collected across the glossary, study notes, blog, and cheat sheets.
22 resources across 1 library
Interview Questions(22)
What is a chroot Jail and What Are Its Limitations?
A chroot jail is created by the chroot() system call, which changes a process’s apparent root directory `/` to a chosen subdirectory, so the process — and anyt…
What is Linux Capability Dropping and Why Does It Matter?
Linux capabilities split the traditionally all-or-nothing power of the root user into dozens of independent, fine-grained privileges — like CAP_NET_BIND_SERVIC…
What is a Docker Multi-Stage Build?
A multi-stage Docker build uses multiple FROM instructions in one Dockerfile, where each stage can compile or prepare artifacts and only the final stage copies…
What Are Dockerfile Best Practices?
Dockerfile best practices center on minimizing image size and build time while maximizing cache reuse and security: use a small pinned base image, order instru…
What is a Docker Registry?
A Docker registry is a storage and distribution service for container images, organized into repositories and tags, that lets teams push built images and pull…
What is a Container Runtime?
A container runtime is the low-level software component that actually creates, starts, and manages the lifecycle of a container on a host by configuring Linux…
Docker vs Podman: What Is the Difference?
Docker relies on a persistent background daemon (dockerd) running as root to build and manage containers, while Podman is daemonless — each podman command dire…
What Are Distroless Images?
Distroless images are minimal container base images that contain only an application and its direct runtime dependencies — no shell, package manager, or OS uti…
What is Docker Image Security Scanning and Why Does It Matter?
Docker image security scanning inspects the layers of a built image against known vulnerability databases (CVEs) to catch outdated packages, exposed secrets, a…
What is the Difference Between Docker Bind Mounts and Volumes?
A Docker volume is storage fully managed by the Docker engine in its own dedicated area on disk, while a bind mount maps an arbitrary existing path on the host…
What is the Docker Build Context and Why Does It Matter?
The Docker build context is the set of files at a specified path (or URL) that the Docker client packages up and sends to the Docker daemon before a build star…
What are Kubernetes Pod Security Standards?
Pod Security Standards are three predefined policy levels — Privileged, Baseline, and Restricted — built into Kubernetes that define what a Pod is allowed to d…
What Are the Key Principles of Container Security?
Container security means hardening every layer of the container lifecycle — the base image, the build process, the runtime configuration, and the host kernel —…
How Does Container Image Vulnerability Scanning Work?
Container image vulnerability scanning inspects every layer of a built image — the OS packages, language dependencies, and binaries — against databases of know…
What is Container Runtime Security?
Container runtime security is the practice of monitoring and constraining what a container is actually doing while it runs — its syscalls, process behavior, fi…
How Does Falco Detect Threats at Runtime?
Falco is an open-source, CNCF-graduated runtime security tool that taps into kernel syscall events using eBPF (or a kernel module driver) and evaluates them in…
What are Seccomp Profiles in Container Security?
A seccomp (secure computing mode) profile is a Linux kernel feature that restricts which system calls a process is allowed to make, and in container security i…
AppArmor vs SELinux: What Is the Difference?
AppArmor and SELinux are both Linux Mandatory Access Control (MAC) systems that restrict what a process can do beyond standard user permissions, but AppArmor c…
What Is Container Image Signing With Cosign?
Cosign is a tool from the Sigstore project that cryptographically signs container images and stores the signature alongside the image in the registry, so a dep…
What Is an SBOM (Software Bill of Materials)?
A Software Bill of Materials (SBOM) is a structured, machine-readable inventory of every component, library, and dependency — including transitive ones — that…
What Is Software Supply Chain Security in DevOps?
Software supply chain security is the practice of securing every stage that produces a running application — source code, dependencies, build systems, CI/CD pi…
What Is the SLSA Framework?
SLSA (Supply-chain Levels for Software Artifacts, pronounced 'salsa') is a security framework, originally developed at Google and now under the OpenSSF, that d…