Links
Docker Hardened Images (DHI) provide developers with secure, minimal container images that are easy to adopt without workflow disruptions. They feature near-zero vulnerabilities, verifiable software bills of materials (SBOMs), and offer extended support for long-lived workloads. This solution is open-source under the Apache 2.0 license.
This article outlines a collection of production-ready container images that are rebuilt daily to minimize vulnerabilities. Each image includes only essential packages, resulting in a reduced attack surface and fast CVE patching.
Lima's second major release introduces support for AI workflows, expanding its functionality beyond containers. New features include plugin support, GPU acceleration for macOS, and tools for securely managing AI agents within a virtual machine. This update aims to improve the safety and usability of AI applications.
This article explores AWS Bottlerocket, a secure operating system designed for container hosting. It tests how Bottlerocket defends against common container escape techniques, demonstrating its effective security measures compared to less hardened systems like Ubuntu.
This article explores Kubernetes' architecture and its various attack vectors. It discusses security concerns, threat hunting, and how tools like Falco can help detect and mitigate potential threats within Kubernetes environments.
This article offers a comprehensive e-book focused on AWS container services. It covers various aspects like security, monitoring, and management for applications running in AWS environments. You'll find insights tailored for developers and IT professionals working with containers.
This article explores different sandboxing techniques for executing AI code safely. It discusses the limitations of containers, the advantages of gVisor and microVMs, and the importance of policy design to prevent data leaks. The author provides a decision-making framework to choose the right sandbox based on threat models and operational needs.
Implementing usage and security reporting for Amazon ECR enhances observability of container registries by generating comprehensive reports that detail repository and image-level metrics. These reports help identify unused resources, track security vulnerabilities, and optimize costs through actionable insights. The article provides a hands-on walkthrough for generating these reports using sample code and AWS tools.
Dalec is a project focused on providing a secure, declarative format for building system packages and containers, emphasizing supply chain security. It supports various operating systems and ensures minimal image sizes to reduce vulnerabilities, while allowing for contributions under a Contributor License Agreement.
AWS ECS tasks running on EC2 instances face weak task-level isolation, leading to potential security risks like credential theft. The article highlights the importance of hardening configurations, particularly by restricting access to the EC2 Instance Metadata Service (IMDS), and discusses various networking modes and methods to effectively block IMDS access for ECS tasks.
Containers, while popular for application deployment, may not be the optimal solution for environment setup and safe execution, as these issues can be addressed by operating systems themselves. Alternatives such as self-contained deployments and ahead-of-time compilation can reduce dependency fragility, while execution manifests could enhance security by defining a program's permissions and interactions with the system.
The 2025 Docker State of Application Development Report reveals key insights from over 4,500 developers, highlighting trends in AI adoption, security as a shared responsibility, and the growing prevalence of non-local development environments. Despite the advancements in tools and culture, developers still encounter friction in their workflows. The report emphasizes the evolving tech stack, with Python surpassing JavaScript in popularity and container usage reaching 92% within the IT sector.
Docker's reliance on a persistent daemon with root privileges has raised security concerns, leading many to explore alternatives like Podman. Podman's daemonless architecture enhances security, reduces resource usage, and simplifies integration with systemd, making it a compelling choice for modern container management. The transition from Docker to Podman is seamless, allowing existing workflows to continue with minimal adjustments.
User namespaces will be enabled by default in future Kubernetes releases, enhancing security by isolating container users from host users. This change aims to simplify the configuration and improve the overall security posture of Kubernetes workloads. Developers are encouraged to adapt their applications to this new default to take full advantage of the security benefits.