From the beginning, Docker has focused on enabling developers to build, share, and run software efficiently and securely. Today, Docker Hub powers software delivery at a global scale, with over 14 million images and more than 11 billion pulls each month. That scale gives us a unique vantage point into how modern software is built and the challenges teams face in securing it.
That’s why we’ve made security a cornerstone of our platform. From trusted Docker Official Images to SBOM support for transparency, the launch of Docker Scout for real-time vulnerability insights, and a hardened Docker Desktop to secure local development, every investment reflects our commitment to making software supply chain security more accessible, actionable, and developer-first.
Now, we’re taking that commitment even further.
We’re excited to introduce Docker Hardened Images (DHI) — secure-by-default container images purpose-built for modern production environments.
These images go far beyond being just slim or minimal. Docker Hardened Images start with a dramatically reduced attack surface, up to 95% smaller, to limit exposure from the outset. Each image is curated and maintained by Docker and kept continuously up to date to ensure near-zero known CVEs. They support widely adopted distros like Alpine and Debian, so teams can integrate them without retooling or compromising compatibility.
Plus, they’re designed to work seamlessly with the tools you already depend on. We’ve partnered with a range of leading security and DevOps platforms, including Microsoft, NGINX, Sonatype, GitLab, Wiz, Grype, Neo4j, JFrog, Sysdig and Cloudsmith, to ensure seamless integration with scanning tools, registries, and CI/CD pipelines.
What we’re hearing from customers
We talk to teams every day, from fast-moving startups to global enterprises, and the same themes keep coming up.
Integrity is a growing concern: “How do we know every component in our software is exactly what it claims to be—and hasn’t been tampered with?” With so many dependencies, it’s getting harder to answer that with confidence.
Then there’s the attack surface problem. Most teams start with general-purpose base images like Ubuntu or Alpine. But over time, these containers get bloated with unnecessary packages and outdated software, creating more ways in for attackers.
And of course, operational overhead is through the roof. Security teams are flooded with CVEs. Developers are stuck in a loop of patching and re-patching, instead of shipping new features. We’re hearing about vulnerability scanners lighting up constantly, platform teams stretched thin by centralized dependencies, and developers resorting to manual upgrades just to stay afloat. These challenges aren’t isolated — they’re systemic. And they’re exactly what we designed Docker Hardened Images to address.
Inside Docker Hardened Images
Docker Hardened Images aren’t just trimmed-down versions of existing containers — they’re built from the ground up with security, efficiency, and real-world usability in mind. They’re designed to meet teams where they are. Here’s how they deliver value across three essential areas:
Seamless Migration
First, they integrate seamlessly into existing workflows. Unlike other minimal or “secure” images that force teams to change base OSes, rewrite Dockerfiles, or abandon tooling, DHI supports the distributions developers already use, including familiar Debian and Alpine variants. In fact, upgrading to a DHI can be straightforward. Switching to a hardened image is as simple as updating one line in your Dockerfile:

Flexible customization
Second, they strike the right balance between security and flexibility. Security shouldn’t mean sacrificing usability. DHI supports the customizations teams rely on, including certificates, packages, scripts, and configuration files, without compromising the hardened foundation. You get the security posture you need with the flexibility to tailor images to your environment.

Under the hood, Docker Hardened Images follow a distroless philosophy, stripping away unnecessary components like shells, package managers, and debugging tools that commonly introduce risk. While these extras might be helpful during development, they significantly expand the attack surface in production, slow down startup times, and complicate security management.
By including only the essential runtime dependencies needed to run your application, DHI delivers leaner, faster containers that are easier to secure and maintain. This focused, minimal design leads to up to a 95% reduction in attack surface, giving teams a dramatically stronger security posture right out of the box.
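A check for the distroless property described above, as an added example that is not Docker's code: it audits a root-filesystem tarball (the format `docker export` writes) for shells, package managers and debugging tools. The name lists, `audit_rootfs`, `make_rootfs` and the sample file listings are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Assumed, non-exhaustive name lists chosen for illustration; tune them for your images.
RISKY = {
    "shell": {"sh", "bash", "dash", "ash", "zsh", "busybox"},
    "package manager": {"apt", "apt-get", "dpkg", "apk", "yum", "dnf", "pip", "npm"},
    "debug tool": {"gdb", "strace", "curl", "wget", "nc", "tcpdump"},
}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin", "usr/local/sbin"}


def audit_rootfs(tar_bytes):
    """Return sorted (category, path) findings for a root-filesystem tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            # Symlinks and hard links count: busybox-style images expose sh as a link.
            if not (member.isfile() or member.issym() or member.islnk()):
                continue
            # Normalise "./bin/sh" and "/bin/sh" to the same relative form.
            parts = [p for p in PurePosixPath(member.name).parts if p != "/"]
            if len(parts) < 2 or "/".join(parts[:-1]) not in BIN_DIRS:
                continue
            for category, names in RISKY.items():
                if parts[-1] in names:
                    findings.append((category, "/".join(parts)))
    return sorted(findings)


def make_rootfs(paths):
    """Build a constructed in-memory tarball holding empty files at `paths`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in paths:
            tar.addfile(tarfile.TarInfo(path))
    return buf.getvalue()


# Constructed sample inputs, not listings of any real image.
GENERAL = make_rootfs(["./bin/sh", "usr/bin/apt", "usr/bin/curl", "usr/local/bin/node"])
MINIMAL = make_rootfs(["usr/local/bin/node", "etc/ssl/certs/ca-certificates.crt"])

if __name__ == "__main__":
    for label, image in (("general", GENERAL), ("minimal", MINIMAL)):
        print(label, audit_rootfs(image))
```

An empty result for an image's exported filesystem is the signal a CI gate would require before promoting it to production.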
Automated Patching & Rapid CVE Response
Finally, patching and updates are continuous and automated. Docker monitors upstream sources, OS packages, and CVEs across all dependencies. When updates are released, DHI images are rebuilt, subjected to extensive testing, and published with fresh attestations—ensuring integrity and compliance within our SLSA Build Level 3–compliant build system. The result: you’re always running the most secure, verified version—no manual intervention required.
Most importantly, essential components are built directly from source, allowing us to deliver critical patches faster and remediate vulnerabilities promptly. We patch Critical and High-severity CVEs within 7 days — faster than typical industry response times — and back it all with an enterprise-grade SLA for added peace of mind.
Internal Adoption: Validating Docker Hardened Images in Production Environments
We’ve been using DHI internally across several key projects — putting them to the test in real-world, production environments. One standout example is our internal use of a hardened Node image.
By replacing the standard Node base image with a Docker Hardened Image, we saw immediate and measurable results: vulnerabilities dropped to zero, and the package count was reduced by over 98%.
That reduction in packages isn’t just a matter of image size; it directly translates to a smaller attack surface, fewer moving parts to manage, and significantly less overhead for our security and platform teams. This shift gave us a stronger security posture and simplified operational complexity — exactly the kind of outcome we designed DHI to deliver.
Ready to get started?
Docker Hardened Images are designed to help you ship software with confidence by dramatically reducing your attack surface, automating patching, and integrating seamlessly into your existing workflows. Developers stay focused on building. Security teams get the assurance they need.
Looking to reduce your vulnerability count?
We’re here to help. Get in touch with us and let’s harden your software supply chain, together.