Docker has launched Docker Hardened Images, a catalog of enterprise-grade, security-hardened container images designed to protect against software supply chain threats. By relieving DevOps teams from the chore of securing their containers on their own, hardened images provide an easier way to meet enterprise-grade security and compliance standards, Docker says.
Hardened Images aim to increase teams’ confidence that image components have not been tampered with and do not include malicious code. Additionally, it is common for developers to begin with a base image and add packages incrementally, which often expands the attack surface by introducing unnecessary or outdated dependencies.
Docker Hardened Images are built with security in mind and are not just “trimmed-down versions of existing containers”:
These images go far beyond being just slim or minimal. Docker Hardened Images start with a dramatically reduced attack surface, up to 95% smaller, to limit exposure from the outset.
To this end, Docker explains, Docker Hardened Images strip away unnecessary components like shells, package managers, and debugging tools that are useful during development but expand the attack surface in production. Developers still have the option to customize these images by adding certificates, packages, scripts, and configuration files using the Docker UI.
As an example, the Node hardened image reduces the overall package count by 98% in comparison with the stock Node image.
Reducing the number of packages also lowers the effort required to comply with a “zero vulnerability” policy. According to Sysdig’s 2023 Cloud-Native Security and Usage Report, only 15% of reported unpatched critical and high-severity vulnerabilities affect packages used at runtime. Yet unused vulnerable packages still count toward overall vulnerability tallies, leading to a staggering 87% of container images including critical or high-severity vulnerabilities. As Hacker News user koblas noted, this inflates the number of images that must be patched compared to a scenario where images include only strictly required packages:
The classic UNIX problem was that the LPT printer daemon had an issue (it had lots and lots). None of your systems were running LPT, but you still had to patch 1000s of systems just to maintain a security policy.
What’s different between full-on UNIX systems and Docker is the possibility of deploying code based on scratch images. Imagine a system which only had the pieces necessary to run in production; your security exception reports would go to zero.
Moreover, Docker promises to rebuild hardened images whenever updates are released or new CVEs are published for dependencies. Every new build gets fresh attestations generated by Docker’s SLSA Build Level 3–compliant build system.
We patch Critical and High-severity CVEs within 7 days—faster than typical industry response times—and back it all with an enterprise-grade SLA for added peace of mind.
Docker claims that, for most developers, migrating to Hardened Images is as simple as changing the FROM clause in their Dockerfiles. Developers already using Debian- or Alpine-based images will feel at home, as Hardened Images support both.
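The following Dockerfile is an added illustration, not Docker’s documentation or an actual Docker Hardened Images reference, of what the FROM change looks like in practice together with the consequence of the stripped-down runtime described above: a multi-stage build compiles with a conventional image that still has a shell and a package manager, and only the final stage runs on the hardened base. The image reference `hardened-registry.example/node:20`, the certificate path and the non-root user name are placeholders and assumptions; substitute the catalog’s real image reference and your own values.

```dockerfile
# Stage 1: build on a conventional, full-featured image that still ships a
# shell and npm. (Constructed example; nothing here is a real Docker Hardened
# Images reference.)
FROM node:20 AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .

# Stage 2: run on the hardened base. Compared with a conventional Dockerfile,
# only this FROM line and the COPY of the built artefacts change.
# PLACEHOLDER: replace with the real hardened image reference.
FROM hardened-registry.example/node:20 AS runtime

# Customization of the kind the article mentions (certificates, config files)
# is done by copying files in, because the hardened image has no package
# manager with which to install them. Path is an assumption for this example.
COPY certs/internal-ca.crt /etc/ssl/certs/internal-ca.crt

WORKDIR /app
COPY --from=build /app /app

# No RUN instructions in this stage: RUN needs /bin/sh, which the hardened
# image deliberately lacks. Likewise, CMD and ENTRYPOINT must use exec
# (JSON-array) form; the shell form "CMD node server.js" is executed via
# "/bin/sh -c" and would fail to start on an image without a shell.
# Assumption: the hardened image defines a non-root user named "node".
USER node
EXPOSE 3000
CMD ["node", "server.js"]
```

A quick way to confirm that the runtime stage really has no shell is to try `docker run --rm --entrypoint /bin/sh <image>`: on a hardened image the container should fail to start because the binary is absent, which is the intended outcome rather than an error to work around.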
Docker is not the only provider of hardened images. Security solution provider Chainguard is also offering a catalog of over 1300 hardened images.
Using a hardened base image is only part of the story when it comes to securing your containers. You may also want to explore key best practices for hardening containers more comprehensively.