Docker Hardened Images (DHI) are a curated set of minimal images built from source using a distroless approach. By removing shells, package managers, and other unnecessary components, the images are designed to reduce the attack surface of containerised workloads significantly.
According to Docker, the hardened images reduce the vulnerability footprint by up to 95% compared to traditional base images. Each image is maintained with automated patching and ongoing security updates, aiming for a near-zero number of known CVEs. Critical and high-severity vulnerabilities are patched within seven days, backed by a defined service-level agreement.
The hardened images are designed to be drop-in replacements for popular base images, such as Alpine and Debian. Docker has focused on ensuring compatibility with existing Dockerfiles to minimise disruption to build pipelines. A customisation layer allows teams to add their own certificates, packages, and configuration files on top of the secure base.
DHI images also include signed Software Bill of Materials (SBOMs) and provenance metadata, supporting increased transparency and supply chain visibility. These features may be particularly relevant for teams operating in regulated industries or security-sensitive environments, where additional assurance and traceability are valued.
Docker has announced early integration partners, including Microsoft, GitLab, JFrog, NGINX, Sysdig, Wiz, and Sonatype. These collaborations aim to ensure DHI works seamlessly with popular security and CI/CD tooling.
In internal testing, Docker reports that swapping a standard Node.js image for a hardened variant led to a 98% reduction in the number of installed packages and the elimination of known CVEs. The initial catalogue includes hardened images for common runtimes, including Python, Go, and Java.
DHI is now available via Docker Hub, with access determined by Docker’s subscription tiers. The setup documentation and customisation tools are included as part of the release.
