Jiniads
2026-05-02
Cloud Computing

A Year of Docker Hardened Images: The Principles Behind a Safer Container Ecosystem

One year after launch, Docker Hardened Images reaches 500k daily pulls and 25k patched artifacts, driven by a commitment to free, open-source, multi-distro, and verifiable supply chain security.

It has been roughly one year since we introduced Docker Hardened Images (DHI), and reflecting on that journey reveals more than just impressive metrics. Earlier this month, our daily pull count surpassed 500,000, and our SLSA Build Level 3 pipeline has continuously patched over 25,000 operating-system artifacts. Since launching the free DHI Community tier late last year, the catalog has expanded to more than 2,000 hardened images, along with MCP servers, Helm charts, and ELS images. We now execute over a million builds on a regular basis, with no signs of slowing down. Yet the most compelling story lies not in these numbers, but in the decisions that brought us here.

Why We Chose the Harder Path

Every product and engineering choice we made was deliberately more difficult to build and operate—but ultimately better for developers and for the security of the ecosystem. We made hardened images free and open source. We built a multi-distro product so that adoption doesn't require migrating to a vendor’s proprietary operating system. We compile every system package from source for the distributions you already run. And we ship a wide range of signed attestations with each image, because independent verifiability demands nothing less.

Source: www.docker.com

Free and Open Source Security

Our goal was to make a real impact on the security posture of the internet. That meant making hardened images widely accessible. Unlike the industry norm of gating such catalogs behind paywalls, we chose to release DHI Community under a permissive Apache 2.0 license, freely available to every developer. This wasn’t a new undertaking for us—we’ve been maintaining Docker Official Images for over a decade, always free for the community. By raising the security baseline across the ecosystem, we’ve shown that security should never be a premium feature. Openness enables impact at scale.

Multi-Distro Without a Migration Tax

Some vendors have created entirely new Linux distributions and branded them as “distroless.” In practice, this is a proprietary OS that your teams have never run, tested, or audited. We took a different route: we support the distributions you already trust, such as Debian and Alpine. Adopting our hardened images is a drop‑in replacement—no need to learn a new package manager, debug an unfamiliar filesystem, or retrain your operations staff. We believe that improving security should not force you to abandon the platforms that have served you well.

Building a Trustworthy Supply Chain

Our pipeline adheres to SLSA Build Level 3, ensuring provenance and integrity at every stage. Every package is built from source, which gives us full control over the compilation environment and allows us to apply patches immediately as vulnerabilities are disclosed. We continuously monitor CVE databases across multiple distributions and versions, and we rebuild artifacts the moment a fix is available. The result is an evergreen catalog where each image carries detailed attestations—signed metadata that lets you independently verify what’s inside. This level of transparency is what real supply chain security requires.


Industry Comparisons and Lessons

During the past year, we’ve closely observed how other providers approach the same challenges. Patching timelines vary widely: some vendors wait days or weeks to roll out fixes, while others batch updates infrequently. SBOM completeness is another area where standards differ—many images ship minimal or stale software bills of materials. Advisory coverage also falls short, with incomplete disclosure of affected versions and mitigations. By contrast, we prioritize immediate patches, comprehensive SBOMs, and clear communication about vulnerabilities. These patterns are worth understanding before evaluating any hardened image provider.

What’s Next for Docker Hardened Images

Our catalog will continue to expand. We are adding more Debian packages, additional ELS (Extended Long Support) images, and newer artifact types such as MCP servers and Helm charts. As our pipeline grows, we will maintain our commitment to openness, multi‑distro support, and rigorous supply chain security. The numbers—500k daily pulls, 25k patched artifacts, a million builds—are milestones, but they are just the beginning. The harder path we chose is proving to be the right one, and we invite the community to walk it with us.

For more details on our distribution support, see the Multi-Distro section. To learn about our build pipeline, jump to Building a Trustworthy Supply Chain.