Core concepts

Table of contents

Docker Hardened Images (DHIs) are built on a foundation of secure software supply chain practices. This section explains the core concepts behind that foundation, from signed attestations and immutable digests to standards like SLSA and VEX.

Start here if you want to understand how Docker Hardened Images support compliance, transparency, and security.

Security metadata and attestations

Attestations

Review the full set of signed attestations included with each Docker Hardened Image, such as SBOMs, VEX, build provenance, and scan results.

Software Bill of Materials (SBOMs)

Learn what SBOMs are, why they matter, and how Docker Hardened Images include signed SBOMs to support transparency and compliance.

Supply-chain Levels for Software Artifacts (SLSA)

Learn how Docker Hardened Images comply with SLSA Build Level 3 and how to verify provenance for secure, tamper-resistant builds.

Image provenance

Learn how build provenance metadata helps trace the origin of Docker Hardened Images and support compliance with SLSA.

FIPS

Learn how Docker Hardened Images support FIPS 140 by using validated cryptographic modules and providing signed attestations for compliance audits.

STIG

Learn how Docker Hardened Images provide STIG-hardened container images with verifiable security scan attestations for government and enterprise compliance requirements.

Vulnerability and risk management

Common Vulnerabilities and Exposures (CVEs)

Understand what CVEs are, how Docker Hardened Images reduce exposure, and how to scan images for vulnerabilities using popular tools.

Vulnerability Exploitability eXchange (VEX)

Learn how VEX helps you prioritize real risks by identifying which vulnerabilities in Docker Hardened Images are actually exploitable.

Software Supply Chain Security

Learn how Docker Hardened Images help secure every stage of your software supply chain with signed metadata, provenance, and minimal attack surface.

Secure Software Development Lifecycle (SSDLC)

See how Docker Hardened Images support a secure SDLC by integrating with scanning, signing, and debugging tools.

Image structure and behavior

Distroless images

Learn how Docker Hardened Images use distroless variants to minimize attack surface and remove unnecessary components.

glibc and musl support in Docker Hardened Images

Compare glibc and musl variants of DHIs to choose the right base image for your application’s compatibility, size, and performance needs.

Image immutability

Understand how image digests, read-only containers, and signed metadata ensure Docker Hardened Images are tamper-resistant and immutable.

Image hardening

Learn how Docker Hardened Images are designed for security, with minimal components, nonroot execution, and secure-by-default configurations.

Verification and traceability

Digests

Learn how to use immutable image digests to guarantee consistency and verify the exact Docker Hardened Image you're running.

Code signing

Understand how Docker Hardened Images are cryptographically signed using Cosign to verify authenticity, integrity, and secure provenance.