
Docker Hardened Images features

Docker Hardened Images (DHI) are minimal, secure, and production-ready container base and application images maintained by Docker. Designed to reduce vulnerabilities and simplify compliance, DHI integrates easily into your existing Docker-based workflows with little to no retooling required.

DHI provides security for everyone:

  • DHI Community provides core security features available to everyone with no licensing restrictions under Apache 2.0.
  • DHI Select and DHI Enterprise add SLA-backed security updates, FIPS/STIG compliance variants, and customization capabilities, with DHI Enterprise offering unlimited customization, full catalog access, and optional Extended Lifecycle Support (ELS) for post-EOL coverage.

DHI Community features

DHI's core features are open and free to use, share, and build on with no licensing surprises, backed by an Apache 2.0 license.

Security by default

  • Near-zero CVEs: Continuously scanned and patched to maintain minimal known exploitable vulnerabilities, with no SLA-backed time commitments for DHI Community users
  • Minimal attack surface: Distroless variants reduce attack surface by up to 95% by removing unnecessary components
  • Non-root execution: Run as non-root by default, following the principle of least privilege
  • Transparent vulnerability reporting: Every CVE is visible and assessed using public data—no suppressed feeds or proprietary scoring

Hardened system packages

Docker Hardened Images maintain supply chain integrity throughout the entire image stack with hardened system packages:

  • Source-built packages: For supported distributions, system packages are built from source code by Docker
  • Cryptographic signatures: Every package is cryptographically signed and verified
  • Supply chain security: Eliminates risk from potentially compromised public packages

Hardened system packages are included in supported distributions of DHI images. Community users can also configure their package manager to use Docker's public hardened package repository in their own images for the same packages included in the base images. See Use hardened system packages for details.

Total transparency

Every image includes complete, verifiable security metadata:

  • SLSA Build Level 3 provenance: Verifiable, tamper-resistant builds that meet supply chain security standards
  • Signed SBOMs: Complete Software Bill of Materials for every component
  • VEX statements: Vulnerability Exploitability eXchange documents provide context about known CVEs
  • Cryptographic signatures: All images and metadata are signed for authenticity
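The VEX statements listed above only help if a scanner pipeline actually applies them. The following added example (not Docker's code, and not the DHI tooling) shows the triage logic in Python: it reads a constructed OpenVEX document for a constructed image identifier, matches its statements against constructed scanner findings with placeholder CVE ids, and keeps open every CVE that has no statement, is still under investigation, or carries a `not_affected` claim with no justification.

```python
"""Apply OpenVEX statements from an image's VEX document to scanner findings."""
import json
from typing import Dict, List, Optional, Tuple

PRODUCT = "pkg:oci/example-app@sha256:aaaa"  # constructed image identifier

# Constructed OpenVEX document; CVE ids are placeholders, not real advisories.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-1",
    "author": "example-image-maintainer",
    "timestamp": "2025-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": PRODUCT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-00005"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected"},  # claim without justification: not accepted
    ],
})

# Constructed scanner output, CVE id -> severity, as a scanner would report it.
SCAN_FINDINGS = {"CVE-0000-00001": "HIGH", "CVE-0000-00002": "CRITICAL", "CVE-0000-00003": "MEDIUM",
                 "CVE-0000-00004": "LOW", "CVE-0000-00005": "HIGH"}


def load_vex_statuses(vex_json: str, product_id: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {cve: (status, justification)} for statements naming product_id."""
    statuses = {}
    for stmt in json.loads(vex_json).get("statements", []):
        if any(p.get("@id") == product_id for p in stmt.get("products", [])):
            statuses[stmt["vulnerability"]["name"]] = (stmt["status"], stmt.get("justification"))
    return statuses


def is_suppressed(status: str, justification: Optional[str]) -> bool:
    """Only 'fixed', or 'not_affected' backed by a justification, closes a finding."""
    if status == "not_affected":
        return bool(justification)
    return status == "fixed"


def triage(findings: Dict[str, str], vex_json: str, product_id: str) -> List[str]:
    """CVE ids still needing attention after applying the VEX document, sorted."""
    statuses = load_vex_statuses(vex_json, product_id)
    # A finding with no statement for this product stays open ("unknown" is a sentinel, not a VEX status).
    return sorted(cve for cve in findings
                  if not is_suppressed(*statuses.get(cve, ("unknown", None))))
```

Statements are matched on the exact product id, so a VEX document for one image digest is never applied to a different build.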

Built for developers

  • Familiar foundations: Built on Alpine and Debian, requiring minimal changes to adopt
  • glibc and musl support: Available in both variants for broad application compatibility
  • Development and runtime variants: Use dev images for building, minimal runtime images for production
  • Drop-in compatibility: Works seamlessly with existing Docker workflows, CI/CD pipelines, and tools

Continuous maintenance

  • Automatic patching: Images are rebuilt and updated when upstream security patches become available, with no SLA-backed time commitments for non-DHI Enterprise users
  • Scanner integration: Direct integration with scanners and other security platforms

Kubernetes and Helm chart support

Docker Hardened Image (DHI) charts are Docker-provided Helm charts built from upstream sources, designed for compatibility with Docker Hardened Images. These charts are available as OCI artifacts within the DHI catalog on Docker Hub. DHI charts are robustly tested after building to ensure they work out-of-the-box with Docker Hardened Images. This removes friction in migration and reduces developer workload in implementing the charts, ensuring seamless compatibility.

Like the hardened images, DHI charts incorporate multiple layers of security metadata to ensure transparency and trust:

  • SLSA Level 3 compliance: Each chart is built with Docker's SLSA Build Level 3 system, including a detailed build provenance, and meeting the standards set by the Supply-chain Levels for Software Artifacts (SLSA) framework.
  • Software Bill of Materials (SBOMs): Comprehensive SBOMs are provided, detailing all components referenced within the chart to facilitate vulnerability management and compliance audits.
  • Cryptographic signing: All associated metadata is cryptographically signed by Docker, ensuring integrity and authenticity.
  • Hardened configuration: Charts automatically reference Docker hardened images, ensuring security in deployments.

DHI Select and Enterprise features

For organizations with strict security requirements, regulatory demands, or operational needs, DHI Select and Enterprise deliver additional capabilities.

DHI Select offers customizations, compliance variants, and SLA-backed updates for teams and organizations with production workloads. DHI Enterprise includes everything in Select with unlimited customizations, plus an optional Extended Lifecycle Support add-on and full catalog access for large enterprises with advanced security needs.

For a detailed comparison, see Docker Hardened Images subscription comparison.

SLA-backed security (DHI Select and DHI Enterprise)

  • CVE remediation SLA: 7-day SLA for critical and high severity vulnerabilities
  • Continuous patching: Regular security updates backed by SLA commitments
  • Enterprise support: Access to Docker's support team for mission-critical applications

Compliance variants (DHI Select and DHI Enterprise)

  • FIPS-enabled images: For regulated industries and government systems
  • STIG-ready images: Meet DoD Security Technical Implementation Guide requirements

Customization and control (DHI Select and DHI Enterprise)

  • Build custom images: Add your own packages, tools, certificates, and configurations
    • DHI Select: Up to 5 customizations
    • DHI Enterprise: Unlimited customizations
  • Hardened packages: Access to additional compliance-specific packages (such as FIPS variants) and Docker-patched packages not available in the public repository
    • DHI Select: Add these packages through the customization UI when customizing hardened images
    • DHI Enterprise: Add these packages through the customization UI, or configure your package manager to use the enterprise package repository in your own images
  • Secure build infrastructure: Customizations built on Docker's trusted infrastructure
  • Full chain of trust: Customized images maintain provenance and cryptographic signing
  • Automatic updates: Custom images are automatically rebuilt when base images are patched

Extended Lifecycle Support (DHI Enterprise add-on)

  • Post-EOL security coverage: Continue receiving patches for years after upstream support ends
  • Continuous compliance: Updated SBOMs, provenance, and signing for audit requirements
  • Production continuity: Keep production running securely without forced migrations
