Docker has made its catalog of hardened images – designed to run common runtimes on a secure and minimalist base – free for general use, though with paid-for options for compliance with certain standards and continuous security patching.
The company said that making Docker Hardened Images (DHI) freely available would help counter supply chain attacks, since every image includes a complete SBOM (software bill of materials) and is assessed using CVE (common vulnerabilities and exposures) data. The images have an Apache 2.0 license and Docker promises “no licensing surprises.”
An enterprise license is required for additional features including compliance with FIPS (Federal Information Processing Standards) and DoD STIG (Department of Defense Security Technical Implementation Guide), available for some but not all hardened images, image customization, and 7-day critical CVE remediation.
Hardened images are pulled from Docker Hub, but the catalog of definitions is on GitHub, where users can also request new images. Since the announcement yesterday, a number of new hardened images have already been requested.
DHI was introduced as a commercial offering in May 2025. Images are built on Alpine or Debian Linux, and typically have no shell, no package manager, and run as a non-root user. The minimalist approach means that migration from non-hardened images requires some changes to the workflow. The hardened image for PHP, for example, comes with a minimal set of packages. Adding further packages can be done by using a -dev version of the image to install the packages, and then copying the resulting artifacts to the runtime variant.
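The -dev/runtime split described above maps onto an ordinary multi-stage Dockerfile. The following is an added example and not a file from Docker's catalog; the image references are placeholders supplied as build arguments, the application layout (composer.json, src/app.php) is assumed, and Composer is copied in from the official composer image rather than assumed to be present in the -dev variant.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from Docker's catalog). Image references are placeholders;
# point the ARGs at the DHI PHP tags mirrored in your own registry.
ARG DHI_PHP_DEV=registry.example.com/dhi/php:8.4-dev
ARG DHI_PHP_RUNTIME=registry.example.com/dhi/php:8.4

# Stage 1: the -dev variant carries a shell and a package manager, so all
# installation work happens here and never touches the final image.
FROM ${DHI_PHP_DEV} AS build
# Composer is not assumed to ship in the -dev image; copy the binary from the
# official composer image (a common multi-stage PHP pattern).
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
WORKDIR /app
# Lock file first so dependency resolution is cached independently of app code.
COPY composer.json composer.lock ./
RUN composer install --no-dev --prefer-dist --no-interaction --no-scripts
COPY src/ ./src/

# Stage 2: the runtime variant has no shell, no package manager and runs as a
# non-root user. Only the built artifacts are copied across.
FROM ${DHI_PHP_RUNTIME}
WORKDIR /app
# Files copied here are owned by root but world-readable; that is sufficient
# because the application only reads them. Anything it must write belongs on a
# volume or tmpfs, not in the image.
COPY --from=build /app/vendor ./vendor
COPY --from=build /app/src ./src
# Exec form is mandatory: the shell form (ENTRYPOINT php src/app.php) would be
# wrapped in /bin/sh -c, and the runtime variant does not ship /bin/sh.
ENTRYPOINT ["php", "src/app.php"]
```

Build with `docker build -t myapp .`. A quick migration check is `docker run --rm --entrypoint /bin/sh myapp`, which should fail because the runtime variant has no shell; if it succeeds, the wrong (-dev) tag is in the final FROM line. The same constraint applies to HEALTHCHECK and CMD instructions: use the exec form, and point them at binaries that exist in the runtime image.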