Introducing Hardened Images | Docker
From the start, Docker has focused on enabling developers to build, share, and run software efficiently and securely. Today, Docker Hub powers software delivery at a global scale, with over 14 million images and more than 11 billion pulls each month. That scale gives us a unique vantage point into how modern software is built and the challenges teams face in securing it.
That’s why we’ve made security a cornerstone of our platform. From trusted Docker Official Images to SBOM support for transparency, the launch of Docker Scout for real-time vulnerability insights, and a hardened Docker Desktop to secure local development, every investment reflects our commitment to making software supply chain security more accessible, actionable, and developer-first.
Now, we’re taking that commitment even further.
We’re excited to introduce Docker Hardened Images (DHI) — secure-by-default container images purpose-built for modern production environments.
These images go far beyond being just slim or minimal. Docker Hardened Images start with a dramatically reduced attack surface, up to 95% smaller, to limit exposure from the outset. Each image is curated and maintained by Docker, kept continuously up to date to ensure near-zero known CVEs. They support widely adopted distros like Alpine and Debian, so teams can integrate them without retooling or compromising compatibility.
Plus, they’re designed to work seamlessly with the tools you already depend on. We’ve partnered with a range of leading security and DevOps platforms, including Microsoft, NGINX, Sonatype, GitLab, Wiz, Grype, Neo4j, JFrog, Sysdig and Cloudsmith, to ensure seamless integration with scanning tools, registries, and CI/CD pipelines.
What we’re hearing from customers
We talk to teams every day, from fast-moving startups to global enterprises, and the same themes keep coming up.
Integrity is a growing concern: “How do we know every component in our software is exactly what it claims to be—and hasn’t been tampered with?” With so many dependencies, it’s getting harder to answer that with confidence.
Then there’s the attack surface problem. Most teams start with general-purpose base images like Ubuntu or Alpine. But over time, these containers get bloated with unnecessary packages and outdated software, creating more ways in for attackers.
And of course, operational overhead is through the roof. Security teams are flooded with CVEs. Developers are stuck in a loop of patching and re-patching, instead of shipping new features. We’re hearing about vulnerability scanners lighting up constantly, platform teams stretched thin by centralized dependencies, and developers resorting to manual upgrades just to stay afloat. These challenges aren’t isolated — they’re systemic. And they’re exactly what we designed Docker Hardened Images to address.
Inside Docker Hardened Images
Docker Hardened Images aren’t just trimmed-down versions of existing containers — they’re built from the ground up with security, efficiency, and real-world usability in mind. They’re designed to meet teams where they are. Here’s how they deliver value across three essential areas:
Seamless Migration
First, they integrate seamlessly into existing workflows. Unlike other minimal or “secure” images that force teams to change base OSes, rewrite Dockerfiles, or abandon tooling, DHI supports the distributions developers already use, including familiar Debian and Alpine variants. In fact, upgrading to a DHI can be simple. Switching to a hardened image is as simple as updating one line in your Dockerfile:
Flexible customization
Second, they strike the right balance between security and flexibility. Security shouldn’t mean sacrificing usability. DHI supports the customizations teams rely on, including certificates, packages, scripts, and configuration files, without compromising the hardened foundation. You get the security posture you need with the flexibility to tailor images to your environment.
Under the hood, Docker Hardened Images follow a distroless philosophy, stripping away unnecessary components like shells, package managers, and debugging tools that commonly introduce risk. While these extras might be helpful during development, they significantly expand the attack surface in production, slow down startup times, and complicate security management.
By including only the essential runtime dependencies needed to run your application, DHI delivers leaner, faster containers that are easier to secure and maintain. This focused, minimal design leads to up to a 95% reduction in attack surface, giving teams a dramatically stronger security posture right out of the box.
Automated Patching & Rapid CVE Response
Finally, patching and updates are continuous and automated. Docker monitors upstream sources, OS packages, and CVEs across all dependencies. When updates are released, DHI images are rebuilt, subjected to extensive testing, and published with fresh attestations—ensuring integrity and compliance within our SLSA Build Level 3–compliant build system. The result: you’re always running the most secure, verified version—no manual intervention required.
Most importantly, when essential components are built directly from source, allowing us to deliver critical patches faster and remediate vulnerabilities promptly. We patch Critical and High-severity CVEs within 7 days — faster than typical industry response times —and back it all with an enterprise-grade SLA for added peace of mind.
Internal Adoption: Validating Docker Hardened Images in Production Environments
We’ve been using DHI internally across several key projects — putting them to the test in real-world, production environments. One standout example is our internal use of a hardened Node image.
By replacing the standard Node base image with a Docker Hardened Image, we saw immediate and measurable results: vulnerabilities dropped to zero, and the package count was reduced by over 98%.
That reduction in packages isn’t just a matter of image size, it directly translates to a smaller attack surface, fewer moving parts to manage, and significantly less overhead for our security and platform teams. This shift gave us a stronger security posture and simplified operational complexity — exactly the kind of outcome we designed DHI to deliver.
Ready to get started?
Docker Hardened Images are designed to help you ship software with confidence by dramatically reducing your attack surface, automating patching, and integrating seamlessly into your existing workflows. Developers stay focused on building. Security teams get the assurance they need.
Looking to reduce your vulnerability count?
We’re here to help. Get in touch with us and let’s harden your software supply chain, together.
