Docker Hardened Images: One Year of Taking the Tougher Road for Better Security

2026-05-01 18:26:20

Nearly a year after launching Docker Hardened Images (DHI), we've crossed major milestones—500k daily pulls and 25k continuously patched OS artifacts in our SLSA Build Level 3 pipeline. The catalog now includes 2,000+ hardened images, MCP servers, Helm charts, and ELS images. But the real story isn't the metrics—it's the deliberate choices we made. Every product and engineering decision prioritized developer experience and ecosystem security over ease of building. Here's what we learned and why we took the harder path.

Why did you intentionally choose the harder development path?

We chose the harder path because we believe that secure software shouldn't be a luxury. Building hardened images from source for multiple distributions, making them free and open source, and shipping detailed signed attestations—all of this is more complex than the industry norm. Yet it's the only way to give teams real control and verifiability. The easier route—like gating features behind paywalls or creating a proprietary OS—would have limited adoption and trust. By taking the harder path, we ensure that every developer can raise their security baseline without migrating into vendor lock-in. Our experience with Docker Official Images over the past decade proved that openness scales; DHI extends that philosophy.

Docker Hardened Images: One Year of Taking the Tougher Road for Better Security
Source: www.docker.com

What scale has Docker Hardened Images achieved in one year?

We recently passed 500k daily pulls of DHI artifacts and have over 25k continuously patched OS-level artifacts in our SLSA Build Level 3 pipeline. Since launching the free DHI Community tier, our catalog has grown to more than 2,000 hardened images, MCP servers, Helm charts, and extended life support (ELS) images. We continuously patch every artifact across CVEs, distributions, and versions, regularly running over a million builds. This scale is just the beginning—catalog coverage will soon expand with more Debian packages, additional ELS images, and new artifact types. But numbers alone don't capture the impact; the real achievement is making enterprise-grade security accessible to everyone.

Why did you make Docker Hardened Images free and open source?

We made DHI free and open source because security should never be a premium feature. The industry norm was to gate hardened images behind paywalls, limiting their reach. We wanted to make a real dent in the internet's security posture, so we released the Docker Hardened Images Community tier under a permissive Apache 2.0 license. This decision raised the baseline for security across the ecosystem—any team, from startups to enterprises, can now adopt hardened images without financial barriers. It's the same principle we've applied for over a decade with Docker Official Images: building freely for the community yields widespread, lasting impact. Openness ensures that security improvements benefit everyone, not just those who can pay.

Why does DHI support multiple Linux distributions instead of a proprietary OS?

Some vendors in this space created entirely new Linux distributions branded as "distroless"—which is essentially a proprietary OS that your teams have never run, tested, or audited. We chose a different approach: support established distributions like Debian and Alpine. This makes adoption drop-in, requiring no migration tax. Your teams already know these distros, their package managers, and security patches. By building hardened images for the distributions you already run, we eliminate the need to reinvent the wheel. You get immediate security improvements without retraining or restructuring your workflows. Multi-distro support also means you're not locked into a vendor's ecosystem—you retain control over your infrastructure.

Why do you build every system package from source?

Building every system package from source ensures transparency and control. Off-the-shelf binary packages often have unknown dependencies or hidden vulnerabilities. By compiling from source, we can apply our own security patches, verify the integrity of every component, and produce consistent builds across distributions. This process is more resource-intensive but yields artifacts that are independently verifiable. We also generate and ship a comprehensive set of signed attestations—including SBOMs, provenance, and vulnerability reports—because that's what true verifiability requires. Developers can inspect exactly what's inside each image and trust that no unauthorized changes have been made. This level of detail is rare in the industry, but we believe it's essential for modern supply chain security.


What kind of signed attestations do you include with every image?

Every Docker Hardened Image ships with a rich set of signed attestations: Software Bill of Materials (SBOMs), provenance statements, vulnerability scan results, and build metadata. These attestations are generated during our SLSA Build Level 3 pipeline and cryptographically signed to prevent tampering. Developers can independently verify that the image they're pulling matches the exact build that passed our security checks. We include details on every OS-level package, its version, and the patch status for known CVEs. This goes beyond typical industry practice, where SBOMs are often incomplete or unsigned. Our goal is to give teams full visibility into their software supply chain, so they can make informed decisions and meet compliance requirements. The attestations are also available through our API for easy integration into automated workflows.
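The two preceding answers describe what a consumer should check in the shipped attestations: that the SLSA provenance names the exact image digest being pulled and a trusted builder, and which packages still carry unfixed CVEs. The following is an added example written for this article, not Docker's own code or API; it assumes the attestation's DSSE envelope signature has already been verified by a separate signature tool and that the decoded payload is an in-toto Statement v1 carrying SLSA Provenance v1. The provenance statement, builder ID and vulnerability report below are constructed sample data.

```python
"""Policy checks over a decoded SLSA provenance statement and a vulnerability report.

Assumption: the signature over the DSSE envelope was verified beforehand; this code
only evaluates policy on the decoded payload. All sample values are constructed.
"""
from typing import Dict, List, Set

SLSA_PROV_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO_V1 = "https://in-toto.io/Statement/v1"

# Constructed sample: decoded provenance for one image (placeholder names/digest).
SAMPLE_PROVENANCE: Dict = {
    "_type": IN_TOTO_V1,
    "subject": [{"name": "registry.example.invalid/hardened/python",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": SLSA_PROV_V1,
    "predicate": {
        "runDetails": {"builder": {"id": "https://builder.example.invalid/slsa-l3"}},
        "buildDefinition": {"buildType": "https://build.example.invalid/v1"},
    },
}

# Constructed sample vulnerability report: package -> findings with patch status.
SAMPLE_VULNS: Dict[str, List[Dict]] = {
    "openssl": [{"id": "CVE-0000-0001", "fixed": True}],
    "zlib": [{"id": "CVE-0000-0002", "fixed": False}],
}


def check_provenance(stmt: Dict, image_digest: str, trusted_builders: Set[str]) -> List[str]:
    """Return policy failures for a decoded statement; an empty list means it passes."""
    problems: List[str] = []
    if stmt.get("_type") != IN_TOTO_V1:
        problems.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != SLSA_PROV_V1:
        problems.append("predicate is not SLSA provenance v1")
    # The subject digest must equal the digest of the image actually pulled.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in digests:
        problems.append("subject digest does not match pulled image")
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder id: {builder!r}")
    return problems


def unfixed_cves(report: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Map each package to the CVE ids the report still lists as unfixed."""
    return {pkg: [v["id"] for v in vulns if not v["fixed"]]
            for pkg, vulns in report.items()
            if any(not v["fixed"] for v in vulns)}
```

Gating a deployment on an empty result from both functions turns the shipped attestations into an enforceable admission check rather than documentation.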

How does DHI compare to other hardened image providers?

We examined the industry closely and found significant gaps in patching timelines, SBOM completeness, and advisory coverage. Many providers take weeks to patch critical CVEs; we continuously patch every artifact across the catalog, often within hours. Their SBOMs are frequently incomplete or lack signing; ours are comprehensive and signed. Advisory coverage is often scattershot; we provide detailed vulnerability reports for every image. Some competitors lock advanced features behind paywalls or force you onto their proprietary OS. DHI is free, open source, and multi-distro. We don't believe in gating security. By taking the harder path—building from source, shipping full attestations, and maintaining a massive build pipeline—we deliver a level of trust and transparency that others don't. The result is a hardened image solution that any team can adopt without compromise.
