The new standard for building securely
Multi-distro compatibility
Near-zero CVEs
Transparent SBOMs
Provenance you can trust
What makes DHI different
Drop-in Adoption
Swap the base image and get instant security gains.
Apache 2.0 on Open Distros
You can migrate to and from with freedom and without surprises. Pay when you need stronger SLAs, compliance, or to leverage our build service.
Easiest path to secure supply chain
Drop-in replacements that require minimal changes. Our event-driven build system keeps images continuously updated, and secure customization allows you to tailor hardened images without breaking provenance.
Built with Docker-Maintained Packages
Every DHI image is built with system packages that Docker builds, patches, and maintains directly from upstream source.
Full Transparency
Signed SBOMs and SLSA Level 3 provenance, with complete CVE data.
Built for Developers, hardened for security
When upstream stops, your protection continues. Up to 5 extra years of hardened patching, SBOMs and provenance.
Security that outlasts upstream
CVE patching continues after upstream EOL
SBOMs and provenance maintained throughout
Covers the images you rely on most: Node, Python, PostgreSQL, and more
Up and running in seconds
“For the first time, I don’t have to worry about what’s hiding in our base images. That mental overhead is gone, and we can finally focus on the security challenges that are unique to Attentive.”
Jacob Rickerd
Principal Security Engineer at Attentive
A complete security model
forward for organizations operating at scale.
Free for every developer
What’s included:
Hardened, minimal images
Near-zero CVEs
Verifiable SBOMs & SLSA Build L3 provenance
Full, unsuppressed CVE visibility
Drop-in adoption, no workflow changes
Full catalog of open source images under Apache 2.0
Built with Docker Hardened System Packages
Upstream cadence for Docker-released patches
Starting at $5k/repo
Everything in community, plus:
FIPS/STIG variants
Critical CVE fixes < 7 days with SLA-backed continuous patching
Up to 5 customizations
Contact us for pricing
Everything in select, plus:
Unlimited customizations, including system packages
Access to Hardened System Packages repo
Full catalog access available
ELS add-on available
Extended Lifecycle Support
Add-on
Security and compliance for end-of-life software. Requires DHI Enterprise.
+5 years of hardened updates
Maintains security updates after upstream EOL
SBOMs & provenance
Protects long-lived workloads
Trusted by the ecosystem
DHI vs. the Alternatives
| | Docker Hardened Images | Others |
|---|---|---|
| Distro | Alpine/Debian | Proprietary |
| License | Apache 2.0 | Mixed |
| Access | Free, full catalog | Trials / paywalled |
| Adoption | Drop-in migration | Requires workflow changes |
| Security | Minimal, near-zero CVEs, SLSA Build L3 | Inconsistent |
| Transparency | SBOMs & Provenance | Partial visibility (suppressed CVEs, proprietary scoring) |
| Lifecycle | ELS provides up to 5 years | Typically ends up to 6 months |
Docker Hardened Images are now available to every developer
Hear how containers shaped the trust model we rely on today at Docker, and what AI-driven systems mean for the next chapter of software supply chain security.
Watch on demand now
Hardened Images for everyone
Docker Hardened Images are now free and open source under Apache 2.0.
Read
Containers are the new supply chain attack vector
Docker engineers break down the five pillars of supply chain security and why minimal, non-root images are a safer default.
Watch
See Docker Hardened Images Enterprise in Action
Request a demo
FAQ
What are Docker Hardened Images?
Docker Hardened Images are near-zero CVE, secure-by-default, minimal container images designed to serve as a trusted, verifiable upstream for modern software supply chains. Each image is continuously rebuilt from source, reducing attack surface while patching known CVEs as fixes become available rather than on a manual schedule.
The catalog includes thousands of production-ready images spanning runtimes, frameworks, databases, and infrastructure components, with a free open-source tier and commercial tiers available.
Are Docker Hardened Images free?
Yes. The full Docker Hardened Images catalog is free and open source under the Apache 2.0 license. Any developer can pull and use hardened images from Docker Hub at no cost, with no usage restrictions or paywalled catalog access. Because the images are open source and built on standard Alpine and Debian foundations, teams retain full portability with no vendor lock-in.
Commercial tiers (DHI Select and DHI Enterprise) are available for organizations that need assurances such as SLA-backed remediation, compliance-ready image variants, and image customization.
What is the difference between DHI Community, DHI Select, DHI Enterprise, and DHI ELS?
Docker Hardened Images are available in three tiers, each building on the one before it.
- DHI Community is free and open under the Apache 2.0 license. It includes the full hardened image catalog with near-zero CVEs, complete SBOMs, SLSA Build Level 3 provenance, OpenVEX exploitability data, and cryptographic signatures.
- DHI Select adds SLA-backed CVE remediation (critical fixes within 7 days), FIPS-validated and STIG-aligned image variants for compliance requirements, and limited image customization.
- DHI Enterprise expands on Select with unlimited customization capabilities, access to the Docker Hardened System Packages repository for building custom images with the same provenance and patching discipline, and eligibility for Extended Lifecycle Support.
- DHI ELS (Extended Lifecycle Support) add-on provides five additional years of security coverage beyond upstream end-of-life, with continued CVE patches, SBOM updates, and provenance attestations.
What distributions do Docker Hardened Images support?
Docker Hardened Images support both Alpine and Debian, so teams can choose the distribution that matches their existing environment without switching package ecosystems or retraining on unfamiliar tooling.
This matters a lot, because your choice of Linux distribution affects everything downstream: library compatibility, shell scripting, debugging tools, and package management. Docker Hardened Images preserve those foundations rather than replacing them.
How do Docker Hardened Images compare to other hardened image providers?
Docker Hardened Images take a fundamentally different approach by hardening the distributions developers already use rather than requiring migration to a proprietary or unfamiliar operating system. Teams can adopt them as a drop-in replacement with minimal workflow changes, while other providers may necessitate retooling of CI/CD pipelines, debugging workflows, and dependency management.
The Docker Hardened Images catalog is also free and open under Apache 2.0 with no paywalled image versions or usage restrictions. Where other providers may significantly limit the number of images available under free access, or require paid subscriptions for production use, the entire hardened catalog is available to everyone – including for production uses.
Couldn’t I just build my hardened images in-house?
You could, but Docker Hardened Images replace the operational burden of maintaining internal hardening pipelines with a continuously maintained, verifiable supply of production-ready images. Teams that build their own hardened images typically invest significant engineering time in patching, rebuilding, testing, and maintaining SBOMs and provenance for every image in their portfolio.
With Docker Hardened Images, that work is handled by our automated build system, which rebuilds from source whenever upstream fixes become available. Organizations get near-zero CVE images with over 17 complete supply chain attestations that serve the needs of auditors and security teams, without needing to staff and maintain a dedicated image hardening function.
For teams that need to go beyond the standard catalog, the Enterprise tier provides access to the Docker Hardened System Packages repository for building custom images that retain the same provenance and patching discipline.
Do Docker Hardened Images work with Alpine and Debian?
Yes. Docker Hardened Images are built on Alpine and Debian foundations, so they are fully compatible with the tools, libraries, and package managers your team already uses. Teams that rely on glibc (Debian) or musl (Alpine) can adopt hardened images without breaking existing dependencies, shell scripts, or CI/CD pipelines.
Other hardened image providers often use custom or proprietary distributions that can introduce compatibility issues with standard Linux utilities and tooling, and adopting them requires migration planning. Because Docker Hardened Images preserve the underlying distribution, adoption typically requires changing just one line in a Dockerfile.
How transparent are Docker Hardened Images about CVE data?
Docker Hardened Images provide complete, unsuppressed CVE data for every image alongside OpenVEX exploitability assessments. Every vulnerability is fully disclosed. The VEX data adds context about whether a CVE is actually exploitable in that specific image configuration, giving security teams the information they need to prioritize based on real-world risk rather than raw scanner counts.
Some providers curate CVE visibility through proprietary CVE feeds, or filter the vulnerabilities they surface, which can mask risk. Docker Hardened Images take the opposite approach: full visibility into every known issue, with exploitability context layered on top so teams can make informed decisions.
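The practical consequence of "full visibility plus exploitability context" is that a consumer should never drop scanner findings silently: every CVE stays on the list, and the OpenVEX statement only changes whether it needs action. The following is an added example (not Docker's code or tooling) of that triage step. It follows the shape of the public OpenVEX v0.2.0 document format, but the VEX document, the scanner findings, the CVE identifiers and the `pkg:oci/...` product ids are all constructed placeholders. It also handles two edge cases a consumer should care about: a statement that names a different product must not apply to this image, and a `not_affected` claim with no justification is not trusted to suppress a finding.

```python
"""Apply OpenVEX statements to raw scanner findings without hiding any CVE.

Added example, not Docker's code. The VEX document, the scanner output,
the CVE ids and the product identifiers below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Constructed OpenVEX document in the shape of the public v0.2.0 spec.
VEX_DOC = json.dumps({
    "@context": OPENVEX_CONTEXT,
    "@id": "https://example.invalid/vex/sample-1",      # placeholder id
    "author": "example-image-maintainer",              # placeholder author
    "timestamp": "2025-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # present in the image, but the vulnerable code path is never reached
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:oci/example-app@sha256%3Aabc123"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # already patched in this build
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:oci/example-app@sha256%3Aabc123"}],
            "status": "fixed",
        },
        {   # a statement about a different image; must not apply to ours
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:oci/other-image@sha256%3Adef456"}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
        {   # not_affected without the justification the spec requires
            "vulnerability": {"name": "CVE-0000-0005"},
            "products": [{"@id": "pkg:oci/example-app@sha256%3Aabc123"}],
            "status": "not_affected",
        },
    ],
})

# Constructed scanner output for the image: (CVE id, severity).
SCANNER_FINDINGS = [
    ("CVE-0000-0001", "HIGH"),
    ("CVE-0000-0002", "CRITICAL"),
    ("CVE-0000-0003", "MEDIUM"),
    ("CVE-0000-0004", "LOW"),
    ("CVE-0000-0005", "HIGH"),
]

IMAGE_ID = "pkg:oci/example-app@sha256%3Aabc123"   # constructed product id

# OpenVEX statuses under which a finding needs no further action.
RESOLVED = {"not_affected", "fixed"}


@dataclass
class Triaged:
    cve: str
    severity: str
    status: str                    # OpenVEX status, or "no_statement"
    justification: Optional[str]
    actionable: bool


def index_vex(vex_json: str, product_id: str) -> dict[str, dict]:
    """Map CVE id -> the applicable OpenVEX statement for one product.

    Statements that do not name this product are ignored. When several
    statements cover the same CVE, the one with the latest timestamp wins
    (a statement without its own timestamp inherits the document's).
    """
    doc = json.loads(vex_json)
    if doc.get("@context") != OPENVEX_CONTEXT:
        raise ValueError("unexpected OpenVEX context: %r" % doc.get("@context"))
    doc_ts = doc.get("timestamp", "")
    by_cve: dict[str, dict] = {}
    for st in doc.get("statements", []):
        if product_id not in {p.get("@id") for p in st.get("products", [])}:
            continue
        cve = st["vulnerability"]["name"]
        ts = st.get("timestamp") or doc_ts
        prev = by_cve.get(cve)
        if prev is None or ts >= (prev.get("timestamp") or doc_ts):
            by_cve[cve] = st
    return by_cve


def triage(findings, vex_json: str, product_id: str) -> list[Triaged]:
    """Annotate every scanner finding with VEX context; nothing is dropped."""
    statements = index_vex(vex_json, product_id)
    out: list[Triaged] = []
    for cve, severity in findings:
        st = statements.get(cve)
        if st is None:
            out.append(Triaged(cve, severity, "no_statement", None, True))
            continue
        status = st.get("status", "under_investigation")
        justification = st.get("justification") or st.get("impact_statement")
        # A not_affected claim must carry a justification to be trusted.
        trusted = status != "not_affected" or justification is not None
        out.append(Triaged(cve, severity, status, justification,
                           actionable=not (status in RESOLVED and trusted)))
    return out


def actionable_cves(findings, vex_json: str, product_id: str) -> list[str]:
    """CVE ids that still need a human decision after applying VEX."""
    return [t.cve for t in triage(findings, vex_json, product_id) if t.actionable]


if __name__ == "__main__":
    for t in triage(SCANNER_FINDINGS, VEX_DOC, IMAGE_ID):
        flag = "ACT" if t.actionable else "ok "
        print(f"{flag} {t.cve} {t.severity:<8} {t.status} {t.justification or ''}")
```

Run on the constructed data, the two justified resolutions (CVE-0000-0001, CVE-0000-0002) are marked as needing no action, while the statement about a different product, the CVE with no statement at all, and the unjustified `not_affected` claim all remain actionable. The design point is that VEX never removes a row from the report; it only records why a row can be deprioritized, which is the difference between transparency and suppression.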
What compliance standards do Docker Hardened Images support?
Docker Hardened Images Select and Enterprise tiers include FIPS-validated and STIG-aligned image variants for teams that need to meet federal and industry compliance requirements, including FedRAMP, NIST, and CIS benchmarks.
Every image across all tiers, including the free Community tier, ships with a complete SBOM, SLSA Build Level 3 provenance attestations, a cryptographic signature, and OpenVEX exploitability data. Together, these give auditors and security teams a verifiable record of what each image contains, how it was built, and the ability to cryptographically verify components within the image.
How do Docker Hardened Images handle CVE patching?
Docker Hardened Images use a continuous, event-driven build system that automatically rebuilds images whenever upstream fixes become available. The system scans tens of thousands of CVE notifications across the ecosystem to maintain a near-zero known CVE baseline across the catalog without requiring teams to manage patching themselves.
For organizations on Select or Enterprise tiers, critical CVE fixes are delivered within 7 days under an SLA.
What is Extended Lifecycle Support?
Extended Lifecycle Support (ELS) is an add-on for the Docker Hardened Images Enterprise tier that extends security coverage up to five years beyond a software version’s upstream end-of-life. When upstream patches stop, ELS ensures vulnerabilities are still addressed with hardened updates, maintained SBOMs, and continued provenance.
ELS is designed for organizations that are unable to upgrade on upstream timelines due to regulatory requirements, testing constraints, or operational complexity. It provides a supported path to maintain security and compliance without forcing disruptive version migrations.
Can I customize Docker Hardened Images?
Yes. The Select tier includes limited image customization, and the Enterprise tier provides unlimited customization capabilities along with direct access to the Docker Hardened System Packages repository. This means teams can build custom images using the same hardened packages, provenance, and patching discipline that power the standard catalog.
When a base layer is patched, we automatically rebuild custom images built through the Enterprise customization workflow. This removes the need for self-built CI scripts to keep custom images current, and ensures that custom builds retain the same verifiable supply chain integrity as the rest of the catalog.
Customizations with Docker Hardened Images keep SLSA Level 3 provenance, security attestations, and the Docker SLA intact. The SLA persists automatically through every patch.
How do I migrate to Docker Hardened Images?
Migrating to Docker Hardened Images is designed to be as simple as changing one line in your Dockerfile. Existing libraries, scripts, and CI/CD pipelines typically work without modification because the images preserve the base distribution your team already uses.