Hey everyone! I'm absolutely thrilled to share some groundbreaking news that dropped today from Docker, and honestly, I can barely contain my excitement. As someone who's been working with containers for years and actively contributing to the Docker community as a Docker Captain, I can tell you this is one of those rare moments that will genuinely change how we all build and deploy applications.
![Docker DHI]()
Docker just announced that Docker Hardened Images (DHI) are now completely free and open source under the Apache 2.0 license. Yes, you read that right – FREE for all 26 million+ developers in the container ecosystem!
Why This Matters (And Why I'm So Excited)
Let me take you back a bit. When Docker first introduced Hardened Images back in May 2025, it was a premium offering targeted at enterprises. Companies like Adobe, Qualcomm, and startups like Attentive were using these images to achieve stringent compliance requirements and accelerate their security posture. I remember thinking, "This is fantastic, but imagine if every developer could start with this level of security from day one."
Well, that day is today!
Think about it this way: every single time you type `docker pull` and grab a base image, you're making a decision that affects your entire application's security foundation. It's like building a house – you wouldn't start with a weak foundation, right? But until now, getting a truly hardened, production-ready, minimal base image required either significant effort on your part or paying for enterprise solutions.
The Problem Docker Is Solving
Before we dive deeper into what DHI offers, let's talk about why this matters so much. Supply chain attacks have become one of the biggest nightmares in our industry. The numbers are staggering – in 2025 alone, these attacks caused more than $60 billion in damage. That's triple what it was just four years ago!
Every layer of your application stack is a potential target. Your language runtime, your dependencies, your base operating system – everything. When you pull a base image and start building on top of it, you're essentially trusting that foundation completely. But how many of us actually audit our base images? How many check for vulnerabilities before deploying to production?
I'll be honest with you – even as someone deeply involved in the Docker ecosystem, keeping base images secure and up-to-date has always been challenging. You're constantly juggling updates, scanning for CVEs, trying to minimize your attack surface, and hoping you haven't missed something critical.
What Makes Docker Hardened Images Special
Now, let's get into what DHI actually brings to the table, and why it's different from just pulling any random image from Docker Hub.
![Screenshot 2025-12-17 at 8.53.14 PM]()
Built on Familiar Foundations
First off, DHI is built on top of Alpine and Debian – distributions you already know and trust. This is huge because it means you're not learning a completely new ecosystem. If you're currently using Alpine or Debian-based images, migrating to DHI is incredibly straightforward. Docker hasn't tried to reinvent the wheel here; they've taken what works and hardened it properly.
Dramatically Smaller Attack Surface
One of the things that immediately caught my attention is how much smaller these images are. We're talking up to 95% reduction in size compared to traditional base images. How? DHI uses a distroless runtime approach, which means it only includes what your application absolutely needs to run. No extra utilities, no shells you'll never use in production, no unnecessary packages that could become security liabilities.
Smaller images mean:
Complete Transparency
Here's something I really appreciate: Docker isn't playing games with CVE reporting. Some vendors will actually suppress vulnerabilities or use proprietary scoring systems to make their security posture look better than it is. Docker takes the opposite approach.
Every DHI image comes with:
- A complete and verifiable Software Bill of Materials (SBOM)
- SLSA Build Level 3 provenance (that's the gold standard for supply chain security)
- Transparent public CVE data – they won't hide vulnerabilities, even when they're still working on fixes
- Proof of authenticity for every image
This transparency is critical. You should always know exactly what's in your images and what your security posture is. No surprises, no hidden issues.
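To make "verifiable provenance" concrete, here is an added example (not Docker's tooling and not from the original post) that inspects a SLSA provenance statement for an image you pulled. It assumes the signature on the attestation envelope has already been verified by your tooling, and every URI, digest and builder ID in it is a constructed placeholder.

```python
"""Inspect a SLSA provenance statement for a pulled image.

Added example, not Docker's own verification tooling. The DSSE envelope
signature is assumed to have been verified already; this checks only the
decoded payload. All URIs, digests and the builder ID are constructed
placeholders (example.invalid).
"""
import json

# Constructed in-toto Statement v1 carrying a SLSA provenance v1 predicate.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example.invalid/hardened/python",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build/v1",
            "resolvedDependencies": [{"uri": "git+https://example.invalid/src",
                                      "digest": {"gitCommit": "b" * 40}}]},
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
})


def check_provenance(statement_json, image_digest, trusted_builders):
    """Return a list of problems; an empty list means the statement is acceptable.

    image_digest is the hex sha256 of the image you actually pulled, without
    the 'sha256:' prefix (compare with `docker image inspect`).
    """
    st = json.loads(statement_json)
    problems = []
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")
    # Bind the statement to the exact digest, not just a mutable tag.
    subjects = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if image_digest not in subjects:
        problems.append("image digest not among statement subjects")
    pred = st.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder!r}")
    # Provenance should record the source it was built from, pinned by digest.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("digest") for d in deps):
        problems.append("no source dependency pinned by digest")
    return problems
```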
Near-Zero CVEs
In the free version, you're getting dramatically reduced CVEs right out of the box. For the enterprise version, Docker guarantees near-zero critical vulnerabilities with patches applied within 7 days. That's incredibly fast, and they're working on bringing that down to one day or less.
Three Flavors to Choose From
Docker has structured DHI into three offerings, each designed for different needs:
![security model]()
1. Docker Hardened Images (Free)
This is what's available to everyone starting today. You get:
- Minimal, hardened base images
- Full transparency with SBOMs and provenance
- Built on Alpine and Debian
- Apache 2.0 license – truly open source
- Easy migration from your existing images
Perfect for developers, small teams, startups, and anyone who wants to start with a secure foundation without paying a dime.
2. DHI Enterprise
For organizations with stricter requirements, DHI Enterprise adds:
- 7-day SLA for critical CVE remediation
- FIPS-enabled and STIG-ready images
- CIS benchmark compliance
- Unlimited customization (add your own certificates, tools, system packages)
- Access to Docker's secure build infrastructure
This is what companies like Adobe and Qualcomm are using to meet their enterprise and regulatory requirements.
3. DHI Extended Lifecycle Support (ELS)
Here's a pain point I know many of you face: what happens when upstream support ends for a runtime or base OS version? You're stuck running a potentially vulnerable image or undertaking a massive migration effort.
ELS solves this by providing up to five additional years of security coverage even after upstream support ends. You continue getting CVE patches, updated SBOMs, and maintained compliance – all while your applications keep running without forced migrations.
Beyond Images: Hardened Helm Charts and MCP Servers
What really excites me is that Docker isn't stopping at container images. They've already released Hardened Helm Charts that leverage DHI images in Kubernetes environments, and these are open source too!
But here's where it gets really interesting for those of us working with AI applications: Docker is now introducing Hardened MCP Servers. If you're building agentic applications, MCP (Model Context Protocol) is becoming the backbone of how these systems communicate. Docker is bringing their security principles to this layer as well.
You can now run hardened versions of popular MCP servers like:
- MongoDB
- Grafana
- GitHub
- And more coming soon
This is just the beginning. Docker's roadmap includes extending this hardened foundation across the entire software stack – hardened libraries, hardened system packages, and other secure components. Their goal is simple but ambitious: secure your application from `main()` all the way down through every layer of the stack.
How Docker's AI Assistant Makes Migration Easy
One concern you might have is: "This sounds great, but migrating my existing containers seems like a lot of work." Docker has thought about this too.
Their AI assistant (currently experimental but rapidly improving) can scan your existing containers and recommend equivalent hardened images. Even better, it can help apply those recommendations automatically. As someone who's dealt with the pain of container migrations before, having AI assistance to identify compatible hardened alternatives is a game-changer.
The feature is brand new, so it's marked as experimental, but knowing Docker's track record, I expect this to become incredibly powerful very quickly as they learn from real-world migrations.
The Ecosystem Is Already On Board
What gives me even more confidence in this announcement is seeing the ecosystem support. Major players are already integrating with DHI:
Google Cloud is ready to run these secure workloads from day one. Ryan Salva from Google said it perfectly: "Security shouldn't be a premium feature."
MongoDB is delivering hardened images built on these proven Linux foundations, making it easier for teams to build with confidence.
Anaconda is partnering to deliver secure, enterprise-grade AI workloads, bringing their experience with Fortune 500 companies to the DHI ecosystem.
Security platforms like Snyk and JFrog Xray are integrating DHI directly into their scanners.
The CNCF is also backing this initiative, with many CNCF projects already available in the DHI catalog. This kind of industry-wide support doesn't happen unless something is truly valuable.
My Perspective as a Docker Captain
I've been creating educational content about Docker and containerization for years now, and one of the challenges I always face is balancing best practices with accessibility. Security best practices can be complex and time-consuming to implement, which often leads to developers skipping them, especially in the early stages of projects or in learning environments.
What Docker has done here is make security the default, the easy path. You don't need to be a security expert to use DHI. You don't need to spend hours researching best practices for minimal base images. You just pull a hardened image and start building.
This democratization of security is exactly what our industry needs. When I teach Docker workshops or create tutorials, I can now confidently tell beginners: "Start with a Docker Hardened Image. It's free, it's secure, and it's the right way to begin."
How to Get Started Today
Ready to try DHI? Here's how you can jump in:
1. Visit Docker Hub and look for images marked as "Hardened Image"
2. Replace your current base image – if you're using Alpine or Debian, this is often as simple as updating your `FROM` statement
3. Join Docker's launch webinar to see hands-on demonstrations and learn what's new
4. Explore the documentation to understand how to integrate DHI into your workflows
5. Consider joining Docker's partner program if you want to help raise the security bar for everyone
The images are available right now, and since they're Apache 2.0 licensed, you can use them, modify them, and build on them however you need.
What This Means for the Future
This announcement represents a fundamental shift in how we think about container security. Docker isn't just providing a product here – they're establishing a new industry standard. By making these hardened images free and open source, they're saying that baseline security should be accessible to everyone, not just enterprises with big budgets.
I genuinely believe this will change behavior across the industry. When security is free, transparent, and easier than the alternatives, adoption becomes natural. We'll see more developers starting projects with hardened images. We'll see more open source projects migrating to this foundation. We'll see security scanners showing better results because the foundation itself is stronger.
My Call to Action
If you're a developer, start using DHI in your next project. If you maintain an open source project, consider migrating to hardened base images. If you work in a company, share this with your DevOps and security teams.
We have an opportunity here to collectively raise the security baseline for the entire container ecosystem. Docker, with its 20 billion monthly pulls on Docker Hub, has the reach to make this the new normal. But it only works if we, as developers, embrace it.
I'm excited to create more content around DHI in the coming weeks – tutorials on migration, deep dives into specific hardened images, and practical guides for different use cases. This is the kind of initiative that makes me proud to be part of the Docker community.
Final Thoughts
Security has always been one of those things we know we should care about but often sacrifice in the interest of speed or convenience. Docker has just removed that excuse. There's no longer a tradeoff between security and accessibility, between doing the right thing and doing the easy thing.
Free, open source, hardened container images built on familiar foundations, backed by transparent security practices, and supported by industry leaders – this is how we move forward as an ecosystem.
So here's my challenge to you: the next time you type `docker pull`, make it a hardened image. Start building your applications on this stronger foundation. And if you want to learn more or need help getting started, the Docker community (including folks like me) is here to support you.
Let's build something great – securely, from the very first layer.
Want to stay updated on Docker, containerization, and cloud technologies? Follow me for more insights, tutorials, and hands-on content. And if you have questions about migrating to Docker Hardened Images, drop them in the comments – I'd love to help!
Useful Links: