Docker Hardened Images now free, devs give cautious welcome

Docker has made its catalog of hardened images – designed to run common runtimes on a secure and minimalist base – free for general use, though with paid-for options for compliance with certain standards and continuous security patching.

The company said that making Docker Hardened Images (DHI) freely available would help counter supply chain attacks, since every image includes a complete SBOM (software bill of materials) and is assessed using CVE (common vulnerabilities and exposures) data. The images have an Apache 2.0 license and Docker promises “no licensing surprises.”

An enterprise license is required for additional features: FIPS (Federal Information Processing Standards) and DoD STIG (Department of Defense Security Technical Implementation Guide) compliant variants, available for some but not all hardened images; customization; and 7-day critical CVE remediation.

Hardened images are pulled from Docker Hub, but the catalog of definitions is on GitHub, where users can also request new images. Since the announcement yesterday, a number of new hardened images have already been requested.

DHI were introduced as a commercial offering in May 2025. Images are built on Alpine or Debian Linux, and typically have no shell, no package manager, and run as a non-root user. The minimalist approach means that migration from non-hardened images requires some changes to the workflow. The hardened image for PHP, for example, comes with a minimal set of packages. Since the runtime image has no package manager, further packages are installed in the image's -dev variant, and the resulting artifacts are then copied into the runtime variant, typically as a multi-stage build.

Hardened images do not restrict what you add to them, though the modifications may reduce their security. “That’s where scanners like Docker Scout, Trivy, Grype, and more come in to review the complete image that you have built,” explained a Docker employee on Hacker News.
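As an added example (not Docker's or the DHI project's own Dockerfile), the workflow the two paragraphs above describe: install the extra package in the -dev variant, copy only the files it produced into the shell-less runtime variant, and then rescan the result because anything you add is outside the upstream SBOM and CVE assessment. The repository path, tags, package name and file paths are placeholders and assumptions, not taken from the article; the -dev variant is assumed to be Alpine-based with apk, and every path must be confirmed with `apk info -L` against the real image before use.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not Docker's or the DHI project's own Dockerfile.
# ASSUMPTIONS (not from the article): DHI_REPO and PHP_TAG are placeholders
# for the real repository path and tag; the -dev variant is Alpine-based,
# ships apk and a shell, and runs RUN steps with enough privilege to install
# packages; the runtime variant has neither a shell nor a package manager;
# the package name and file paths are illustrative and must be checked with
# `apk info -L <package>` on the real -dev image.
ARG DHI_REPO=example.invalid/php
ARG PHP_TAG=8.3

# Stage 1: build in the -dev variant, the only place a package manager exists.
FROM ${DHI_REPO}:${PHP_TAG}-dev AS build
RUN apk add --no-cache php83-pdo_pgsql
# Print exactly which files the package installed. The COPY list in the
# runtime stage is derived from this output, not from "copy all of /usr",
# so the runtime image grows by only the files it actually needs.
RUN apk info -L php83-pdo_pgsql

# Stage 2: the runtime variant. It has no /bin/sh, so a RUN here would fail;
# everything must arrive via COPY. It already runs as a non-root user, so no
# USER instruction is added.
FROM ${DHI_REPO}:${PHP_TAG} AS runtime
# The extension module, its ini snippet, and the shared library it links
# against (paths assumed; take them from the apk info -L output above).
COPY --from=build /usr/lib/php83/modules/pdo_pgsql.so /usr/lib/php83/modules/
COPY --from=build /etc/php83/conf.d/ /etc/php83/conf.d/
COPY --from=build /usr/lib/libpq.so.5* /usr/lib/
# Application code from the build context; root-owned read-only files are
# fine for the non-root runtime user.
COPY ./src /app
WORKDIR /app
CMD ["php", "/app/public/index.php"]
```

Build with `docker build --build-arg DHI_REPO=<real repository> -t myapp:hardened .`, then confirm the extension actually loads without a shell by running the PHP binary directly: `docker run --rm --entrypoint php myapp:hardened -m`. A shared library that was not copied shows up as a startup warning in that output rather than failing silently at first query. Finally rescan the finished image, for example with `docker scout cves myapp:hardened`, `trivy image myapp:hardened` or `grype myapp:hardened`, since the upstream SBOM and CVE assessment cover only the files Docker shipped, not the ones this build added.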

Another issue is debugging. Since there is no shell, developers may need a tool such as Docker Debug, which attaches a shell and tools such as editors and process viewers to a running container without modifying the hardened image. Docker Debug requires Docker Desktop, which requires a paid subscription in most business cases.

The benefit though is substantial, with the hardened images being both smaller and more secure than the general-purpose equivalents. Docker claims up to a 95 percent reduction in attack surface.

Initial reaction is positive, though some are wary of the future, based on Docker’s history of reducing its free offerings and pushing subscriptions. “It’s free for now, just like registries were ‘free’ and docker desktop was free… until they weren’t,” said one.

Earlier this year, Bitnami (part of VMware) withdrew the free public catalog of images it had maintained since before Broadcom’s acquisition of VMware, suggesting that users shift to a subscription to Bitnami Secure Images at $50,000 or more annually. Bitnami said in its defense that “Bitnami has been the Jenkins of the internet for many years, but this has become unsustainable. Operating a build pipeline and OCI registry for the general public is very expensive.”

A comment from Docker said that DHI are sustainable because “we do offer an enterprise tier for companies that need things like contractual continuous patching SLAs, regulated-industry variants (FIPS, etc.), and secure customizations with full provenance and attestations. Those things carry very real ongoing costs, so keeping them in Enterprise allows us to make the entire hardened catalog free for the community.”

It may be hard, though, to use DHI in a business without some level of Docker subscription: pulling the images requires a Docker login, and tools such as Docker Debug require Docker Desktop.