Docker Makes Hardened Images Free for Everyone

For more than a decade, containers have been the universal path to production. Today, Docker is redefining what “secure by default” means for the entire industry. Starting now, Docker is making its full catalog of Docker Hardened Images (DHI) free and fully open source under the Apache 2.0 license. More than 1,000 hardened images—built on the widely adopted Debian and Alpine distributions—are available to everyone, with no subscription, no usage restrictions, and no vendor lock-in.

This marks a major shift away from paywalled security foundations toward an open, transparent baseline that strengthens the global software supply chain.

Why This Matters

Docker Hub handles over 20 billion image pulls every month. When so much of the world’s software depends on shared container foundations, the security of those base layers becomes a collective responsibility.

At the same time, supply-chain attacks are projected to cost businesses $60 billion globally in 2025. Vulnerabilities introduced early in the build process continue to be one of the most expensive and difficult risks to manage.

Security cannot be optional. And it cannot be reserved for only those who can pay.

By making Docker Hardened Images free and open source, Docker is setting a new industry standard—secure containers as the default starting point for every developer, everywhere.


What Are Docker Hardened Images?

Docker Hardened Images dramatically reduce risk compared to traditional community images—cutting vulnerabilities by up to 95%—while remaining fully compatible with existing workflows.

Every Docker Hardened Image includes:

  • A minimal, distroless runtime to reduce attack surface

  • A complete Software Bill of Materials (SBOM)

  • Public, transparent CVE data

  • SLSA Build Level 3 provenance

  • Cryptographic signing and verification

Because DHI is built on Debian and Alpine, not proprietary distributions, teams can adopt hardened images with minimal changes and zero lock-in—on any cloud, any orchestrator, any infrastructure.

Starting today, every developer, startup, government, and enterprise has access to the same secure foundation.


Open Source, Fully Transparent

Docker Hardened Images are now fully open source under the Apache 2.0 license, enabling anyone to:

  • Use hardened images freely

  • Inspect and verify how images are built

  • Fork, extend, and customize images

  • Redistribute without hidden restrictions

This openness ensures trust, auditability, and long-term sustainability—key requirements for modern software supply chains.


Easier Adoption with AI Assistance

To accelerate adoption, Docker’s AI assistant can now:

  • Scan existing container images

  • Recommend equivalent Docker Hardened Images

  • Automatically apply hardened replacements

This allows teams to upgrade their security posture in minutes, without rewriting Dockerfiles or disrupting pipelines.


Extending Security to AI Infrastructure

As AI agents become embedded in development workflows, their infrastructure must meet the same security standards as traditional workloads.

Docker is extending its hardening methodology to Model Context Protocol (MCP) servers, a rapidly growing part of the AI ecosystem—and an emerging attack surface.

At launch, Docker is releasing hardened MCP server images for more than ten popular servers, including:

  • Grafana

  • MongoDB

  • GitHub

  • Context7

More hardened MCP servers will follow in the coming weeks, all built with the same minimal footprint, CVE remediation, and provenance guarantees that define DHI.


DHI Enterprise: Security at Scale

For organizations with advanced compliance and regulatory requirements, Docker Hardened Images Enterprise provides additional capabilities, including:

  • SLA-backed CVE remediation for critical vulnerabilities in under seven days, with a roadmap to 24-hour SLAs

  • FIPS-enabled and STIG-ready images

  • Full image customization, while preserving trust, signing, and provenance


Extended Lifecycle Support Beyond End-of-Life

When upstream support ends, vulnerabilities don’t stop. To address this, Docker is introducing Docker Hardened Images Extended Lifecycle Support (DHI ELS), a paid add-on to DHI Enterprise that provides:

  • Five additional years of security coverage beyond upstream end-of-life

  • Continued CVE patching and SBOM updates

  • Ongoing signing and auditability for compliance frameworks

This ensures long-lived systems remain secure without risky migrations or unsupported dependencies.


A New Baseline for the Industry

“Security has to start at the earliest point in development, and it needs to be universally available to every developer,” said Mark Cavage, President and COO of Docker. “By making hardened images freely available and extending our security model to AI infrastructure, we’re giving the entire ecosystem a stronger, safer foundation.”

With adoption already underway across leading organizations like Adobe, Attentive, and Crypto.com, Docker Hardened Images are quickly becoming the standard for building and running containerized applications.


How to Use Docker Hardened Images (DHI)

  • Navigate to the official URL, which is dhi.io

Basic Dockerfile using DHI

FROM dhi.io/nginx:1-alpine3.21

To pull a DHI image locally, you must authenticate with a Docker Hub personal access token, not your Docker Hub password.

  • Run the following command to authenticate with DHI:

    docker login dhi.io

  • Enter your Docker Hub username, and use the generated access token as the password.

  • Next, run the pull command to pull an image from DHI:

    docker pull dhi.io/nginx:1-alpine3.21
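
A non-interactive version of the login and pull steps above, for CI jobs where nobody can type the token at a prompt. This is an added example, not code from Docker or from the original post; the variable names DHI_USER and DHI_TOKEN and the function names are assumptions.

```shell
#!/bin/sh
# Added example: scripted login to dhi.io and image pull for CI.
# Assumption: the CI secret store exports DHI_USER (Docker Hub username)
# and DHI_TOKEN (Docker Hub personal access token); both names are hypothetical.

DHI_REGISTRY="dhi.io"

# Log in with the personal access token. The token goes to docker's stdin,
# so it never appears in argv (process listings) or in shell history.
dhi_login() {
    if [ -z "${DHI_USER:-}" ] || [ -z "${DHI_TOKEN:-}" ]; then
        echo "DHI_USER and DHI_TOKEN must be set" >&2
        return 2
    fi
    printf '%s' "$DHI_TOKEN" |
        docker login --username "$DHI_USER" --password-stdin "$DHI_REGISTRY"
}

# Pull an image, refusing any reference that does not point at dhi.io,
# then print the repo digest so the job can record exactly what it pulled.
dhi_pull() {
    image="$1"
    case "$image" in
        "$DHI_REGISTRY"/*) ;;
        *) echo "refusing to pull non-DHI image: $image" >&2; return 3 ;;
    esac
    docker pull "$image" >&2 || return 1
    docker image inspect --format '{{index .RepoDigests 0}}' "$image"
}

# Login, pull, and always log out so the credential does not stay in the
# runner's Docker config after the job.
dhi_main() {
    dhi_login || return $?
    dhi_pull "$1"
    rc=$?
    docker logout "$DHI_REGISTRY" >&2
    return "$rc"
}

# Runs only when the script is given an image reference as its argument.
if [ "$#" -gt 0 ]; then
    dhi_main "$@"
fi
```

Invoke it with the image reference as the only argument, for example the dhi.io/nginx:1-alpine3.21 tag used above.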

Conclusion

Docker is redefining container security by making hardened images free, open, and accessible to everyone. This shift establishes a secure-by-default foundation for modern software and AI infrastructure. With transparency, compatibility, and enterprise-grade options, Docker meets developers where they build.
The result is a stronger, safer software supply chain for the entire Internet.

