Docker Hardened Images for Container Security
Docker Hardened Images (DHI) let Docker handle base image security, so your team can focus on building features instead of chasing vulnerabilities.
In 2024, a staggering 87% of container images were found to have at least one vulnerability, and a measurable fraction of those vulnerabilities have been used to compromise production infrastructure. With cloud and container orchestration adoption not slowing down, these percentages are expected to rise.
While organizations strive to keep their containers secure, security often takes a back seat to feature development. This is where Docker Hardened Images (DHI) can help, serving as a pivotal step towards container supply chain security.
Let's explore how we can use DHIs to bolster container supply chain security. Simply put, DHIs are minimal, secure, production-ready base and application images maintained by Docker. Their primary purpose is to mitigate vulnerabilities and simplify compliance. They come in two tiers: DHI Free and DHI Enterprise. Today, we will be talking about the DHI Free tier.
First and foremost, DHI is built to meet Supply-chain Levels for Software Artifacts (SLSA) Level 3. SLSA is a security framework for improving the security and integrity of software supply chains.
Second, DHI images are distroless. A distroless image contains only the minimal OS components required to run an application, which significantly reduces the attack surface.
Third and most importantly, because these images are maintained by Docker, your team is free from maintaining the base images.
Last but not least, the images ship with the SBOMs and VEX documents required for compliance.
Base Image Types
There are two main base image types that DHI offers:
- Debian-based images: Most popular image format with compatibility across a ton of enterprise and language ecosystems.
- Alpine-based images: These are lightweight images with a smaller footprint and take less time to pull.
In addition to the above, engineering teams work with multiple environments, and we often want to be less restrictive in development than in production. For this reason, DHI also offers Development (dev) images and Runtime images.
- Development images: These images are equipped with the development tools required for testing and debugging applications.
- Runtime images: These are stripped-down versions of development images containing only essential components.
Another important image type to consider is FIPS (Federal Information Processing Standards) compliant images. FIPS is a set of standards issued by NIST for protecting sensitive information in U.S. government systems. DHI offers images in this format as well.
For example, 3.9.23-debian12-fips is the FIPS variant of the Debian-based Python 3.9.23 image.
Exploring Docker Hardened Images
To browse the hardened images, visit the hardened images catalog. Below is an example of an HAProxy hardened image.

To use the image:
Step 1: Log in to the DHI registry with the docker login command. When prompted, provide the Docker username and password you use to log in to Docker Hub.
docker login dhi.io
Step 2: Run the docker pull command.
docker pull dhi.io/haproxy:3
3: Pulling from haproxy
b6333da2da1a: Pull complete
063d1e58f288: Pull complete
ecd2e4e4bafa: Pull complete
ab8976a7e8ab: Pull complete
fa5ebd2c8cac: Pull complete
972929f73937: Pull complete
8a50f202d4cd: Pull complete
Digest: sha256:1be3e9192704f706c6a1b627788698ab674e19ea067cce5003de67f8c5449c8c
Status: Downloaded newer image for dhi.io/haproxy:3
dhi.io/haproxy:3
Step 3: To check for any CVEs, run the docker scout cves command.
docker scout cves dhi.io/haproxy:3
i New version 1.19.0 available (installed version is 1.18.3) at https://github.com/docker/scout-cli
v SBOM of image already cached, 28 packages indexed
x Detected 2 vulnerable packages with a total of 8 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────
Target │ dhi.io/haproxy:3
digest │ 1be3e9192704
platform │ linux/amd64
vulnerabilities │ 0C 0H 0M 8L
size │ 18 MB
packages │ 28
## Packages and Vulnerabilities
0C 0H 0M 7L glibc 2.41-12
8 vulnerabilities found in 2 packages
CRITICAL 0
HIGH 0
MEDIUM 0
LOW 8
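As an added example (not part of the article), the three steps above can be turned into a CI gate: pin the pulled image by its digest so later stages deploy exactly what was scanned, and fail the build if docker scout reports any Critical or High CVEs. The sample inputs are constructed from the docker pull and docker scout output quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): turn the pull-and-scan steps into
# a CI gate that pins the image by digest and fails on Critical/High CVEs.
# Sample inputs are constructed from the docker pull / docker scout output
# quoted in the article; the function names are this example's own.

SAMPLE_PULL_OUTPUT='Digest: sha256:1be3e9192704f706c6a1b627788698ab674e19ea067cce5003de67f8c5449c8c
Status: Downloaded newer image for dhi.io/haproxy:3'

SAMPLE_SCOUT_OUTPUT='  Target          │ dhi.io/haproxy:3
  vulnerabilities │ 0C 0H 0M 8L'

# pin_by_digest IMAGE  (stdin: docker pull output)
# Prints IMAGE@sha256:... so later stages deploy exactly what was scanned,
# not whatever the mutable ":3" tag points at tomorrow.
pin_by_digest() {
  d=$(sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1)
  [ -n "$d" ] || { echo "no digest in pull output" >&2; return 1; }
  echo "$1@$d"
}

# scout_counts  (stdin: docker scout cves output)
# Extracts the "0C 0H 0M 8L" summary and prints "C H M L" as four numbers.
scout_counts() {
  sed -n 's/.*[^0-9]\([0-9][0-9]*\)C \([0-9][0-9]*\)H \([0-9][0-9]*\)M \([0-9][0-9]*\)L.*/\1 \2 \3 \4/p' \
    | head -n 1
}

# gate_on_severity  (stdin: docker scout cves output)
# Returns 0 when Critical and High are both zero, 1 otherwise, 2 if unparsable.
gate_on_severity() {
  counts=$(scout_counts)
  [ -n "$counts" ] || { echo "no vulnerability summary found" >&2; return 2; }
  set -- $counts
  if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
    echo "FAIL: $1 critical, $2 high CVEs" >&2
    return 1
  fi
  echo "PASS: ${1}C ${2}H ${3}M ${4}L"
}

# Live pipeline (needs Docker; not run by the tests):
#   ref=$(docker pull dhi.io/haproxy:3 | pin_by_digest dhi.io/haproxy)
#   docker scout cves "$ref" | gate_on_severity
```

Adjust the threshold in gate_on_severity to your own policy; the eight Low findings in the scan above pass this gate as written.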
Docker Hardened Image Charts
For teams working in a Kubernetes environment, Helm charts are nothing new. Helm is one of the standard ways to package, configure, and manage the deployment of applications to Kubernetes.
DHI also provides hardened Helm charts that can be installed into a Kubernetes environment. For example, to use the Traefik Helm chart:
Step 1: Log in to the registry with the helm registry login command, supplying your access token on stdin.
echo $ACCESS_TOKEN | helm registry login dhi.io --username sirivarma --password-stdin
Step 2: Install using the chart values from the Docker registry.
DHI Helm Chart: https://hub.docker.com/hardened-images/catalog/dhi/traefik-chart.
Comparing DHI Images Against Regular Images
To better understand the capabilities of hardened images, it helps to compare them with regular images. For example, comparing a hardened Python image with a standard Python image can highlight the differences.
Running the following command reports how many vulnerabilities the hardening removed. In this case, a total of 176 vulnerabilities were removed.
docker scout compare dhi.io/node:22-debian13 --to node:22 --platform linux/amd64 --ignore-unchanged
## Packages and Vulnerabilities
+ 8 packages added
- 714 packages removed
⎌ 11 packages changed (↑ 11 upgraded, ↓ 0 downgraded)
- 176 vulnerabilities removed
Conclusion
With 87% of container images carrying vulnerabilities, the “we’ll secure it later” approach simply doesn’t scale anymore. Docker Hardened Images offer a pragmatic solution — instead of asking overstretched teams to manually harden base images, DHI shifts that burden upstream.
The numbers from our comparison tell the story: 714 packages removed, 176 vulnerabilities eliminated. That’s not tweaking around the edges; it’s a fundamentally more secure starting point.
DHI won’t solve all your container security challenges, but it does remove a significant chunk of them before you write your first line of code. For teams juggling security and feature delivery, that’s a trade-off worth making.
Opinions expressed by DZone contributors are their own.