★ 7/10 · Dev-tools · 2026-02-04

Setting Docker Hardened Images free

Summary

Docker has transitioned its Hardened Images (DHI) from a paid feature to a free, open-source offering. These images are designed to provide a secure, minimal, and production-ready foundation for containerized applications.

Key Points

  • Docker Hardened Images (DHI) are now freely available and open source to all software builders.
  • The images include a Software Bill of Materials (SBOM) to provide transparency into all included components.
  • DHI adheres to SLSA (Supply-chain Levels for Software Artifacts) standards to ensure supply chain integrity.
  • Support for VEX (Vulnerability Exploitability eXchange) is integrated to assist in managing vulnerability data.
  • The images are compatible with Docker Scout for monitoring and analyzing image health scores.

Technical Details

DHI is engineered to reduce the attack surface of production environments by using minimal image footprints. Core technical components of the offering are the SBOMs shipped with the images and adherence to the SLSA framework, which together allow the software supply chain to be verified. In addition, VEX lets developers manage vulnerabilities more accurately by stating whether a specific vulnerability is actually exploitable in the image's specific configuration. This reduces the noise typically associated with large-scale vulnerability scanning.
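The noise reduction described above can be illustrated with a short added example (not Docker's or Docker Scout's code) that triages scanner findings against VEX statements. It assumes statements in the OpenVEX JSON layout; the image references, CVE ids and timestamps are constructed placeholders, and the policy of requiring a justification for `not_affected` is a choice made for this example.

```python
SUPPRESS = {"not_affected", "fixed"}  # OpenVEX statuses that need no action
IMAGE = "pkg:oci/example-app@sha256:PLACEHOLDER"  # hypothetical image id
OTHER = "pkg:oci/other-image@sha256:PLACEHOLDER"  # a different image

def stmt(cve, product, status, ts, justification=None):
    """Build one OpenVEX-style statement (constructed sample data)."""
    s = {"vulnerability": {"name": cve}, "products": [{"@id": product}],
         "status": status, "timestamp": ts}
    if justification:
        s["justification"] = justification
    return s

VEX_DOC = {"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    stmt("CVE-0000-0001", IMAGE, "not_affected", "2026-01-10T00:00:00Z",
         "vulnerable_code_not_in_execute_path"),
    stmt("CVE-0000-0002", IMAGE, "under_investigation", "2026-01-10T00:00:00Z"),
    stmt("CVE-0000-0002", IMAGE, "affected", "2026-01-20T00:00:00Z"),
    stmt("CVE-0000-0003", OTHER, "not_affected", "2026-01-10T00:00:00Z",
         "component_not_present"),
    stmt("CVE-0000-0005", IMAGE, "not_affected", "2026-01-10T00:00:00Z"),
]}
FINDINGS = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
            "CVE-0000-0004", "CVE-0000-0005"]  # constructed scanner output

def latest_status(doc, product):
    """Map CVE id -> newest statement that names this exact product."""
    latest = {}
    for st in doc["statements"]:
        if not any(p.get("@id") == product for p in st.get("products", [])):
            continue  # statement is about another image: never apply it
        cve = st["vulnerability"]["name"]
        # Same-format UTC timestamps compare correctly as strings.
        if cve not in latest or st["timestamp"] > latest[cve]["timestamp"]:
            latest[cve] = st
    return latest

def triage(findings, doc, product):
    """Split finding ids into (actionable, suppressed) for one image."""
    vex = latest_status(doc, product)
    actionable, suppressed = [], []
    for cve in findings:
        st = vex.get(cve)
        # Unknown, affected and under_investigation all stay actionable;
        # not_affected without a justification is treated as unproven.
        ok = bool(st) and st["status"] in SUPPRESS and (
            st["status"] == "fixed" or bool(st.get("justification")))
        (suppressed if ok else actionable).append(cve)
    return actionable, suppressed
```

Only one of the five constructed findings is suppressed: a later `affected` statement overrides an earlier one, a statement for a different image is ignored, and an unjustified `not_affected` is not trusted.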

Impact / Why It Matters

Developers can now use high-security, audited container images in their CI/CD pipelines without additional licensing costs. This simplifies securing the software supply chain and reduces the manual effort required for vulnerability management and compliance.
