
Docker Hardened Images: A Year of Building Security at Scale

Published: 2026-05-05 04:02:05 | Category: Cloud Computing

Milestones and Metrics

It has been nearly a year since we launched Docker Hardened Images (DHI) last May, and a recent milestone made me pause to reflect on what we have achieved. Earlier this month, DHI crossed 500,000 daily pulls and 25,000 continuously patched OS-level artifacts in our SLSA Build Level 3 pipeline. Since introducing the free DHI Community tier at the end of last year, the catalog has grown to over 2,000 hardened images, MCP servers, Helm charts, and ELS images. We continuously patch every artifact across CVEs, distros, and versions, running over a million builds regularly—and we are just getting started. Catalog coverage will expand further as more Debian packages, ELS images, and newer artifact types are added.

Source: www.docker.com

Over 500k Daily Pulls and Growing

These numbers demonstrate the trust and adoption from the developer community. The daily pull count reflects not just usage but reliance on DHI for production workloads. Each pull benefits from our continuous patching pipeline, ensuring that images remain secure against the latest vulnerabilities.

Continuous Patching at Scale

Our SLSA Build Level 3 pipeline ensures every build is verifiable and reproducible. We rebuild and patch every OS-level artifact continuously, meaning that when a CVE is disclosed, the fix is automatically integrated into our images. This approach eliminates the gap between vulnerability disclosure and patch availability, a common pain point in the industry.

The Philosophy Behind the Harder Path

The interesting part is not the numbers but how we got here. Every product and engineering decision was intentionally harder to build and operate—but better for developers and for ecosystem security. We chose this path deliberately.

Free and Open Source by Design

We made hardened images free and open source under the Apache 2.0 license. Security should not be a premium feature locked behind a paywall. By making DHI widely accessible, we raised the security baseline across the internet. This impact at scale is only possible because the foundation is open. We have been doing this for over a decade with Docker Official Images, freely available to the community. With DHI Community, we ensured that every team, regardless of budget, can raise their security posture.

Multi-Distro for Zero Migration Tax

We built a multi-distro product so that adoption does not require migrating to a vendor’s proprietary operating system. Some vendors created entirely new Linux distributions, branding them as “distroless” but effectively imposing a proprietary OS that teams have never run, tested, or audited. Our approach lets you use the distros you already run—Debian, Alpine, and more—without a migration tax. Drop-in hardening that works with your existing workflows.


Source-Built Packages and Verifiable Attestations

We build every system package from source for the distros you already run. This gives us full control over the build process and ensures transparency. Additionally, we ship a wide range of signed attestations with every image—SLSA provenance, SBOMs, and vulnerability reports. Independent verifiability requires this level of detail, and we provide it because it is necessary for trust.

How We Compare to the Industry

Along the way, we examined how the rest of the industry approaches the same problems. Many vendors have inconsistent patching timelines, incomplete SBOMs, and limited advisory coverage. Some provide minimal attestations or require proprietary tooling to verify. In contrast, our continuous patching pipeline updates all supported distros simultaneously, and our SBOMs are comprehensive, covering every OS-level package. Our advisories are precise, helping teams prioritize vulnerabilities effectively.

We also observed a pattern: some providers focus on a single distro or maintain a small catalog, limiting flexibility. Our multi-distro, continuously growing catalog ensures that you can choose the best base for your application without compromising on security.

The Impact on the Ecosystem

The ultimate goal was to make a real dent in the security posture of the internet. By making hardened images free, multi-distro, and fully verifiable, we lowered the barrier to entry for secure container practices. The numbers—500k daily pulls, 25k patched artifacts, 2,000+ images—are evidence of adoption. But the real impact is in the shift towards a more open and accessible security model. Teams that previously could not afford premium hardened images now have a robust, free option. This, in turn, raises the overall security baseline of the container ecosystem.
