Docker makes hardened images free, open, and transparent for everyone
Docker has made its open source Docker Hardened Images project available at no cost for every developer and organization. The catalog contains more than 1,000 container images built on open source distributions such as Debian and Alpine and is released under the Apache 2.0 license. The images are accessible through Docker Hub and related distribution points.

“Security has to start at the earliest point in development, and needs to be universally available to every developer,” said Mark Cavage, President and COO at Docker. “By making hardened images freely available and providing tooling that works with AI coding agents, we’re giving the entire industry and community the best possible baseline to build on.”
What hardened images include
Docker Hardened Images are designed to give developers a base set of container images that integrate common security features. Every image includes a software bill of materials (SBOM), public Common Vulnerabilities and Exposures (CVE) data, build provenance that meets Supply-chain Levels for Software Artifacts (SLSA) Build Level 3, and cryptographic evidence of authenticity. The catalog is built to support typical container workloads and includes runtime variants for common runtimes.
The images are minimal by design, with toolchains and libraries selectively included to limit the number of exploitable components. Docker states these images reduce vulnerability counts relative to standard community-provided base images.
Integration with tooling
Docker’s tooling ecosystem now includes support for identifying when existing container images can be replaced with hardened equivalents. A Docker AI assistant extension can analyze existing containers and recommend corresponding hardened images that match application requirements.
Docker is also extending the hardened approach to images used for Model Context Protocol (MCP) servers. These images support AI-related infrastructure components such as database and observability services, bringing the same build and verification processes applied to core container images to these server types.
Commercial offerings around hardened images
Docker continues to offer paid tiers of the hardened images for environments with more stringent operational and regulatory requirements. DHI Enterprise adds service level agreements for critical CVE remediation, compliance-ready variants, and image customization options. An additional Extended Lifecycle Support product provides vulnerability updates, SBOM revisions, and provenance attestations for up to five years after upstream support ends.
Reception and ecosystem use
A range of developer and enterprise stakeholders have adopted hardened images since their initial release earlier in the year. Major technology companies appear in adoption commentary, reporting use of the images in internal workflows. Third-party observers in the container and DevSecOps space are evaluating the move as a step toward broader adoption of verified, traceable base images in software supply chains.