Docker Hardened Images Are Now Open Source and Free to Use
More than 1,000 Docker Hardened Images (DHI) are now freely available and open source under the Apache 2.0 license, giving software developers unrestricted access to secure, production-ready container base images. Docker is widely used by developers to build, test, and deploy applications inside containers that package all required dependencies, ensuring consistent behavior across systems and environments.
Figure 1. Docker Hardened Images.
Launched in May, Docker Hardened Images are minimal, security-focused base images maintained directly by Docker. They are designed to reduce attack surface and mitigate supply-chain risk at the container layer, making them well suited for production environments. DHIs run as a non-root user by default, strip components the workload does not need, and ship with no known vulnerabilities at the time of release. They also support the Vulnerability Exploitability eXchange (VEX) standard, which lets the image maintainer state which reported CVEs do not affect a given image (for example because the vulnerable code is not present or not reachable), so that scanners can suppress those findings and teams can concentrate on the exploitable ones. Docker continues to patch vulnerabilities in DHI components as they are discovered.
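To show what VEX support buys in practice, the following is an added example (not Docker's code and not part of the original article) that applies VEX statements to a set of scanner findings. It assumes the OpenVEX encoding of VEX, which the article does not specify; the image identifier, package URLs, CVE names (CVE-0000-*) and the VEX document itself are constructed placeholders. It also handles two edge cases a practitioner runs into: a newer statement superseding an older one for the same CVE, and a `not_affected` statement that lacks the justification the spec requires.

```python
"""Apply OpenVEX statements to container vulnerability-scan findings.

Added example, not code from Docker or the DHI catalog. Assumes the VEX
data is encoded as OpenVEX; every identifier below (image purl, package
purls, CVE-0000-* names) is a constructed placeholder.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed identifier for the hypothetical image being scanned.
IMAGE_ID = "pkg:oci/example-app@sha256%3A0000000000000000"

@dataclass(frozen=True)
class Finding:
    cve: str       # vulnerability identifier reported by the scanner
    purl: str      # package URL of the component the scanner flagged
    severity: str

# Constructed scanner output for the image above.
SCAN_FINDINGS = [
    Finding("CVE-0000-0001", "pkg:deb/debian/openssl@3.0.15-1", "critical"),
    Finding("CVE-0000-0002", "pkg:deb/debian/libxml2@2.9.14-1", "high"),
    Finding("CVE-0000-0003", "pkg:deb/debian/zlib@1.3.1-1", "medium"),
    Finding("CVE-0000-0004", "pkg:deb/debian/curl@8.5.0-1", "high"),
]

def _product(purl):
    """One OpenVEX product entry: the image, naming the affected package."""
    return {"@id": IMAGE_ID, "subcomponents": [{"@id": purl}]}

# Constructed OpenVEX document, as a hypothetical maintainer might publish it.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-app-1",
    "author": "example image maintainer",
    "timestamp": "2025-01-10T00:00:00Z",
    "version": 1,
    "statements": [
        # Older statement: triage still open.
        {"vulnerability": {"name": "CVE-0000-0001"},
         "timestamp": "2025-01-05T00:00:00Z",
         "products": [_product("pkg:deb/debian/openssl@3.0.15-1")],
         "status": "under_investigation"},
        # Newer statement supersedes it: vulnerable code is not in the image.
        {"vulnerability": {"name": "CVE-0000-0001"},
         "timestamp": "2025-01-09T00:00:00Z",
         "products": [_product("pkg:deb/debian/openssl@3.0.15-1")],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
        # Still under investigation: the finding must stay visible.
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [_product("pkg:deb/debian/libxml2@2.9.14-1")],
         "status": "under_investigation"},
        # Malformed: OpenVEX requires a justification for not_affected.
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [_product("pkg:deb/debian/zlib@1.3.1-1")],
         "status": "not_affected"},
    ],
})

SUPPRESSING = {"not_affected", "fixed"}  # statuses that remove a finding

def _timestamp(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _vuln_name(statement):
    vuln = statement["vulnerability"]
    return vuln if isinstance(vuln, str) else vuln["name"]  # v0.1 used a string

def _component_ids(statement):
    """Every product or subcomponent identifier a statement applies to."""
    ids = set()
    for product in statement.get("products", []):
        if isinstance(product, str):
            ids.add(product)
            continue
        ids.add(product["@id"])
        for sub in product.get("subcomponents", []):
            ids.add(sub["@id"] if isinstance(sub, dict) else sub)
    return ids

def latest_statements(vex):
    """Index statements by (CVE, component id); the newest statement wins.
    A statement without its own timestamp inherits the document timestamp."""
    doc_ts = _timestamp(vex["timestamp"])
    index = {}
    for st in vex["statements"]:
        ts = _timestamp(st["timestamp"]) if "timestamp" in st else doc_ts
        for cid in _component_ids(st):
            key = (_vuln_name(st), cid)
            if key not in index or ts >= index[key][0]:
                index[key] = (ts, st)
    return {key: st for key, (_, st) in index.items()}

def apply_vex(findings, vex_json, image_id=IMAGE_ID):
    """Split findings into (actionable, suppressed) lists of (finding, reason)."""
    index = latest_statements(json.loads(vex_json))
    actionable, suppressed = [], []
    for f in findings:
        # Prefer a statement naming the exact package, then one for the whole image.
        st = index.get((f.cve, f.purl)) or index.get((f.cve, image_id))
        status = st["status"] if st else "no VEX statement"
        if status == "not_affected" and not st.get("justification"):
            # Never let an invalid statement hide a finding.
            actionable.append((f, "not_affected without justification, kept"))
        elif status in SUPPRESSING:
            suppressed.append((f, st.get("justification", status)))
        else:
            actionable.append((f, status))
    return actionable, suppressed
```

Running `apply_vex(SCAN_FINDINGS, VEX_JSON)` suppresses only the openssl finding, whose newest statement is a justified `not_affected`; the libxml2 item stays open as `under_investigation`, the zlib item is kept because its `not_affected` statement carries no justification, and the curl item has no statement at all. In a real pipeline the VEX document should be accepted only after its signature or attestation has been verified, since a forged or tampered statement would silently hide real findings.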
In October, Docker announced plans to provide unlimited access to its full catalog of more than 1,000 Hardened Images and introduced a 30-day free trial for subscribers. The company has now gone further, shifting DHIs from a paid offering to a fully subscription-free, open-source resource available to all developers. Figure 1 shows Docker Hardened Images.
“Today, we are setting a new industry standard by making Docker Hardened Images freely available and open source for everyone who builds software—all 26 million-plus developers in the container ecosystem,” Docker said in its announcement. According to the company, DHI images are now free to use, modify, share, and build upon without licensing restrictions, backed by the Apache 2.0 license [1]. Docker added that DHIs provide a secure, minimal, production-ready foundation from the first image pull.
Docker emphasized that the move does not lower the security bar. The images still ship with a verifiable software bill of materials (SBOM), carry SLSA Build Level 3 provenance, and are cryptographically signed so that their authenticity can be checked before use. However, the company clarified that its seven-day service-level agreement (SLA) for patching critical CVEs remains exclusive to the paid DHI Enterprise tier: the free images will still receive security patches, but on no guaranteed timeline.
Docker noted that it is working to reduce patch turnaround times for DHI Enterprise to one day or less. The commercial tier also offers additional capabilities, including the ability to customize DHI images, configure runtimes, and install extra tools.
References
[1] https://cyberinsider.com/react2shell-flaw-threatens-rce-in-39-of-all-cloud-environments/
Cite this article:
Keerthana S (2025), Docker Hardened Images Are Now Open Source and Free to Use, AnaTechMaz, pp.179.

