Docker Security Best Practices
Use Docker Hardened Images
Docker Hardened Images (DHI) are pre-configured container images that have been optimized for security. The project, initiated by Docker Inc., aims to provide a set of base images that follow security best practices and reduce the attack surface of containerized applications.
This is probably one of the most straightforward and quickest steps you should take to improve the security of your containers, as it's easy, effective, and free at some level.
The catalog of Docker hardened images includes various popular base images and application stacks, such as Kafka, Valkey, Grafana, and many more. The list is growing continuously as Docker Inc. collaborates with different technology partners to provide secure images for a wide range of applications and use cases.
DHI images are built with several security features, including:
- Minimal image size: Reduced attack surface by minimizing unnecessary components.
- Near-zero CVEs: Regularly scanned and updated to minimize vulnerabilities.
- Verified SBOMs: Software Bill of Materials (SBOMs) are provided for transparency.
- SLSA Level 3: Built following Supply-chain Levels for Software Artifacts (SLSA) guidelines.
The images are accessible for free on Docker Hub, but some advanced features (like image lifecycle management) may require a paid subscription.
Images are based on Alpine and Debian, and they are offered as drop-in replacements for the standard Docker images, so migration is mostly a matter of changing the image reference. For example, to use the hardened version of the official PHP image, you would pull dhi.io/php:8-debian13-fpm.
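Since the migration is a change of image reference, a quick way to see how far along a project is to list every base image its Dockerfiles pull and flag those not served from dhi.io. The script below is an added example, not part of the original article or of the DHI project; it assumes plain `FROM <image> [AS <alias>]` lines and uses a constructed sample Dockerfile.

```shell
#!/bin/sh
# Added example (not from the article): audit the base images of a Dockerfile
# and flag every FROM line that does not pull from the dhi.io registry.
# Assumption: FROM lines are written as "FROM [--platform=...] <image> [AS <alias>]".

# Print "hardened <image>" or "unhardened <image>" for each FROM line in $1.
# References to earlier build stages (FROM <alias>) are skipped.
audit_base_images() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            if ($i ~ /^--platform=/) i++           # skip the --platform flag
            image = $i
            if (toupper($(i+1)) == "AS") aliases[$(i+2)] = 1   # remember stage alias
            if (image in aliases) next              # stage reference, not a registry image
            if (image ~ /^dhi\.io\//) print "hardened " image
            else print "unhardened " image
        }' "$1"
}

# Number of FROM lines that still pull an unhardened image (0 means fully migrated).
count_unhardened() {
    audit_base_images "$1" | awk '/^unhardened /{n++} END{print n+0}'
}

# Constructed sample: a multi-stage build where one stage has not yet been migrated.
SAMPLE_DOCKERFILE=$(mktemp)
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
FROM --platform=linux/amd64 node:20 AS assets
RUN npm ci && npm run build
FROM dhi.io/php:8-debian13-fpm AS app
COPY --from=assets /src/dist /var/www/html
FROM app
EOF

audit_base_images "$SAMPLE_DOCKERFILE"
echo "unhardened base images: $(count_unhardened "$SAMPLE_DOCKERFILE")"
```

Running the script on the sample reports `node:20` as unhardened and the PHP image as hardened; point it at your own Dockerfiles to find the stages still worth migrating.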