Dubook88

One Year of Docker Hardened Images: Q&A on Our Approach and Progress

Published: 2026-05-01 13:49:36 | Category: Cloud Computing

Welcome to our reflection on the first year of Docker Hardened Images (DHI). In the months since launch, we've reached significant milestones and made intentional decisions that shaped our product. Here we answer key questions about our journey, philosophy, and results.

What milestones has Docker Hardened Images achieved in its first year?

Since launching in May 2023, DHI has grown rapidly. We now serve over 500,000 daily pulls and maintain more than 25,000 continuously patched OS-level artifacts, all built within a SLSA Build Level 3 pipeline. The catalog has expanded to include over 2,000 hardened images, MCP servers, Helm charts, and ELS images. Thanks to our continuous patching across CVEs, distributions, and versions, we now run over a million builds regularly. And this is just the beginning: coverage will soon increase with more Debian packages, ELS images, and new artifact types.

Source: www.docker.com

Why did you choose the harder path for building Docker Hardened Images?

We deliberately chose a path that is harder to build and operate, because it is better for developers and ecosystem security. Every decision—from making images free and open source, to supporting multiple Linux distributions, to building every system package from source for distros you already use—was driven by a commitment to verifiability and trust. We ship extensive signed attestations with each image to enable independent verification. While this approach demands more effort, it ensures that teams can adopt our images without migrating to a proprietary OS or sacrificing transparency.

Why are Docker Hardened Images offered for free and open source?

We believe security should not be a premium feature. To raise the security baseline across the internet, we made the DHI Community tier available under a permissive Apache 2.0 license. This was a deliberate break from the industry norm of gating such catalogs behind paywalls. By making hardened images freely accessible, every development team can improve their security posture without financial barriers. Our decade of experience maintaining Docker Official Images has shown that open, community-driven security benefits everyone. The scale of impact—thousands of artifacts, millions of builds—is only possible because the foundation remains open.

How does multi-distro support benefit developers using Docker Hardened Images?

Some vendors create a proprietary “distroless” OS, forcing teams to adopt an untested, closed platform. We reject that approach. Docker Hardened Images support established distributions like Debian and Alpine, so you can drop them into your existing workflows without migration overhead. Your teams already know how to test, audit, and run these distros. Our multi-distro strategy means zero vendor lock-in: you keep using the packages and tools you rely on, while gaining continuous hardening against CVEs. This compatibility lowers adoption friction and lets you focus on building, not retooling.

What makes your patching process and attestation approach unique?

We continuously patch every artifact in our pipeline, covering CVEs, all supported distributions, and multiple versions. This goes beyond typical monthly or quarterly updates—our pipeline runs over a million builds regularly, ensuring you always receive the latest fixes. Equally important, we ship a comprehensive set of signed attestations with each image: SBOMs, provenance, and more. This allows you to independently verify exactly what’s inside an image and how it was built. Our SLSA Build Level 3 compliance ensures that every step is cryptographically signed and traceable. No other hardened image provider offers this level of transparent, real-time patching and verifiable supply chain security.

How does Docker Hardened Images compare to other industry solutions?

We examined how the rest of the industry handles patching timelines, SBOM completeness, and advisory coverage. Many vendors provide incomplete or delayed updates, proprietary base images, or limited attestations. In contrast, DHI delivers continuous patching across multiple distros, complete SBOMs for every build, and a fully open catalog. While others might offer a faster initial setup, their long-term maintenance often introduces risks like vendor lock-in or opaque rebuild cycles. Our approach ensures you always have the latest, independently verifiable hardened images without compromising on flexibility or trust. The numbers—500k daily pulls, 25k artifacts—show that teams increasingly value this transparent, community-first model.

What can teams expect from the growing DHI catalog?

Our catalog currently includes over 2,000 hardened images, MCP servers, Helm charts, and ELS images. We are aggressively expanding coverage: more Debian packages, additional ELS images, and entirely new artifact types are in the pipeline. Every existing artifact is continuously patched, and new ones are added with the same rigorous pipeline. Teams can expect support for a wider range of languages, frameworks, and use cases, all while maintaining the same level of security, transparency, and zero-cost access. As the ecosystem evolves, we will keep adding resources to help you stay protected without slowing down development.