
Docker has announced a significant shift in its container security strategy, making its Docker Hardened Images (DHI) freely available to all developers.
Previously a commercial-only offering, DHI provides a set of secure, minimal, and production-ready container images.
By releasing these under an Apache 2.0 license, Docker aims to combat the rising tide of software supply chain attacks, which caused over $60 billion in damages in 2025.
With more than 20 billion image pulls per month on Docker Hub, Docker is the de facto standard for software delivery. The new initiative ensures that every developer, regardless of budget, starts from a secure foundation.
Unlike proprietary alternatives, DHI is fully open source and built on the familiar Alpine and Debian distributions.
This means teams can adopt the hardened images without rewriting their existing Dockerfiles or changing their workflows.
Docker emphasizes that “hardened” does not mean opaque. The free DHI offering includes:
| Feature | Description |
|---|---|
| Full Transparency | Provides a complete Software Bill of Materials (SBOM) for every image |
| Provenance | Uses SLSA Build Level 3 verification |
| Honest Reporting | Shows full CVE status without hiding vulnerability warnings |
| Reduced Attack Surface | Images are up to 95% smaller than conventional images, which means fewer packages and less exploitable surface |
Enterprise Options Remain
While the base images are now free, Docker continues to offer DHI Enterprise for organizations with strict regulatory requirements.
The commercial tier focuses on service-level agreements (SLAs) rather than gatekeeping the security technology itself. Docker is also expanding this program beyond basic OS images.
| Feature | Docker Hardened Images (Free) | DHI Enterprise (Paid) |
|---|---|---|
| Availability | Open Source (Apache 2.0) | Commercial License |
| Base OS | Alpine, Debian | Alpine, Debian + Custom |
| Patching Speed | Standard Release Cycle | <7 Day SLA for Critical CVEs |
| Compliance | Standard Security | FIPS, FedRAMP, STIG |
| Lifecycle | Standard Support | Extended Lifecycle Support (ELS) |
The release includes Hardened Helm Charts for Kubernetes and trusted versions of the Model Context Protocol (MCP) servers for popular tools such as MongoDB, Grafana, and GitHub.
By making these tools free, Docker is effectively raising the “security poverty line,” ensuring that secure software delivery is a standard, not a luxury.
