Introduction: Current State and Challenges of Container Security
In 2025, container security incidents grew by 47%, with supply chain attacks causing $60 billion in global losses. Traditional container security approaches have a fatal blind spot: even if you use a secure base image, a single apk add or apt-get install command can introduce hundreds of unverified system packages into your container, each a potential attack vector.
On March 3, 2026, Docker officially announced Hardened System Packages, extending Docker Hardened Images (DHI) security guarantees from the base image layer down to the individual system package level. This marks a new era in container security.
Why Traditional Images Arenβt Secure Enough
Letβs look at an actual comparison:
| Metric | Standard Node:20 Image | Docker Hardened Image |
|---|---|---|
| Image Size | 1.1GB | 112MB |
| Vulnerabilities | 171 CVEs | 8 CVEs |
| Default User | root | non-root |
| Components | 44+ packages (shell, package manager, etc.) | Runtime-only libraries (2 packages) |
The Key Question: What happens when you execute RUN apk add curl in your Dockerfile?
- Download curl package from public Alpine repositories
- Package manager automatically installs 15+ dependencies
- These packages come from multiple unknown maintainers
- No cryptographic signature verification of origin
- CVE fixes depend on upstream maintainers with uncertain timing
This is exactly what Docker Hardened System Packages solves.
Chapter 1: Understanding Docker Hardened System Packages
What Are Hardened System Packages?
Docker Hardened System Packages are system packages built from source, maintained, patched, and cryptographically signed by Docker itself. Every package meets SLSA Build Level 3 standards with complete provenance traceability.
Core Features:
- Provenance: Built from source with cryptographic signatures and provenance
- SLA Guarantee: Critical CVEs fixed within 24 hours, all within 7 days
- Minimal Attack Surface: Unnecessary tools and shells removed, runtime-only components
- Multi-Distro Support: Alpine Linux (8,000+ packages), Debian (coming soon)
Key Differences from Traditional Docker Images
Think of traditional images as a car assembled from parts sourced from multiple suppliers, while Hardened System Packages are produced from parts to vehicle by a single controlled supply chain.
| Dimension | Traditional Docker Image | Docker Hardened System Packages |
|---|---|---|
| Package Source | Public upstream repositories (apk, apt) | Docker secure pipeline built and signed |
| CVE Fixes | Wait for upstream maintainers, uncertain timing | SLA guaranteed, 24-hour target for critical |
| Supply Chain Trust | Multiple unknown maintainers | Single controlled namespace, complete chain |
| Default User | Typically root | Default non-root |
| Attack Surface | High (every package a potential entry) | Minimal (no shell, no package manager) |
Actual Data: Quantified Security Improvements
Docker security team conducted comparative testing:
Test Scenario: Running a simple Node.js application
# Traditional approach
docker pull node:20
docker scout cves node:20
# Result: 171 CVEs
# Hardened approach
docker pull dhi.io/node:20
docker scout cves dhi.io/node:20
# Result: 8 CVEsImprovement:
- Vulnerabilities reduced by 95%
- Image size reduced by 90%
- Attack surface reduced by 90% (shell, package manager removed)
Chapter 2: Core Security Features
Provenance and Supply Chain Security
Every Hardened System Package includes complete provenance documentation:
- Built from Source: Each package traces to specific source code commits
- Cryptographic Signing: Cosign signatures prevent tampering
- Rekor Transparency Log: All build events recorded publicly
- SLSA Build Level 3: Highest supply chain security standard
Verification Example:
# Verify image signature
cosign verify \
--certificate-identity-regexp=https://github.com/docker/* \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
dhi.io/node:20Vulnerability Fix SLA
Docker commits to:
- Critical CVEs: Fixed within 24 hours
- High CVEs: Fixed within 7 days
- Continuous Monitoring: Automated scanning and rebuilding
This means you no longer need to wait for Alpine or Debian maintainers, or manually track CVE announcements.
Minimal Attack Surface
Hardened System Packages follow βdistrolessβ philosophy:
- No Shell: Attackers cannot gain interactive access
- No Package Manager: Cannot install additional software
- No Debug Tools: Reduces information leakage
- Non-Root Default: Cannot escalate privileges even if compromised
Chapter 3: DHI Service Tiers
DHI Community (Free)
Best For: Individual developers, small projects, evaluation
- Apache 2.0 open source license
- 2,000+ hardened image catalog
- Base images: Alpine, Node.js, Python, Go, Java
- Community support
Access:
docker pull dhi.io/node:20
docker pull dhi.io/python:3.11
docker pull dhi.io/alpine:latestDHI Select ($5,000/repository)
Best For: Medium enterprises, teams needing SLA guarantees
- All Community features
- SLA-backed CVE fixes
- Custom image capabilities
- Compliance guarantees (SOC 2, ISO 27001)
- Priority support
DHI Enterprise
Best For: Large enterprises, financial institutions, government
- All Select features
- Access to Hardened System Packages repository
- Up to 5 years Extended Lifecycle Support (ELS)
- Enterprise customization and support
- Private repository support
- Dedicated account manager
Chapter 4: Quick Start Guide
Prerequisites
- Docker account (free)
- Docker Desktop or Docker Engine 20.10+
- Basic container knowledge
Step 1: Start with DHI Community
# Pull free hardened images
docker pull dhi.io/node:20
docker pull dhi.io/python:3.11
docker pull dhi.io/alpine:3.19
# Run test
docker run --rm dhi.io/node:20 node --versionStep 2: Scan with Docker Scout
# Scan for vulnerabilities
docker scout cves dhi.io/node:20
# Compare with traditional image
docker scout compare --to node:20 dhi.io/node:20
# Example output:
# Overall improvement
# 95% less vulnerabilities
# 90% smaller image sizeStep 3: Build Custom Hardened Image
# Use DHI base image
FROM dhi.io/node:20
WORKDIR /app
# Copy dependencies
COPY package*.json ./
# Production install (runtime dependencies only)
RUN npm ci --only=production && npm cache clean --force
# Copy application code
COPY . .
# Run as non-root user
USER node
# Start command
CMD ["node", "server.js"]Build and Run:
docker build -t myapp:1.0 .
docker run --rm -p 3000:3000 myapp:1.0Chapter 5: CI/CD Integration
GitHub Actions Example
name: Build and Scan Hardened Image
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build hardened image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: |
${{ secrets.DOCKER_USERNAME }}/myapp:${{ github.sha }}
${{ secrets.DOCKER_USERNAME }}/myapp:latest
build-args: |
BASE_IMAGE=dhi.io/node:20
- name: Run Docker Scout scan
uses: docker/scout-action@v1
with:
command: cves
image: ${{ secrets.DOCKER_USERNAME }}/myapp:${{ github.sha }}
sarif-file: scout-report.sarif
exit-code: 1 # Fail on high severity vulnerabilities
- name: Upload to GitHub Security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: scout-report.sarifConfigure Vulnerability Threshold Policy
Enforce security standards in CI/CD:
- name: Check vulnerability threshold
uses: docker/scout-action@v1
with:
command: cves
image: myapp:latest
only-fixable: true
severity: CRITICAL,HIGH
exit-code: 1 # Fail on fixable high severity vulnerabilitiesChapter 6: Production Configuration Examples
Example 1: Hardened Python Web Application
FROM dhi.io/python:3.11
WORKDIR /app
# Use --no-cache-dir to reduce image size
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
# Create non-root user
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
USER appuser
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
CMD python healthcheck.py
CMD ["python", "app.py"]Example 2: Hardened Go Microservice (Multi-stage Build)
# Stage 1: Build (full Go SDK)
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static linking, reduce binary size
RUN CGO_ENABLED=0 GOOS=linux \
go build -ldflags='-w -s' -o /app/server ./cmd/server
# Stage 2: Runtime (hardened distroless)
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]Example 3: Kubernetes Deployment Configuration
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
replicas: 3
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: myapp@sha256:abc123... # Use digest lock
ports:
- containerPort: 8080
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
- name: tmp
mountPath: /tmp
- name: app
mountPath: /app
readOnly: true
volumes:
- name: tmp
emptyDir: {}
- name: app
configMap:
name: myapp-configChapter 7: Migration from Traditional Images
Migration Checklist
-
Inventory Existing Images
docker images --format "{{.Repository}}:{{.Tag}}" -
Scan Vulnerability Baseline
docker scout cves myapp:latest -
Identify Base Images
docker inspect myapp:latest | grep -i "from" -
Develop Migration Plan
- Prioritize public-facing services
- Start with non-critical workloads
- Incremental replacement with continuous validation
Compatibility Testing
Execute these tests after migration:
- Functional Testing: Ensure application runs correctly
- Performance Testing: Compare response times and resource usage
- Security Testing: Re-scan vulnerabilities
- Rollback Testing: Ensure quick reversion capability
Performance Impact Assessment
According to Docker test data:
| Metric | Traditional Image | Hardened Image | Change |
|---|---|---|---|
| Startup Time | 1.2s | 0.8s | -33% |
| Memory Usage | 256MB | 220MB | -14% |
| CPU Usage | Baseline | Baseline | No change |
Conclusion: Hardened images show improvement in startup time and memory usage, with no CPU performance impact.
Chapter 8: Best Practices and Common Pitfalls
Best Practices Checklist
β Always Use:
- DHI base images (dhi.io/*)
- Non-root users
- Read-only filesystems
- Image digest locking (@sha256:xxx)
- Regular scanning and rebuilding
β Avoid:
- Using
:latesttag in production - Running containers as root
- Storing sensitive data in containers
- Ignoring Docker Scout scan results
Common Mistakes and How to Avoid Them
Mistake 1: Running apk add or apt-get install in hardened images
# β Wrong: Breaks hardening guarantees
FROM dhi.io/python:3.11
RUN apt-get update && apt-get install -y curl
# β
Correct: Use DHI packages (if available)
FROM dhi.io/python:3.11
# Or install in build stage
FROM python:3.11 AS builder
RUN apt-get update && apt-get install -y curl
FROM dhi.io/python:3.11
COPY --from=builder /usr/bin/curl /usr/bin/curlMistake 2: Forgetting to configure non-root user
# β Wrong: Runs as root by default
FROM dhi.io/node:20
CMD ["node", "app.js"]
# β
Correct: Explicitly specify user
FROM dhi.io/node:20
USER node
CMD ["node", "app.js"]Summary and Next Steps
Docker Hardened System Packages represent a new standard in container security through:
- β Complete provenance chain (SLSA Build Level 3)
- β Near-zero CVE guarantee (continuous patching and rebuilding)
- β Multi-distro support (Alpine + Debian)
- β Flexible service tiers (free Community to enterprise Enterprise)
Recommended Starting Path
-
Today: Start with DHI Community free images
docker pull dhi.io/node:20 -
This Week: Use Docker Scout to compare scans
docker scout compare --to node:20 dhi.io/node:20 -
This Month: Integrate automated scanning in CI/CD
- uses: docker/scout-action@v1 -
Next Quarter: Evaluate DHI Select/Enterprise for SLA support
External References:
