Introduction to DHI
Containers have become the core of modern application delivery. But as adoption grows, so does the attack surface. From vulnerable base images to supply chain risks, security is no longer optional—it’s foundational.
This is where 
Docker Hardened Images (DHI) come into play.
Docker Hardened Images are minimal, secure, and production-ready container images maintained directly by Docker. They are designed to reduce vulnerabilities from the start while simplifying compliance and integration into existing workflows. Docker Hardened Images features
Instead of relying on generic base images and fixing issues later with scanners, DHI focuses on building a secure foundation from the beginning.
- Secure, minimal, production-ready container images by Docker
- Near-zero CVEs with continuous patching
- Built-in SBOM, provenance (SLSA L3), and signed metadata
- Drop-in replacement for existing Docker workflow
- Available in Community, Select, and Enterprise tiers
Docker Hardened Images (DHI) are curated container images built with a strong focus on security, minimalism, and maintainability. They are designed to reduce the number of known vulnerabilities by limiting unnecessary packages and continuously applying patches.
Most container vulnerabilities originate from base images. If your foundation is already risky, everything built on top inherits that risk. DHI minimizes this exposure early in the lifecycle.
- When building production-grade applications
- When compliance and security are priorities
- When you want to reduce dependency on reactive scanning
DHI combines multiple security layers:
- Near-zero known vulnerabilities (CVEs)
- Non-root containers by default
- Minimal packages → smaller attack surface
- Signed SBOM (Software Bill of Materials)
- SLSA Level 3 build provenance
- VEX (context about exploitability)
- Cryptographic signatures for integrity
- Packages built from source by Docker
- Signed and verified artifacts
- Reduced risk from compromised public registries
- Built on Alpine and Debian, requiring minimal changes to adopt. Full support
glibcandmuslavailable in both variants for broad application compatibility - Compatible with existing CI/CD
- No major workflow changes required
Using DHI doesn’t require additional software installation because it’s integrated directly into the Docker Engine. However, since it uses a specialized registry, you must first authenticate.
Open your terminal and run the login command for the official dhi.io registry:
docker login dhi.ioYou will be prompted for your Docker ID and Personal Access Token (PAT). Ensure your account has access to a Docker tier that supports DHI (Select or Enterprise tiers).
Implementation is as simple as updating a single line in your Dockerfile. Just replace your standard image prefix with dhi.io/.
Example: Standard Node.js Image
FROM node:22-alpine# ... rest of your buildExample: Hardened Node.js Image
FROM dhi.io/node:22# ... rest of your buildSince DHI images are designed to be extremely minimal—often lacking a shell (like /bin/sh) or a package manager (like apt/apk)—you should adopt the following strategies:
DHI is a runtime-optimized image, not a build-time environment. Perform your compilation and dependency installation in a standard “builder” image, then copy only the necessary artifacts into the final DHI layer.
# Stage 1: Build (Standard Image)FROM node:22 AS builderWORKDIR /appCOPY . .RUN npm install && npm run build
# Stage 2: Runtime (Hardened Image)FROM dhi.io/node:22WORKDIR /appCOPY --from=builder /app/dist ./dist# DHI runs as a non-root user by defaultCMD ["node", "dist/index.js"]Because DHI images lack an interactive shell, docker exec -it will not work by default. Instead, use the new Docker Debug capability to inspect your running containers:
docker debug <container_id>DHI represents a shift in how we think about container security.
Instead of reacting to vulnerabilities after scanning, DHI helps prevent them from being introduced in the first place—starting from the base image.
It doesn’t replace tools like Trivy or other scanners, but it significantly reduces the noise and risk those tools have to deal with.
If you’re already building containers, adopting hardened images is one of the lowest-effort, highest-impact improvements you can make.
Aight, thanks for taking the time read this post. Happy containerazation 🚀
References: