What to Expect from Your 30-days Trial?<\/h3>\n
You\u2019ve got 30 days to evaluate whether Docker Hardened Images fits your environment. That\u2019s enough time to answer the crucial question: Would this reduce our security debt without adding operational burden?<\/em><\/p>\n It\u2019s important to note that while DHI provides production\u2011grade images, this trial isn\u2019t about rushing into production. Its primary purpose is educational: to let you experience the benefits of a hardened base image for supply\u2011chain security by testing it with the actual services in your stack and measuring the results.<\/p>\n By the end of the trial, you should have concrete results<\/strong>:\u00a0<\/p>\n Testing with real projects always outshines promises.<\/p>\n The DHI quickstart guide<\/a> walks through the actions. This post covers what the docs don\u2019t: the confusion points you may hit, what metrics actually matter, and how to evaluate results easily.<\/p>\n\n To get started with your Free trial, you must be an organization owner or editor. This means you will get your own Repository where you can mirror images, but we\u2019ll get back to this later.<\/p>\n If you are familiar with Docker Hub, the DHI catalog should already look familiar:<\/p>\n\n The most obvious difference are the little lock icons indicating a Hardened Image. But what exactly does it mean?<\/p>\n The core concept behind hardened images is that they present a minimal attack surface<\/strong>, which in practical terms means that only the strict minimum is included (as opposed to \u201cbattery-included\u201d distributions like Ubuntu or Debian).\u00a0<\/p>\n Think of it like this: The hardened images maintain compatibility with the distro\u2019s core characteristics (libc, filesystem hierarchy, package names) while removing the convenience layers that increase attack surface (package managers, extra utilities, debugging tools).<\/p>\n So the \u201cOS\u201d designation you can see below every DHI means this image is built on top of those\u00a0 distributions (uses the same base operating system), but with security hardening and package minimization applied.<\/p>\n Sometimes, you need<\/em> these convenient Linux utilities, for development or testing purposes.\u00a0<\/p>\n This is where variants<\/strong> come into play.<\/p>\n The catalog shows multiple variants for each base image: standard versions, (dev) versions, (fips) versions.\u00a0 Here\u2019s what they mean:\u00a0<\/p>\n Standard variants (e.g., node-base:24-debian13):<\/p>\n Fips variants (e.g., node-base:24-debian13-fips): Dev variants (e.g., node-base:24-debian13-dev):<\/p>\n The catalog includes dozens of base images: language runtimes (Python, Node, Go), distros (Alpine, Ubuntu, Debian), specialized tools (nginx, Redis).\u00a0 You can\u2019t just \u2018docker pull\u2019 directly from Docker\u2019s DHI catalog. Instead, you mirror images to your organization\u2019s namespace first. Here\u2019s the workflow:<\/p>\n Mirroring takes a few minutes and copies all available tags. Once complete, the image appears in your organization\u2019s repositories like any other image.<\/p>\n Why this model? Two reasons:<\/p>\n The first time you encounter \u201cmirror this image to your repository,\u201d it feels like unnecessary friction. But once you realize it\u2019s a one-time setup per base image (not per tag), it makes sense. You mirror node-base once and get access to all current and future Node versions<\/p>\n Now that you\u2019ve mirrored a hardened image, it\u2019s time to test it with an actual project. The goal is to discover friction points early, when stakes are low.<\/p>\n Choose a project that is:<\/p>\n Open your Dockerfile and locate the FROM instruction. The migration is straightforward:<\/p>\n \n Replace your organization\u2019s namespace and choose the appropriate tag. If you were using a generic tag like node:22, switch to a specific version tag from the hardened catalog (like 22-debian13-fips). Pinning to specific versions is a best practice anyway \u2013 hardened images just make it more explicit.<\/p>\n For\u00a0 other language runtimes, the pattern is similar:<\/p>\n # Python example # Node example Build the image with your new base:<\/p>\n docker build . -t my-service-hardened<\/p>\n Watch the build output: if your Dockerfile assumes certain utilities exist (like wget, curl, or package managers), the build may fail<\/strong>. This is expected. Hardened bases strip unnecessary tools to reduce attack surface. Here are some common build failures and fixes:<\/p>\n Missing package manager (apt, yum):<\/p>\n Missing utilities (wget, curl, bash):<\/p>\n Different default user:<\/p>\n For my Node.js test, the build succeeded without changes. The hardened Node base contained everything the runtime needed \u2013 npm dependencies installed normally, and the packages removed were system utilities my application never touched.<\/p>\n Build success doesn\u2019t mean runtime success. Start the container and verify it behaves correctly:<\/p>\n docker run \u2013rm -p 3000:3000 my-service-hardened<\/p>\n Test the service:<\/p>\n\n Before moving to measurement, build the original version alongside the hardened one:<\/p>\n # Switch to your main branch Now you have two images to compare: one with the official base, one with the hardened base. Now comes the evaluation: what actually improved, and by how much?<\/p>\n\n Docker Scout compares images and reports on vulnerabilities, package differences, and size changes. If you haven\u2019t enrolled your organization with Scout yet, you\u2019ll need to do that first (it\u2019s free for the comparison features we\u2019re using).<\/p>\n Run the comparison (here we are comparing Node base images) :<\/p>\n docker scout compare \u2013to <your-org-namespace>\/dhi-node:24.11-debian13-fips node:24-bookworm-slim<\/p>\n Scout outputs a detailed breakdown. Here\u2019s what we found when comparing the official Node.js image to the hardened version.<\/p>\n The Scout output shows CVE counts by severity:<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Official Node\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Hardened DHI The hardened image achieved complete vulnerability elimination. While the official image already had zero Critical\/High CVEs (good baseline), it contained 1 Medium and 24 Low severity issues \u2013 all eliminated in the hardened version. Scout shows a dramatic difference in package count:<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Official Node\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Hardened DHI The hardened image removed 289 packages including:<\/p>\n These are tools your Node.js application never uses at runtime. Removing them drastically reduces attack surface: 90% fewer packages means 90% fewer potential targets for exploitation. Scout reports image sizes:<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Official Node\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Hardened DHI The hardened image is 41.5% smaller \u2013 that\u2019s 34 MB saved per image<\/strong>. For a single service, this might seem minor. But multiply across dozens or hundreds of microservices, and the benefits start to become obvious: faster pulls, lower storage costs, and reduced network transfer.<\/p>\n One of the most valuable compliance features is the embedded SBOM (Software Bill of Materials). Unlike many images where you\u2019d need to generate the SBOM yourself, hardened images include it automatically.<\/p>\n Extract the SBOM to see every package in the image:<\/p>\n docker scout sbom <your-org-namespace>\/dhi-node:24.11-debian13-fips \u2013format list<\/p>\n This outputs a complete package inventory:<\/p>\n Name\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Version\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Type The Type column shows where packages came from:<\/p>\n The SBOM includes name, version, license, and package URL (purl) for each component \u2013 everything needed for vulnerability tracking and compliance reporting. # SPDX format (widely supported) Beyond the SBOM, hardened images include 17 different attestations covering SLSA provenance, FIPS compliance, STIG scans, vulnerability scans, and more. We\u2019ll explore how to verify and use these attestations in Part 2 of this blog series.<\/p>\n You\u2019ve now: The results look good on paper, but verification builds confidence for production. But how do you verify<\/em> these security claims independently? In Part 2, we\u2019ll explore:<\/p>\n View related documentation:<\/p>\n First steps: Run your first secure, production-ready image Container base images form the foundation of your application security. When those […]<\/p>\n","protected":false},"author":1,"featured_media":2816,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2815","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2815"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2815\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/2816"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Step 1: Understanding the DHI Catalog\u00a0<\/h3>\n
![\"DHI](\"https:\/\/www.docker.com\/app\/uploads\/2025\/11\/DHI-Trial-4-1.png\" "\\"-")
\n <\/div>\n\n![\"DHI](\"https:\/\/www.docker.com\/app\/uploads\/2025\/11\/DHI-Trial-3.png\" "\\"-")
\n <\/div>\n![\"DHI](\"https:\/\/www.docker.com\/app\/uploads\/2025\/11\/DHI-Trial-2.png\" "\\"-")
The variant choice matters for security posture. If you can run your application without a package manager in the final image (using multi-stage builds, for example), always choose the standard variant. Fewer tools in the container means fewer potential vulnerabilities.<\/p>\n\n
FIPS variants come in both runtime and build-time variants. These variants use cryptographic modules that have been validated under FIPS 140, a U.S. government standard for secure cryptographic operations. They are required for highly-regulated environments<\/p>\n\n
Instead of trying to evaluate everything from the start, start narrow by picking one image<\/strong> (that you use frequently (Alpine, Python, Node are common starting points) for the first test.
What \u201cEntitlements\u201d and \u201cMirroring\u201d Actually Mean<\/p>\n\n
\n
![\"DHI](\"https:\/\/www.docker.com\/app\/uploads\/2025\/11\/DHI-Trial-1.png\" "\\"-")
Step 2: Your First Real Migration Test<\/h3>\n
\n
\n
Drop-In Replacement<\/h4>\n
\n# Before\nFROM node:22-bookworm-slim\n# After\nFROM <your-org-namespace>\/dhi-node:22-debian13-fips\n<\/pre>\n<\/div>\n<\/p>
FROM python:3.12-slim
# becomes
FROM <your-org-namespace>\/dhi-python-base:3.12-bookworm<\/p>\n
FROM node:20-alpine
# becomes
FROM <your-org-namespace>\/dhi-node-base:20.18-alpine3.20<\/p>\nBuild and Test<\/h4>\n
\n
\n
\n
Verify It Runs<\/h4>\n
\n
Step 3: Comparing What Changed
<\/h3>\n
git checkout main
# Build original version
docker build . -t my-service-original
# Switch back to your test branch with hardened base
git checkout dhi-test
# Build hardened version
docker build . -t my-service-hardened<\/p>\nDocker Scout<\/h4>\n\n
1. Vulnerability Reduction<\/h4>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a024-bookworm-slim \u00a0 \u00a0 \u00a0 24.11-debian13-fips
Critical\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0
High\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0
Medium\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 1\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0 \u2190 eliminated
Low \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 24 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0 \u2190 eliminated
Total \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 25 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0<\/p>\n
Medium and Low severity vulnerabilities matter for compliance frameworks. If you\u2019re pursuing SOC2, ISO 27001, or similar certifications (especially in regulated industries with strict security standards), demonstrating zero CVEs across all severity levels significantly simplifies audits.<\/p>\n2. Package Reduction\u00a0<\/h4>\n
Total packages\u00a0 \u00a0 \u00a0 \u00a0 321\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 32
Reduction \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u2014\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 289 packages (90%)<\/p>\n\n
This is important because even if packages have no CVEs today, they represent future risk. Every utility, library, or tool in your image could become a vulnerability tomorrow. The hardened base eliminates that entire category of risk.<\/p>\n3. Size Difference<\/h4>\n
Image size\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 82 MB\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 48 MB
Reduction \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u2014\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 34 MB (41.5%)<\/p>\n4. Extracting and Reading the SBOM
<\/h4>\n
base-files\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 13.8+deb13u1 \u00a0 \u00a0 deb
ca-certificates \u00a0 \u00a0 \u00a0 20250419 \u00a0 \u00a0 \u00a0 \u00a0 deb
glibc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 2.41-12\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 deb
nodejs\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 24.11.0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 dhi
openssl \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 3.5.4\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 dhi
openssl-provider-fips 3.1.2\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 dhi
\u2026<\/p>\n\n
You can can easily the SBOM in SPDX or CycloneDX format for ingestion by a vulnerability tracking tools:<\/p>\n
docker scout sbom <your-org>\/dhi-node:24.11-debian13-fips
\u00a0\u00a0\u2013format spdx
\u00a0\u00a0\u2013output node-sbom.json
# CycloneDX format (OWASP standard)
docker scout sbom <your-org>\/dhi-node:24.11-debian13-fips
\u00a0\u00a0\u2013format cyclonedx
\u00a0\u00a0\u2013output node-sbom-cyclonedx.json<\/p>\nTrust, But Verify<\/h3>\n
![\"\u2705\"](\"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/2705.png\")
\n
\n