{"id":3398,"date":"2026-02-10T14:12:48","date_gmt":"2026-02-10T14:12:48","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/02\/10\/hardened-images-are-free-now-what\/"},"modified":"2026-02-10T14:12:48","modified_gmt":"2026-02-10T14:12:48","slug":"hardened-images-are-free-now-what","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/02\/10\/hardened-images-are-free-now-what\/","title":{"rendered":"Hardened Images Are Free. Now What?"},"content":{"rendered":"<p><a href=\"https:\/\/docs.docker.com\/dhi\/\" rel=\"nofollow noopener\" target=\"_blank\">Docker Hardened Images<\/a> are now free, covering Alpine, Debian, and over 1,000 images including databases, runtimes, and message buses. For security teams, this changes the economics of container vulnerability management.<\/p>\n<p>DHI includes security fixes from Docker\u2019s security team, which simplifies security response. Platform teams can pull the patched base image and redeploy quickly. But free hardened images raise a question: how should this change your security practice? Here\u2019s how our thinking is evolving at Docker.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What Changes (and What Doesn\u2019t)<\/strong><\/h2>\n<p>DHI gives you a security \u201cwaterline.\u201d Below the waterline, Docker owns vulnerability management. Above it, you do. When a scanner flags something in a DHI layer, it\u2019s not actionable by your team. Everything above the DHI boundary remains yours.<\/p>\n<p>The scope depends on which DHI images you use. A hardened Python image covers the OS and runtime, shrinking your surface to application code and direct dependencies. A hardened base image with your own runtime on top sets the boundary lower. The goal is to push your waterline as high as possible.<\/p>\n<p>Vulnerabilities don\u2019t disappear. Below the waterline, you need to pull patched DHI images promptly. Above it, you still own application code, dependencies, and anything you\u2019ve layered on top.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Supply Chain Isolation<\/strong><\/h2>\n<p>DHI provides supply chain isolation beyond CVE remediation.<\/p>\n<p>Community images like <code>python:3.11<\/code> carry implicit trust assumptions: no compromised maintainer credentials, no malicious layer injection via tag overwrite, no tampering since your last pull. The <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/09\/23\/widespread-supply-chain-compromise-impacting-npm-ecosystem\" rel=\"nofollow noopener\" target=\"_blank\">Shai Hulud campaign(s)<\/a> demonstrated the consequences when attackers exploit stolen PATs and tag mutability to propagate through the ecosystem.<\/p>\n<p>DHI images come from a controlled namespace where Docker rebuilds from source with review processes and cooldown periods. Supply chain attacks that burn through community images stop at the DHI boundary. You\u2019re not immune to all supply chain risk, but you\u2019ve eliminated exposure to attacks that exploit community image trust models.<\/p>\n<p>This is a different value proposition than CVE reduction. It\u2019s isolation from an entire class of increasingly sophisticated attacks.<\/p>\n<h2 class=\"wp-block-heading\"><strong>The Container Image as the Unit of Assessment<\/strong><\/h2>\n<p>Security scanning is fragmented. Dependency scanning, SAST, and SCA all run in different contexts, and none has full visibility into how everything fits together at deployment time.<\/p>\n<p>The container image is where all of this converges. It\u2019s the actual deployment artifact, which makes it the checkpoint where you can guarantee uniform enforcement from developer workstation to production. The same evaluation criteria you run locally after <code>docker build<\/code> can be identical to what runs in CI and what gates production deployments.<\/p>\n<p>This doesn\u2019t need to replace earlier pipeline scanning altogether. It means the image is where you enforce policy consistency and build a coherent audit trail that maps directly to what you\u2019re deploying.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Policy-Driven Automation<\/strong><\/h2>\n<p>Every enterprise has a vulnerability management policy. The gap is usually between policy (PDFs and wikis) and practice (spreadsheets and Jira tickets).<\/p>\n<p>DHI makes that gap easier to close by dramatically reducing the volume of findings that require policy decisions in the first place. When your scanner returns 50 CVEs instead of 500, even basic severity filtering becomes a workable triage system rather than an overwhelming backlog.<\/p>\n<p>A simple, achievable policy might include the following:<\/p>\n<ul class=\"wp-block-list\">\n<li>High and critical severity vulnerabilities require remediation or documented exception<\/li>\n<li>Medium and lower severity issues are accepted with periodic review<\/li>\n<li>CISA KEV vulnerabilities are always in scope<\/li>\n<\/ul>\n<p>Most scanning platforms support this level of filtering natively, including Grype, Trivy, Snyk, Wiz, Prisma Cloud, Aqua, and Docker Scout. You define your severity thresholds, apply them automatically, and surface only what requires human judgment.<\/p>\n<p>For teams wanting tighter integration with DHI coverage data, Docker Scout evaluates policies against DHI status directly. Third-party scanners can achieve similar results through pipeline scripting or by exporting DHI coverage information for comparison.<\/p>\n<p>The goal isn\u2019t perfect automation but rather reducing noise enough that your existing policy becomes enforceable without burning out your engineers.<\/p>\n<h2 class=\"wp-block-heading\"><strong>VEX: What You Can Do Today<\/strong><\/h2>\n<p>Docker Hardened Images ship with <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/minimum-requirements-vulnerability-exploitability-exchange-vex\" rel=\"nofollow noopener\" target=\"_blank\">VEX<\/a> attestations that suppress CVEs Docker has assessed as not exploitable in context. The natural extension is for your teams to add their own VEX statements for application-layer findings.<\/p>\n<p>Here\u2019s what your security team can do today:<\/p>\n<p><strong>Consume DHI VEX data.<\/strong> <a href=\"https:\/\/github.com\/anchore\/grype\" rel=\"nofollow noopener\" target=\"_blank\">Grype<\/a> (v0.65+), <a href=\"https:\/\/trivy.dev\/\" rel=\"nofollow noopener\" target=\"_blank\">Trivy<\/a>, <a href=\"https:\/\/www.wiz.io\/\" rel=\"nofollow noopener\" target=\"_blank\">Wiz<\/a>, and <a href=\"https:\/\/docs.docker.com\/scout\/\" rel=\"nofollow noopener\" target=\"_blank\">Docker Scout<\/a> all ingest DHI VEX attestations automatically or via flags. Scanners without VEX support can still use extracted attestations to inform manual triage.<\/p>\n<p><strong>Write your own VEX statements.<\/strong> <a href=\"https:\/\/openvex.dev\/\" rel=\"nofollow noopener\" target=\"_blank\">OpenVEX<\/a> provides the JSON format. Use <a href=\"https:\/\/github.com\/openvex\/vexctl\" rel=\"nofollow noopener\" target=\"_blank\">vexctl<\/a> to generate and sign statements.<\/p>\n<p><strong>Attach VEX to images.<\/strong> Docker recommends docker scout attestation add for attaching VEX to images already in a registry:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: xml; title: ; notranslate\">\ndocker scout attestation add \n  --file .\/cve-2024-1234.vex.json \n  --predicate-type https:\/\/openvex.dev\/ns\/v0.2.0 \n  &lt;image&gt;\n<\/pre>\n<\/div>\n<p>Alternatively, COPY VEX documents into the image filesystem at build time, though this prevents updates without rebuilding.<\/p>\n<p><strong>Configure scanner VEX ingestion.<\/strong> The workflow: scan, identify investigated findings, document as VEX, feed back into scanner config. Future scans automatically suppress assessed vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Compliance: What DHI Actually Provides<\/strong><\/h2>\n<p>Compliance frameworks such as<strong> <\/strong><a href=\"https:\/\/www.docker.com\/blog\/docker-announces-soc-2-type-2-attestation-iso-27001-certification\/\">ISO 27001, SOC 2<\/a>, and the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cyber-resilience-act\" rel=\"nofollow noopener\" target=\"_blank\">EU Cyber Resilience Act<\/a> require systematic, auditable vulnerability management. DHI addresses specific control requirements:<\/p>\n<p><strong>Vulnerability management documentation (ISO 27001\u00a0 A.8.8. , SOC 2 CC7.1).<\/strong> The waterline model provides a defensible answer to \u201chow do you handle base image vulnerabilities?\u201d Point to DHI, explain the attestation model, show policy for everything above the waterline.<\/p>\n<p><strong>Continuous monitoring evidence.<\/strong> DHI images rebuild and re-scan on a defined cadence. New digests mean current assessments. Combined with your scanner\u2019s continuous monitoring, you demonstrate ongoing evaluation rather than point-in-time checks.<\/p>\n<p><strong>Remediation traceability.<\/strong> VEX attestations create machine-readable records of how each CVE was handled. When auditors ask about specific CVEs in specific deployments, you have answers tied to image digests and timestamps.<\/p>\n<p><strong>CRA alignment.<\/strong> The Cyber Resilience Act requires \u201cdue diligence\u201d vulnerability handling and SBOMs. DHI images include <a href=\"https:\/\/docs.docker.com\/build\/metadata\/attestations\/sbom\/\" rel=\"nofollow noopener\" target=\"_blank\">SBOM attestations<\/a>, and VEX aligns with CRA expectations for exploitability documentation.<\/p>\n<p>This won\u2019t satisfy every audit question, but it provides the foundation most organizations lack.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What to Do After You Read This Post<\/strong><\/h2>\n<ol class=\"wp-block-list\">\n<li><strong>Identify high-volume base images.<\/strong> Check <a href=\"https:\/\/hub.docker.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Docker Hub\u2019s Hardened Images catalog<\/a> (My Hub \u2192 Hardened Images \u2192 Catalog) for coverage of your most-used images (Python, Node, Go, Alpine, Debian).<\/li>\n<li><strong>Swap one image.<\/strong> Pick a non-critical service, change the FROM line to DHI equivalent, rebuild, scan, compare results.<\/li>\n<li><strong>Configure policy-based filtering. <\/strong>Set up your scanner to distinguish DHI-covered vulnerabilities from application-layer findings. Use Docker Scout or Wiz for native VEX integration, or configure Grype\/Trivy ignore policies based on extracted VEX data.<\/li>\n<li><strong>Document your waterline.<\/strong> Write down what DHI covers and what remains your responsibility. This becomes your policy reference and audit documentation.<\/li>\n<li><strong>Start a VEX practice.<\/strong> Convert one informally-documented vulnerability assessment into a VEX statement and attach it to the relevant image.<\/li>\n<\/ol>\n<p>DHI solves specific, expensive problems around base image vulnerabilities and supply chain trust. The opportunity is building a practice around it that scales.<\/p>\n<h2 class=\"wp-block-heading\"><strong>The Bigger Picture<\/strong><\/h2>\n<p>DHI coverage is expanding. Today it might cover your OS layer, tomorrow it extends through runtimes and into hardened libraries. Build your framework to be agnostic to where the boundary sits. The question is always the same, though, namely \u2014\u00a0 what has Docker attested to, and what remains yours to assess?<\/p>\n<p>The methodology Docker uses for DHI (policy-driven assessment, VEX attestations, auditable decisions) extends into your application layer. We can\u2019t own your custom code, but we can provide the framework for consistent practices above the waterline. Whether you use Scout, Wiz, Grype, Trivy, or another scanner, the pattern is the same. You can let DHI handle what it covers, automate policy for what remains, and document decisions in formats that travel with artifacts.<\/p>\n<p>At Docker, we\u2019re using DHI internally to build this vulnerability management model. The framework stays constant regardless of how much of our stack is hardened today versus a year from now. Only the boundary moves.<\/p>\n<p>The hardened images are free. The VEX attestations are included. What\u2019s left is integrating these pieces into a coherent security practice where the container is the unit of truth, policy drives automation, and every vulnerability decision is documented by default.<\/p>\n<p>For organizations that require stronger guarantees, FIPS-enabled and STIG-ready images, and customizations, DHI Enterprise is tailor made for those use cases. <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/#getstarted\">Get in touch<\/a> with the Docker team if you would like a demo. If you\u2019re still exploring, take a look at <a href=\"https:\/\/hub.docker.com\/hardened-images\/catalog\" rel=\"nofollow noopener\" target=\"_blank\">the catalog<\/a> (no-signup needed) or take DHI Enterprise for a spin with a <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/#getstarted\">free trial<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Docker Hardened Images are now free, covering Alpine, Debian, and over 1,000 images including databases, runtimes, and message buses. For [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":94,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-3398","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3398"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3398\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}