Announcing Docker Hardened System Packages
Source: Docker Blog
Your Package Manager, Now with a Security Upgrade
Last December, we made Docker Hardened Images (DHI) free because we believe secure, minimal, production‑ready images should be the default. Every developer deserves strong security at no cost. It should not be complicated or locked behind a paywall.
From the start, flexibility mattered just as much as security. Unlike opaque, proprietary hardened alternatives, DHI is built on trusted open‑source foundations like Alpine and Debian. That gives teams true multi‑distro flexibility without forcing change.
- If you run Alpine, stay on Alpine.
- If Debian is your standard, keep it.
DHI strengthens what you already use. It does not require you to replace it.
Extending the philosophy beyond images
With Docker Hardened System Packages, we’re driving security deeper into the stack. Every package is built on the same secure supply‑chain foundation: source‑built and patched by Docker, cryptographically attested, and backed by an SLA.
The best part? Multi‑distro support by design.
The result is consistent, end‑to‑end hardening across environments with the production‑grade reliability teams expect.
Since introducing DHI Community (our OSS tier), interest has surged. The DHI catalog has expanded from more than 1,000 to over 2,000 hardened container images. Its openness and ability to meet teams where they are have accelerated adoption across the ecosystem. Companies of all sizes, along with a growing number of open‑source projects, are making DHI their standard for secure containers.
A short selection of examples
- n8n.io has moved its production infrastructure to DHI; they share why and how in this recent webinar.
- Medplum, an open‑source electronic health‑records platform (managing data of 20+ million patients), has now standardized to DHI.
- Adobe uses DHI because of great alignment with its security posture and developer‑tooling compatibility.
- Attentive co‑authored this e‑book with Docker on helping others move from POC to production with DHI.
Docker Hardened System Packages: Going Deeper into the Container
From day one, Docker has built and secured the most critical operating‑system packages to deliver on our CVE‑remediation commitments. This is how we continuously maintain near‑zero CVEs in DHI images.
At the same time, we recognize that many teams extend our minimal base images with additional upstream packages to meet their specific requirements. To support that reality, we are expanding our catalog with more than 8,000 hardened Alpine packages (Debian coverage coming soon).
What this means for you
- Flexibility without weakening security – Start with a DHI base image, add the packages you need, and retain the same hardened‑supply‑chain guarantees.
- No distro switching required – Continue using the Alpine and Debian environments you know, now backed by Docker’s secure‑build system (SLSA Build Level 3).
- Continuous patching & verified builds – Every package is built from source, attested, and cryptographically signed from the base image to the final container.
Why this matters for your security posture
| Benefit | Description |
|---|---|
| Complete provenance chain | Every package is built from source by Docker, attested, and cryptographically signed. Your provenance stays intact from base image to final container. |
| Faster vulnerability remediation | When a vulnerability is identified, we patch it at the package level and publish it to the catalog—not image by image. Fixes propagate quickly and scale across your entire container fleet. |
| Extending the near‑zero CVE guarantee | DHI images maintain near‑zero CVEs. Hardened System Packages extend that guarantee to the software you add during customization. |
| Use hardened packages with any container | DHI Enterprise customers get access to the secure‑packages repository, making it possible to use Hardened System Packages beyond DHI images. Integrate them into your own pipelines and across Alpine and Debian workloads throughout your environment. |
Ongoing effort on our users’ behalf
Maintaining thousands of packages is continuous work. We:
- Monitor upstream projects.
- Backport security patches.
- Test compatibility across dependencies.
- Rebuild packages when dependencies change.
- Generate attestations for every release.
- Alpine: > 8,000 hardened packages today, soon approaching 10,000.
- Debian: Coverage is in progress and will follow shortly.
Start with a hardened DHI base image, add the packages you need, and keep your containers secure from the ground up.
Making Enterprise‑Grade Security Even More Accessible
We’re simplifying how teams access DHI:
- DHI Community – the full catalog of thousands of open‑source images (Apache 2.0). Just a name change; licensing remains the same.
- DHI Select – a new pricing tier for teams that need SLA‑backed CVE remediation and customization at a more accessible price. Price: $5,000 per repository.
- DHI Enterprise – for organizations with demanding requirements, offering:
  - Unlimited customizations
  - Access to the Hardened System Packages repository
  - Extended lifecycle coverage (up to 5 years after upstream EOL)
- DHI Extended Lifecycle Support – an add‑on that extends the Enterprise offering even further.
More options = more teams can adopt the right level of security for where they are today.
## Build with the standard that’s redefining container security
Docker’s momentum in securing the software supply chain is accelerating. We’re bringing security to more layers of the stack, making it easier for teams to **build securely by default**—whether they’re using open‑source containers or internally‑developed software.
Key initiatives:
- **Broader security coverage** across the entire stack.
- **One‑day (or shorter) turnaround** for critical CVE fixes.
- Continuous improvement that moves us toward **end‑to‑end supply‑chain security** for all critical applications.
Each step builds on the last, bringing us closer to a fully secure development pipeline.
## Get started
- **Join the n8n webinar** – Learn how they run production workloads on Docker Hardened Images:
- **Start your free trial** – Get access to the full Docker Hardened Images (DHI) catalog: