Docker Sets Free the Hardened Container Images

The New Stack (updated today)


With a sprawling cloud native ecosystem, security needs to be as scalable as everything else. Hence the rise of the software bill of materials (SBOM), a systematic accounting of all the software being used in an environment. An SBOM is important because it reveals where newly found security holes are located, and gives the admin a basis for streamlining, if not automating, the remediation process. Hardened images are the industry’s way of getting ahead of the never-ending river of freshly unearthed security holes by pre-applying fixes for the security holes identified by common vulnerabilities and exposures (CVEs).

Today, about 20 billion images a month are pulled from Docker Hub, so it made sense that the company started offering hardened images for its users, which it did last May. Now, Docker Inc. has expanded its service of providing security-hardened images of the most widely used open source software applications. Going forward, the full catalogue of the Docker Hardened Images (DHI) collection, which numbers over 200 packages, is free to download.

“The reason we’re doing this is to set the new standard for the container ecosystem overall,” said Mike Donovan, vice president of product at Docker, in an interview with TNS. “It’s like every customer, every engineering team was faced with evaluating 10 different vendors. That’s not going to get us to a more secure foundation that we need.”

A paid enterprise extension will concentrate on ensuring these images meet the necessary government and regulatory mandates. In addition, the company has launched, for a fee, an extended warranty service for selected images, guaranteeing they will remain patched even if the originator of that application has stopped supporting them. Docker has also extended its hardening methodology to Model Context Protocol (MCP) servers, bringing the same security rigor to the AI agent infrastructure that developers are rapidly adopting.
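To make the SBOM argument above concrete, here is an added example (not from the article, Docker or any DHI tooling) that matches a per-image SBOM in a simplified CycloneDX JSON shape against newly published advisories, producing the remediation worklist an admin would automate from. The SBOMs, component versions and advisory ids are constructed sample data, and the advisories are assumed to carry an introduced/fixed version range.

```python
import json

# Constructed sample SBOMs, one per image tag, in a simplified CycloneDX JSON shape.
SAMPLE_SBOMS = {
    "app:1.0": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.12"},
        {"name": "zlib", "version": "1.3.1"},
        {"name": "curl", "version": "8.4.0"},
    ]}),
    "worker:2.3": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.14"},
        {"name": "curl", "version": "8.1.2"},
    ]}),
}

# Constructed advisories (placeholder ids, not real CVEs). Assumed semantics:
# a component is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.13"},
    {"id": "CVE-0000-0002", "name": "curl", "introduced": "7.0.0", "fixed": "8.4.0"},
]


def parse_version(text):
    """Turn a dotted numeric version such as '3.0.12' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when the version falls inside the advisory's half-open range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_components(sbom_json, advisories):
    """Return [(component, version, advisory id)] for one SBOM document."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def triage(sboms, advisories):
    """Map image tag -> findings; images with nothing to fix are omitted."""
    return {tag: hits for tag, sbom_json in sboms.items()
            if (hits := affected_components(sbom_json, advisories))}


if __name__ == "__main__":
    for tag, hits in triage(SAMPLE_SBOMS, SAMPLE_ADVISORIES).items():
        print(tag, hits)
```

Note that the exact-boundary case (curl 8.4.0 against a fix in 8.4.0) is reported as not affected, which is the check a real feed consumer must get right to avoid false positives.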
Organizations that previously purchased DHI are automatically upgraded to DHI Enterprise at no additional cost.

What Are Hardened Images?

How are images hardened? Strong provenance, reproducible builds and clear attestations built on finely chiseled containers, according to Docker. For developers, having access to prehardened images means they don’t have to spend time updating them with the latest security patches. The images are also built in such a way that all their component sources are clearly documented and signed, to guard against changes made in on-path attacks. Thus far, DHI images have 96% fewer vulnerabilities compared with traditional base images. Each image includes:

- Complete SBOM
- Transparent public CVE data
- SLSA Build Level 3 provenance
- Cryptographic proof of authenticity

Because DHI is built on Debian and Alpine, it will be immediately compatible with variants of those distributions.

How could they be used? Socket offers a platform that detects malicious packages and stops them from being used in real time. An organization could combine Socket’s platform and Docker’s hardened images “without lifting a finger,” wrote Feross Aboukhadijeh, founder & CEO at Socket, in a statement. “Pull a hardened image, run npm install, and the Socket firewall embedded in the DHI is already working for you,” Aboukhadijeh boasted. “That is what true secure-by-default should look like.”

With the rise of SBOM, a number of organizations have stepped up with catalogues of security-hardened open source images, including Chainguard, Broadcom’s Bitnami, RapidFort and ActiveState.

Docker’s Enterprise Extension

Docker focused its paid subscription on providing services essential to the enterprise. DHI Premium is a paid offering with service-level agreements (SLAs) to ensure CVE remediation is done on a timely basis. Images are made FIPS- and STIG-compliant for U.S. Defense Department work. Docker will also support the ability to customize tools, certificates and runtime configuration. The service promises (in the company’s words):

- SLA-backed CVE remediation for critical vulnerabilities in under seven days, with a roadmap toward same-day fixes.
- FIPS-enabled and STIG-ready images.
- Full customization, including adding or changing runtime configuration, tools, certificates and image contents, while maintaining trust and provenance.
- Complete catalog access.

Extended Life Cycle Support

Extended Life Cycle Support (ELS) is a paid add-on to DHI Enterprise, aimed at organizations that require hardened updates and compliance continuity for end-of-life software. If a software package is only supported by the project maintainers for five years, but the user needs it to run for several more years, due to internal upgrade cycles or some other factor, Docker itself will ensure the software is maintained. In detail, the service offers:

- Five additional years of security coverage beyond upstream end of life.
- Continued CVE patches, SBOM updates and provenance attestations.
- Ongoing signing and auditability for compliance frameworks.

“Extended Life Cycle Support helps … keep long-running systems secure without constant replatforming,” said Temporal.io CEO Samar Abbas, in a statement.

MCP Hardened, Too

Docker is extending its hardening platform to MCP server images on the hub as well. With this announcement, the company has launched hardened versions of a number of the most popular servers, including Grafana, MongoDB, GitHub and Context7. In the weeks ahead, the company plans to harden the full MCP catalog. They get the same treatment as other hardened images, with the same minimal footprint, CVE remediation and provenance attestations.

The post Docker Sets Free the Hardened Container Images appeared first on The New Stack.
