More than 1,000 Docker Hardened Images (DHI) are now freely available and open source for software builders, under the Apache 2.0 license.
Docker is a popular platform that enables developers to build, test, and deploy applications quickly inside container images that include the required dependencies, allowing for predictable and repeatable results across various systems and environments.
DHIs, launched in May this year, are secure, minimal, production-ready Docker base images maintained directly by Docker. They are designed to reduce the attack surface and supply-chain risks at the container layer.
DHIs are rootless, stripped of unnecessary components, free of known vulnerabilities, and support the Vulnerability Exploitability eXchange (VEX) standard for leaner security management.
Docker also guarantees that fixes for new flaws in existing DHI components are pushed within 7 days of their disclosure.
In October, the Docker team announced that it would open unlimited access to its entire DHI catalog of 1,000 images to all developer teams and also offer a 30-day free trial to all subscribers.
However, Docker has now decided to move DHIs from a commercial offering to being available subscription-free for all developers.
“Today, we are establishing a new industry standard by making DHI freely available and open source to everyone who builds software. All 26 Million+ developers in the container ecosystem,” reads the announcement.
“DHI is fully open and free to use, share, and build on with no licensing surprises, backed by an Apache 2.0 license. DHI now gives the world a secure, minimal, production-ready foundation from the very first pull,” the company said.
Docker has highlighted that the move does not reduce the security of DHI: the images remain SBOM-verifiable, the builds provide SLSA Build Level 3 provenance, and every image is accompanied by proof of authenticity.