Posted by anttiharju 12/17/2025

A Safer Container Ecosystem with Docker: Free Docker Hardened Images (www.docker.com)
360 points | 98 comments
wolfi1 12/17/2025|
hardened images are cool, definitely, but I'm not sure what it actually means: just systems with the latest patches, or stricter config rules as well? For example: would any of these images have mitigated or even prevented Shai-Hulud [12]?
divmain 12/17/2025||
Docker Hardened Images integrate Socket Firewall, which provides protection from threats like Shai-Hulud during build steps. You can read our partnership announcement over here: https://socket.dev/blog/socket-firewall-now-available-in-doc...
kevinb2222 12/17/2025||
Docker Hardened Images are built from scratch with the minimal packages to run the image. The hardened images didn't contain any compromised packages for Shai-Hulud.

https://www.docker.com/blog/security-that-moves-fast-dockers...

Note: I work at Docker

wolfi1 12/17/2025||
yeah, but if you had installed your software with npm, would the postinstall script have been executed?
kevinb2222 12/17/2025|||
Hardened base images don't restrict what you add on top of them. That's where scanners like Docker Scout, Trivy, Grype, and more come in to review the complete image that you have built.
shepherdjerred 12/17/2025|||
Of course? They are only concerned with the base image. What you do with it is your responsibility

This would be like expecting AWS to protect your EC2 instance from a postinstall script

acdha 12/17/2025||
The difference is that they’re charging extra for it, so people want to see benefits they could take to their management to justify the extra cost. The NPM stuff has a lot of people’s attention right now so it’s natural to ask whether something would have blocked what your CISO is probably asking about since you have an unlimited number of possible security purchase options. One of the Docker employees mentioned one relevant feature: https://socket.dev/blog/socket-firewall-now-available-in-doc...

Update the analogy to “like EC2 but we handle the base OS patching and container runtime” and you have Fargate.

jitl 12/17/2025||
I went to "Hardened Images Catalog" and searched for pgbouncer, not found (https://hub.docker.com/hardened-images/catalog?search=pgboun...)

There's a "Make a request" button, but it links to this 404-ing GitHub URL: https://github.com/docker-hardened-images/discussion/issues

oh well. hope it's good stuff otherwise.

pploug 12/17/2025||
Thanks for reporting; the team is fixing it. The right URL is: https://github.com/docker-hardened-images/catalog/issues/
nathanchou 12/18/2025||
CEO of VulnFree here.

We can harden that image for you. $800/img/mth for standard setups. Feel free to reach out on our contact form and our automations will ping our phones, so you can expect a quick response (even on weekends).

radioradioradio 12/18/2025||
I think I can do it for 750 - Xmas discount
jiehong 12/17/2025||
At $work, we switched everything to Red Hat's UBI images (micro and minimal) for that.

But, we pay for support already.

Nice from docker!

nunez 12/18/2025|
Red Hat launched an equivalent effort in October: https://www.redhat.com/en/technologies/linux-platforms/enter...
limaho 12/25/2025||
I'm struggling to find where I can browse these RHEL images. Do you have any insight?

edit: they can be found here https://quay.io/organization/hummingbird and more documentation is located here https://gitlab.com/redhat/hummingbird/containers

politelemon 12/17/2025||
I appreciate what they're doing here, which is something I haven't seen other vendors doing.
lrvick 12/18/2025||
For anyone that wants dead simple LFS style, full source bootstrapped, deterministic, multi-party compiled/signed container native images with hash pinning for your entire dependency graph, that will be free forever, check out stagex.

None of the alternatives come anywhere close to what we needed to satisfy a threat model that trusts no single maintainer or computer, so we started over from actually zero.

https://stagex.tools

chuckadams 12/18/2025|
I checked out stagex and hit `make`, and after the delightful initial bootstrap phase, I sat for hours watching eleventy thousand attempts to download gnulib (and many other gnu packages) time out and fail. Is there perhaps a tarball or other image available that collects all these packages together? Seems it would only add up to as much as the source packages of a small Linux distribution.

I've also noticed it's downloading many different versions of the same set of packages, which seems odd for bootstrapping a build. I finally lost patience and stopped it. Sure, in the real world I'll probably start from a stage3 container, but so far, trying it out for myself has been pretty disappointing.

lrvick 12/18/2025||
If we put out our own tar of all the sources, who is to say we did not tamper with them? This is a bit of a lose/lose, but we have a solution we are working on with other distros to have a shared repository for all these, often legacy, sources and a universal SWHID identifier for each one we can pin in stagex so they are highly tamper evident.

For the shorter term we are starting to archive at archive.org and CERN and hope to have the fetch script be able to fail over to those soon.

The GNU servers are the worst, and unreliable for hours at a time, and have lots of rate limiting.

At the moment collecting all the sources directly from upstreams, while great for trust building, is the biggest pain point. Sorry about that!

For the super short term join #stagex:matrix.org and anyone would be happy to wormhole you their "fetch" directory.

a-l-e-c 12/18/2025||
Which would be the best/recommended ways to compare the official images to their hardened versions, and could most of the differences be baked into the original images by default? Wondering specifically about something like postgres.
a-l-e-c 12/22/2025|
nvm... seems like 'docker history' should work to compare images
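The comparison the comment above suggests, as an added example that is not part of the thread: capture `docker history` output for the official image and for a hardened variant, then diff the layer commands. It also flags layers that invoke a package manager, since (as noted earlier in the thread) whatever you install on top of a hardened base is the part the base image cannot vouch for. Image names and the sample history lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Docker): compare layer commands
# of two images as reported by `docker history`, and flag package-manager
# layers. All image names and sample lines are placeholders/constructed.
LC_ALL=C; export LC_ALL

# Capture step (needs docker; run separately, outside this script):
#   docker history --no-trunc --format '{{.CreatedBy}}' postgres:17 > official.txt
#   docker history --no-trunc --format '{{.CreatedBy}}' <hardened-postgres-image> > hardened.txt

# layer_diff FILE_A FILE_B: layer commands only in A are printed with "- ",
# those only in B with "+ ". Order-insensitive, so reordered layers are not
# reported as differences.
layer_diff() {
  a=$(mktemp); b=$(mktemp)
  sort -u "$1" > "$a"; sort -u "$2" > "$b"
  comm -23 "$a" "$b" | sed 's/^/- /'
  comm -13 "$a" "$b" | sed 's/^/+ /'
  rm -f "$a" "$b"
}

# count_layers FILE: number of non-empty layer lines.
count_layers() { grep -c . "$1"; }

# package_manager_layers FILE: how many layers run a package manager or
# language package installer. Those layers are where third-party code
# enters the image and are the ones a scanner should review.
package_manager_layers() {
  grep -E -c 'apt-get|apk add|yum |dnf |npm (ci|install)|pip install' "$1"
}

# Constructed sample history output for an "official" image.
SAMPLE_OFFICIAL=$(mktemp)
cat > "$SAMPLE_OFFICIAL" <<'EOF'
/bin/sh -c #(nop) ADD file:constructed-full-rootfs in /
/bin/sh -c apt-get update && apt-get install -y --no-install-recommends curl gnupg
/bin/sh -c #(nop)  CMD ["postgres"]
EOF

# Constructed sample history output for a "hardened" variant.
SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
/bin/sh -c #(nop) ADD file:constructed-minimal-rootfs in /
/bin/sh -c #(nop)  CMD ["postgres"]
EOF

# Demonstration on the constructed samples.
echo "official layers:  $(count_layers "$SAMPLE_OFFICIAL")"
echo "hardened layers:  $(count_layers "$SAMPLE_HARDENED")"
echo "package-manager layers in official: $(package_manager_layers "$SAMPLE_OFFICIAL")"
echo "--- layer diff (official -> hardened) ---"
layer_diff "$SAMPLE_OFFICIAL" "$SAMPLE_HARDENED"
```

Replace the two heredocs with the captured `official.txt` and `hardened.txt` to run it on real images; `--no-trunc` matters, because the default output cuts long `RUN` lines and makes otherwise different layers compare equal.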
kamrannetic 12/17/2025||
no need for chainguard/bitnami anymore?
progbits 12/17/2025||
Bitnami is in Broadcom hell, nobody should use that.

Chainguard still has better CVE response time and can better guarantee you zero active exploits found by your prod scanners.

(No affiliation with either, but we use chainguard at work, and used to use bitnami too before I ripped it all out)

mmbleh 12/17/2025||
CVE response time is a toss-up, they all patch fast. Chainguard can only guarantee zero active exploits because they control their own exploit feed, and don't publish anything on it until they've patched. So while this makes it look better, it may not actually be better.
dlor 12/17/2025||
Hey!

I work at Chainguard. We don't guarantee zero active exploits, but we do have a contractual SLA we offer around CVE scan results (those aren't quite the same thing unfortunately).

We do issue an advisory feed in a few versions that scanners integrate with. The traditional format we used (which is what most scanners supported at the time) didn't have a way to include pending information so we couldn't include it there.

The basic flow was: scanner finds CVE and alerts, we issue statement showing when and where we fixed it, the scanner understands that and doesn't show it in versions after that.

So there wasn't really a spot to put "this is present"; that was the scanner's job. Not all scanners work that way though, and some just rely on our feed and don't do their own homework, so it's hit or miss.

We do have another feed now that uses the newer OSV format, in that feed we have all the info around when we detect it, when we patch it, etc.

All this info is available publicly and shown in our console, many of them you can see here: https://github.com/wolfi-dev/advisories

You can take this example: https://github.com/wolfi-dev/advisories/blob/main/amass.advi... and see the timestamps for when we detected CVEs, in what version, and how long it took us to patch.

digi59404 12/17/2025||
FWIW - A whole host of the pre-IPO GitLab folks went to Chainguard. A lot of them, many in leadership roles. Most importantly, in sales leadership. These are people who don't really believe in high-pressure sales. Rather they aim to show the value and not squeeze customers for profit or make a number on a chart go up.

Do with that knowledge what you may.

chrisweekly 12/17/2025||
Thanks for sharing. This kind of "color" isn't always easy to ascertain, but (for me, at least) it plays a part in vendor selection.
dangoodmanUT 12/18/2025||
A hardened image is just removing everything that's not your code, or required for your code to run.

From scratch is ideal, distroless is great too

Then use firewalls around your containers as needed
