Setting Docker Hardened Images free (Interview) - The Changelog: Software Development, Open Source Recap

Podcast: The Changelog: Software Development, Open Source

Published: 2026-02-04

Duration: 1 hr 17 min

Summary

Docker has launched Hardened Images as a free, open-source solution to enhance supply chain security for developers, aiming to minimize vulnerabilities and streamline container management.

What Happened

In this episode, Jared welcomes Tushar Jain, EVP of Engineering at Docker, to discuss the recent launch of Docker Hardened Images (DHI), a set of secure and minimal production-ready images that are now freely available to all developers. The decision to make DHI open source stems from the rising threat of supply chain attacks that inflicted $60 billion in damages in 2025 alone, emphasizing the urgent need for a secure development environment. Tushar highlights that Docker Hardened Images were designed to minimize common vulnerabilities found in Docker images, which often become bloated with unnecessary packages and slow patching processes.

Tushar elaborates on the evolution of Docker's approach to supply chain security, explaining that the company sought to relieve engineering teams of the patching burden by providing minimal packages backed by a commitment to rapid patching. DHI was initially launched as a paid product; the decision to make most of it available for free reflects Docker's vision of promoting broad adoption and accessibility in the developer community. He notes that while basic access to these hardened images is free, enterprises still have the option to pay for additional services such as compliance and advanced support, catering to organizations with specific security needs.

The conversation also covers the technical aspects of Docker Hardened Images, such as the inclusion of Software Bills of Materials (SBOMs) and cryptographic signing. Tushar emphasizes that these measures are essential in assuring developers of the integrity and provenance of the images they use, thus contributing to a more secure software supply chain overall.

Key Questions Answered

What are Docker Hardened Images?

Docker Hardened Images are a minimal, secure set of production-ready images designed to minimize vulnerabilities. They were introduced to address the common issues associated with bloated images that often contain unnecessary packages, making them more susceptible to security issues.

Why did Docker make Hardened Images free?

Docker's decision to make Hardened Images free stems from the need to enhance accessibility and provide developers with a secure starting point. This choice aligns with their vision of promoting broader adoption of secure practices within the developer community, particularly in light of rising supply chain threats.

How do Hardened Images help with supply chain security?

Hardened Images assist with supply chain security by minimizing the common vulnerabilities found in Docker images. They are built to carry a low count of known CVEs (Common Vulnerabilities and Exposures) and are backed by a commitment to rapid patching, thus reducing the risk of attacks on the software supply chain.

What additional features are available for enterprise users?

Enterprise users can access additional features such as Service Level Agreements (SLAs), compliance support, and advanced customization options. These features cater to organizations that require a higher level of assurance and support for their security needs.

What security measures are included in Docker Hardened Images?

Docker Hardened Images include important security measures such as Software Bills of Materials (SBOMs) and cryptographic signing. These measures enhance the integrity and traceability of the images, ensuring that developers can verify the software they use rather than take it on trust.
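The points above (an SBOM tells you exactly which packages an image ships, a minimal image exposes fewer of them to advisories, and a content digest lets you check that the artifact you pulled is the one you pinned) can be made concrete with a small script. The following is an added example written for this summary; it is not Docker's code and not from the episode. The two SBOMs, the advisory list with its placeholder ids, and the manifest bytes are all constructed inline; the SBOM layout loosely follows the CycloneDX shape (a top-level `components` list with `name`, `version` and `purl`), and signature verification, which in practice is done with the registry's signing tooling, is represented here only by the digest comparison.

```python
"""Added example (not Docker's code): read an image SBOM, match it against an
advisory list, and check an image digest before deployment.

Everything below is constructed for illustration: package versions, advisory
ids and manifest bytes carry no real-world meaning.
"""
import hashlib
import json

# Constructed SBOM for a hypothetical minimal image: only what the app needs.
MINIMAL_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:deb/debian/zlib@1.3.1"},
    ],
})

# Constructed SBOM for a hypothetical "bloated" image: same app, plus tooling
# that was never removed from the base layer.
BLOATED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"name": "zlib", "version": "1.3.1", "purl": "pkg:deb/debian/zlib@1.3.1"},
        {"name": "curl", "version": "8.5.0", "purl": "pkg:deb/debian/curl@8.5.0"},
        {"name": "bash", "version": "5.2", "purl": "pkg:deb/debian/bash@5.2"},
        {"name": "perl", "version": "5.36", "purl": "pkg:deb/debian/perl@5.36"},
    ],
})

# Constructed advisory feed: (package, affected version, placeholder id).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"name": "curl", "version": "8.5.0", "id": "EXAMPLE-ADVISORY-0001"},
    {"name": "bash", "version": "5.2", "id": "EXAMPLE-ADVISORY-0002"},
]

# Constructed image manifest bytes and the digest a deployment would pin.
MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:deadbeef"}]}'


def parse_sbom(sbom_text):
    """Return {package name: version} for every component in the SBOM."""
    doc = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def find_vulnerable(components, advisories):
    """Return the ids of advisories whose (name, version) pair is in the SBOM."""
    hits = []
    for adv in advisories:
        if components.get(adv["name"]) == adv["version"]:
            hits.append(adv["id"])
    return hits


def image_digest(manifest_bytes):
    """OCI-style content digest: 'sha256:' followed by the hex hash of the manifest."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def digest_matches(manifest_bytes, pinned_digest):
    """True only if the manifest actually pulled hashes to the digest that was pinned."""
    return image_digest(manifest_bytes) == pinned_digest


PINNED_DIGEST = image_digest(MANIFEST)

if __name__ == "__main__":
    for label, sbom in (("minimal", MINIMAL_SBOM), ("bloated", BLOATED_SBOM)):
        comps = parse_sbom(sbom)
        print(f"{label}: {len(comps)} packages, advisories hit: "
              f"{find_vulnerable(comps, ADVISORIES)}")
    print("pinned digest ok:", digest_matches(MANIFEST, PINNED_DIGEST))
    print("tampered digest ok:", digest_matches(MANIFEST + b"\n", PINNED_DIGEST))
```

Run as a script it reports that the minimal image matches no advisories while the bloated one matches two, purely because the extra packages are present, and that a single altered byte in the manifest fails the digest check. The same pattern (parse the SBOM, diff it against a feed, compare digests) is what a CI gate would automate on every pull.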