Switch to DHI
Making the Switchโ
Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image node:24-trixie-slim with a DHI equivalent.
Docker Hardened Images come in two variants:
- Dev variant (
<YOUR_ORG_NAME>/dhi-node:24-debian13-dev) - includes a shell and package managers, making it suitable for building and testing. - Runtime variant (
<YOUR_ORG_NAME>/dhi-node:24-debian13) - stripped down to only the essentials, providing a minimal and secure footprint for production.
This makes them perfect for use in multi-stage Dockerfiles. We can build the app in the dev image, then copy the built application into the runtime image, which will serve as the base for production.
Step 1. Update the Dockerfileโ
Update the Dockerfile to use the DHI images:
Change the dev stage:
FROM <YOUR_ORG_NAME>/dhi-node:24-debian13-dev AS dev
Change the production stage:
FROM <YOUR_ORG_NAME>/dhi-node:24-debian13 AS prod
Step 2. Non-root User (Already Built-in!)โ
Looking back at the output for the scout quickview, the No default non-root user found policy was not met. To resolve this we typically need to add a non-root user to the Dockerfile description. The good news is that the DHI comes with a nonroot user built-in, so no changes should be made.
Step 3. Rebuild and Scan the New Imageโ
Now let's rebuild and scan the new image:
docker buildx build --provenance=true --sbom=true -t <YOUR_ORG_NAME>/demo-node-dhi:v1 .
docker scout quickview <YOUR_ORG_NAME>/demo-node-dhi:v1
You will see similar output:
Target โ orgname/demo-node-dhi:v1 โ 0C 0H 0M 0L
digest โ cec31e6f0a36 โ
Base image โ orgname/dhi-node:24-debian13 โ
Policy status SUCCESS (9/9 policies met)
Status โ Policy โ Results
โโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ AGPL v3 licenses found โ 0 packages
โ โ Default non-root user โ
โ โ No AGPL v3 licenses โ 0 packages
โ โ No embedded secrets โ 0 deviations
โ โ No embedded secrets (Rego) โ 0 deviations
โ โ No fixable critical or high vulnerabilities โ 0C 0H 0M 0L
โ โ No high-profile vulnerabilities โ 0C 0H 0M 0L
โ โ No unapproved base images โ 0 deviations
โ โ Supply chain attestations โ 0 deviations
Hooray! There are zero CVEs and policy violations now!
Step 4. Compare Image Size and Packagesโ
Docker Scout offers a helpful command docker scout compare that allows you to analyze and compare two images. We'll use it to evaluate the difference in size and package footprint between node:24-trixie-slim and dhi-node:24-debian13 based images.
docker scout compare local://<YOUR_ORG_NAME>/demo-node-dhi:v1 --to local://<YOUR_ORG_NAME>/demo-node-doi:v1
Scroll up the output and you will see a similar summary:
## Overview
โ Analyzed Image โ Comparison Image
โโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโ
Target โ local://orgname/demo-node-dhi:v1 โ local://orgname/demo-node-doi:v1
digest โ e5b9ec7a980c โ 66cb8da420d8
tag โ v1 โ v1
platform โ linux/arm64 โ linux/arm64
vulnerabilities โ 0C 0H 0M 8L โ 0C 2H 2M 20L
โ -2 -2 -20 โ
size โ 59 MB (-40 MB) โ 97 MB
packages โ 648 (-214) โ 858
โ โ
Base image โ orgname/dhi-node:24 โ node:24-trixie-slim
vulnerabilities โ 0C 0H 0M 0L โ 0C 1H 2M 20L
As you can see, the dhi-node:24-debian13โbased image is 40 MB (around 40%) smaller, contains 214 fewer packages, and has nearly zero CVEs compared to the original node:24-trixie-slimโbased image.
Step 5. Validate the Applicationโ
Last but not least, after migrating to a DHI base image, we should verify that the application still functions as expected.
Start the app:
docker run --rm -d --name demo-node -p 3005:3000 <YOUR_ORG_NAME>/demo-node-dhi:v1
Open your browser and navigate to http://localhost:3005 to validate that the app is up and running.
Then stop the container:
docker stop demo-node