Skip to main content

Overview

Docker Hardened Images - The Pro-active Approachโ€‹

Start Secure. Docker Hardened Images are purpose-built from the ground up to be extremely minimal - not stripped-down versions of something bloated.

This is the pro-active half of the container security story. Where Scout helps you find and fix CVEs in images you already have, DHI helps you stop creating them in the first place.

The premise is simple: if your base image starts with near-zero CVEs, follows a distroless philosophy, and ships with signed supply-chain attestations, you've eliminated most of the reactive cycle before it begins.


What makes a Docker Hardened Image differentโ€‹

PropertyStandard base imageDHI
CVEs (critical/high)dozens to hundreds0 critical, 0 high
Package count200โ€“700+~12
Shell in runtimeYes (sh, bash)No (distroless)
Non-root by defaultManualBuilt-in (UID 65532)
SBOMBuild-time, optionalCryptographically signed
VEX documentNoYes (eliminates false positives)
SLSA provenanceBuild-time, optionalVerified, signed
FIPS variantNoYes (-fips tag)
STIG variantNoYes
CVE remediation SLANone7-day SLA

DHI variantsโ€‹

DHI ships in two variants per language/runtime:

VariantTag patternUse case
Dev<DHI_PREFIX>node:24-debian13-devBuilding - has shell, npm, build tools
Runtime<DHI_PREFIX>node:24-debian13Production - distroless, no shell

Replace <DHI_PREFIX> with dhi.io/ for the free tier or <YOUR_ORG>/dhi- for the paid tier (see Setup).

Because the runtime variant has no shell or npm, you use multi-stage builds: the dev image installs dependencies, the runtime image gets only the output. This isn't a constraint - it's how production images should be built.


Workshop sectionsโ€‹

SectionWhat you'll do
Migrate to DHIConvert catalog-service-node from node:25-slim to DHI, before/after Scout comparison
Attestations & Scanner IntegrationInspect SBOMs, VEX, SLSA provenance, FIPS, and pass them into Grype/Trivy

The four attack vectors, addressedโ€‹

Recall the four attack vectors from the Container Security overview:

VectorDHI's answer
Image vulnerabilitiesNear-zero CVEs by construction; 7-day SLA on remediation
Supply chain integritySigned SBOMs + SLSA provenance + VEX, all verifiable with docker scout attest
Runtime attack surfaceDistroless: no shell, no package manager, no curl, no apt
ComplianceFIPS 140-validated and STIG variants ship out of the box

That's why DHI is the pro-active answer. You're not finding CVEs and patching them - you're starting from a base where there are almost none, with cryptographic evidence to prove it.

Use both. Scout for visibility on what you run. DHI for the foundation you build on.