Mohammad-Ali A'RÂBI for Docker

Posted on • Originally published at dockersecurity.io

Docker Hardened Images are Free

Docker introduced Hardened Images in 2025 as a secure-by-default base image line, designed to keep production and development images as close to zero known CVEs as realistically possible.

As supply chain attacks are on the rise, Docker made the Hardened Images open-source under the Apache 2.0 license to let the community audit and contribute to them.

From now on, you can use the hardened images for free in your projects:

# For build stage
FROM dhi.io/node:24-dev AS build

# For production stage
FROM dhi.io/node:24

To get started, visit dhi.io.

How to Pull Hardened Images Locally

To pull the images locally, you need to log into dhi.io first:

docker login dhi.io

The images are free to use, but you still need to authenticate before pulling them.

Use your Docker Hub credentials to log in. You can use your personal Docker Hub account and a personal access token (PAT) as the password. No special subscription is required.

Then pull the desired image:

docker pull dhi.io/node:24

Check for CVEs

To check for CVEs in the images, you can use Docker Scout:

docker scout cves dhi.io/node:24

The image has 8 low-severity CVEs as of December 17th, 2025, as there are no fixed versions available for those packages:

8 vulnerabilities found in 2 packages
  CRITICAL  0  
  HIGH      0  
  MEDIUM    0  
  LOW       8

To check with Trivy:

trivy image --scanners vuln dhi.io/node:24

Trivy also found 7 low-severity CVEs on one package:

dhi.io/node:24 (debian 13.2)

Total: 7 (UNKNOWN: 0, LOW: 7, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

You can still use the Alpine-based hardened images to have a smaller attack surface.
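
A CI gate built on the Trivy scan above, as an added example that is not from the original post: it reads a report produced with `trivy image --scanners vuln --format json` and fails only on findings at or above a chosen severity that already have a fixed version, so unfixed low-severity findings like the ones reported above do not block the build. The sample report, package names and vulnerability ids are constructed placeholders, and the function names are hypothetical; the field names follow Trivy's JSON report layout.

```python
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample shaped like `trivy image --format json` output.
# Package names and vulnerability ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "dhi.io/node:24",
    "Results": [
        {"Target": "dhi.io/node:24 (debian 13.2)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-lib",
             "InstalledVersion": "1.0", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "example-lib",
             "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "LOW"},
        ]},
        {"Target": "Node.js"},  # a target without findings may omit the key
    ],
})

def summarize(report_text):
    """Return (counts by severity, list of all findings) for a Trivy report."""
    report = json.loads(report_text)
    findings = [v for r in report.get("Results") or []
                for v in r.get("Vulnerabilities") or []]
    return Counter(v.get("Severity", "UNKNOWN") for v in findings), findings

def blocking(findings, threshold="HIGH"):
    """Findings at or above threshold for which a fixed version exists."""
    floor = SEVERITY_ORDER.index(threshold)
    return [v for v in findings
            if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= floor
            and v.get("FixedVersion")]

def gate(report_text, threshold="HIGH"):
    """Exit status for CI: 1 if any blocking finding exists, otherwise 0."""
    counts, findings = summarize(report_text)
    for sev in reversed(SEVERITY_ORDER):
        print(f"{sev:<9}{counts.get(sev, 0)}")
    bad = blocking(findings, threshold)
    for v in bad:
        print(f"BLOCK {v['VulnerabilityID']} {v['PkgName']} -> {v['FixedVersion']}")
    return 1 if bad else 0

if __name__ == "__main__":
    # trivy image --scanners vuln --format json dhi.io/node:24 | python gate.py
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(text))
```

Trivy's own `--severity`, `--ignore-unfixed` and `--exit-code` flags give a similar gate without a script; parsing the JSON is useful when you also want the per-severity summary in the build log.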

Final Words

There are more than 500 different tags just for the Node.js Hardened Images available on dhi.io, including Alpine-based, Debian-based, dev and runtime, and FIPS and STIG-compliant images. And there are some 100 different repositories for other languages and runtimes, such as Python, Go, Java, .NET, Ruby, and more. And there are Helm charts to deploy DHI images on Kubernetes clusters directly.

To explore all available images, visit the DHI Catalog.

To learn more about Docker and Kubernetes security, check out my book Docker and Kubernetes Security, currently 40% off with code BLACKFOREST25.
