Docker makes its hardened container images free and open source, offering 95% vulnerability reduction and extending security to AI infrastructure while providing enterprise options for advanced needs.
Docker Revolutionizes Container Security with Free Hardened Images
In a landmark move that could reshape the container security landscape, Docker has announced it's making its entire catalog of Docker Hardened Images (DHI) completely free and open source under the Apache 2.0 license. The announcement, made on December 17, 2025, represents what company executives are calling a 'fundamental reset' of the container security market.
From Premium to Free: A Security Game-Changer
Docker's hardened images, which previously required paid subscriptions, are now available to every developer worldwide at no cost. The catalog includes more than 1,000 security-enhanced container images built on widely adopted open source distributions Debian and Alpine. According to Docker, these hardened images reduce vulnerabilities by up to 95% compared to traditional community images.
'Security has to start at the earliest point in development, and needs to be universally available to every developer,' said Mark Cavage, President and Chief Operating Officer at Docker, Inc. 'By making hardened images freely available and providing tooling that works with today's AI coding agents, we're giving the entire industry and community the best possible baseline to build on.'
The Growing Threat of Supply Chain Attacks
The move comes as software supply chain attacks are projected to cost businesses $60 billion globally in 2025, according to Cybersecurity Ventures. Docker Hub, the world's largest container registry, handles more than 20 billion pulls each month, making it a critical infrastructure component for modern software development.
Docker's hardened images address this threat through several key security features: a complete Software Bill of Materials (SBOM), transparent public CVE data, SLSA Build Level 3 provenance, and cryptographic proof of authenticity. The images use a distroless runtime approach to minimize the attack surface while preserving essential developer tools.
Extending Security to AI Infrastructure
In a forward-looking move, Docker is also extending its hardening methodology to Model Context Protocol (MCP) servers, bringing the same security rigor to the AI agent infrastructure that developers are rapidly adopting. The company is launching with hardened versions of more than ten popular servers including Grafana, MongoDB, GitHub, and Context7.
'With Docker Hardened Images, you're not having to pay a security team to do all the things required for securing a container image because it's already being done for you,' said Cameron Griffin, Senior Cloud Security Engineer at GuidePoint Security.
Enterprise Options for Advanced Needs
While the base hardened images are now free, Docker continues to offer DHI Enterprise for organizations with rigorous security and regulatory mandates. This paid offering includes SLA-backed CVE remediation for critical vulnerabilities in under seven days (with a roadmap toward a 24-hour SLA), FIPS-enabled and STIG-ready images, and full customization capabilities.
The company is also introducing Docker Hardened Images Extended Lifecycle Support (DHI ELS), a paid add-on that provides five additional years of security coverage beyond upstream end-of-life, including continued CVE patches, SBOM updates, and provenance attestations.
Industry Reaction and Adoption
Major partners and enterprises including Adobe, Attentive, and Crypto.com have already standardized on hardened images organization-wide. Industry analysts and open source leaders have voiced strong support for the move.
'Docker's move to make its hardened images freely available under Apache 2.0 underscores its strong commitment to the open source ecosystem,' said Jonathan Bryce, Executive Director of the Cloud Native Computing Foundation. 'Many CNCF projects can already be found in the DHI catalog, and giving the broader community access to secure, well-maintained building blocks helps us strengthen the software supply chain together.'
'Software supply chain attacks are a severe industry problem,' added James Governor, Analyst and Co-founder at RedMonk. 'Making Docker Hardened Images free and pervasive should underpin faster, more secure software delivery across the industry by making the right thing the easy thing for developers.'
Technical Implementation and Availability
The free Docker Hardened Images are available immediately at https://dhi.io and through Docker Hub. Because DHI is built on Debian and Alpine rather than proprietary distributions, developers can adopt them with minimal changes to existing workflows and no vendor lock-in.
Docker's AI assistant can now scan existing containers and recommend and apply equivalent hardened images, making adoption even easier for development teams. The company will host a webinar on January 13, 2025, to discuss how free hardened images and enterprise offerings reshape supply-chain security.
This strategic shift by Docker comes at a critical time when container security has become paramount. With Docker serving over 20 million developers worldwide, the move to make hardened images the default starting point for containerized applications could significantly raise the security baseline across the entire software industry.