Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions content/guides/dhi-backstage.md
Original file line number Diff line number Diff line change
Expand Up @@ -430,7 +430,7 @@ docker exec -it <container-id> sh
OCI runtime exec failed: exec failed: unable to start container process: ...
```

Use [Docker Debug](/dhi/troubleshoot/#general-debugging) if you need to troubleshoot a running distroless container.
Use [Docker Debug](/dhi/how-to/troubleshoot/#general-debugging) if you need to troubleshoot a running distroless container.

> [!NOTE]
>
Expand Down Expand Up @@ -479,5 +479,5 @@ Different scanners detect different issues. Running all three gives you the most
- [Create and build a DHI](/dhi/how-to/build/) — learn how to write a DHI definition file, build images locally.
- [Use the DHI CLI](/dhi/how-to/cli/) — manage DHI images, mirrors, and customizations from the command line.
- [Migrate to DHI](/dhi/migration/) — for applications that work with standard DHI images without additional packages.
- [Compare images](/dhi/how-to/explore/#compare-and-evaluate-images) — evaluate security improvements between your original and hardened images.
- [Docker Debug](/dhi/troubleshoot/#general-debugging) — troubleshoot distroless containers that have no shell.
- [Compare images](/dhi/how-to/search-evaluate/#compare-and-evaluate-images) — evaluate security improvements between your original and hardened images.
- [Docker Debug](/dhi/how-to/troubleshoot/#general-debugging) — troubleshoot distroless containers that have no shell.
2 changes: 1 addition & 1 deletion content/guides/dhi-openshift.md
Original file line number Diff line number Diff line change
Expand Up @@ -620,6 +620,6 @@ and use `COPY --chown` to transfer results.

- [Use an image in Kubernetes](/dhi/how-to/k8s/) — general DHI Kubernetes deployment guide.
- [Customize an image](/dhi/how-to/customize/) — add packages to DHI images using Enterprise customization.
- [Debug a container](/dhi/troubleshoot/#general-debugging) — troubleshoot distroless containers with Docker Debug (local development).
- [Debug a container](/dhi/how-to/troubleshoot/#general-debugging) — troubleshoot distroless containers with Docker Debug (local development).
- [Managing SCCs](https://docs.openshift.com/container-platform/4.14/authentication/managing-security-context-constraints.html) — Red Hat’s reference documentation on Security Context Constraints.
- [Creating images for OpenShift](https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html) — Red Hat’s guidelines for building OpenShift-compatible container images.
6 changes: 3 additions & 3 deletions content/guides/dhi-vex-walkthrough.md
Original file line number Diff line number Diff line change
Expand Up @@ -282,7 +282,7 @@ The justification codes have precise meanings:
that addresses the CVE in this image.

For the full list of justification codes, see [VEX status
reference](/manuals/dhi/core-concepts/vex.md#not_affected-justification-codes).
reference](/manuals/dhi/explore/security-concepts/vex.md#not_affected-justification-codes).

Every suppression is documented, auditable, and verifiable with any VEX-enabled
scanner.
Expand Down Expand Up @@ -357,7 +357,7 @@ $ curl -s https://raw.githubusercontent.com/docker-hardened-images/advisories/ma
```

For status definitions and justification codes, see the [VEX status
reference](/manuals/dhi/core-concepts/vex.md#vex-status-reference).
reference](/manuals/dhi/explore/security-concepts/vex.md#vex-status-reference).

## What's next

Expand All @@ -369,7 +369,7 @@ reference](/manuals/dhi/core-concepts/vex.md#vex-status-reference).
VEX](/manuals/scout/how-tos/create-exceptions-vex.md).
- VEX status reference: For status definitions, justification codes, and
why DHI does not use `fixed`, see [Vulnerability Exploitability eXchange
(VEX)](/manuals/dhi/core-concepts/vex.md#vex-status-reference).
(VEX)](/manuals/dhi/explore/security-concepts/vex.md#vex-status-reference).
- Browse the VEX feed directly: The raw VEX data is published at
[github.com/docker-hardened-images/advisories](https://github.com/docker-hardened-images/advisories/tree/main/vex),
organized by image name.
73 changes: 58 additions & 15 deletions content/manuals/dhi/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,14 @@
title: Docker Hardened Images
description: Secure, minimal, and production-ready base images
weight: 8
aliases:
- /dhi/features/
- /dhi/features/secure/
- /dhi/features/integration/
- /dhi/features/support/
- /dhi/features/patching/
- /dhi/features/flexible/
- /dhi/features/helm/
params:
sidebar:
group: Supply chain security
Expand All @@ -14,24 +22,20 @@ params:
description: Learn what Docker Hardened Images are, how they're built, and what sets them apart from typical base images.
icon: information-circle
link: /dhi/explore/
- title: Features
description: Discover the security, compliance, and enterprise-readiness features built into Docker Hardened Images.
icon: lock-closed
link: /dhi/features/
- title: How-tos
description: Step-by-step guides for using, verifying, scanning, and migrating to Docker Hardened Images.
icon: play
link: /dhi/how-to/
- title: Core concepts
- title: Security concepts
description: Understand the secure supply chain principles that make Docker Hardened Images production-ready.
icon: clipboard-document-check
link: /dhi/core-concepts/
- title: Troubleshoot
description: Resolve common issues with building, running, or debugging Docker Hardened Images.
icon: question-mark-circle
link: /dhi/troubleshoot/
- title: Additional resources
description: Guides, Docker Hub catalog, GitHub repositories, and more.
link: /dhi/explore/security-concepts/
- title: Tools
description: Browse and manage Docker Hardened Images using Docker Hub, the CLI, MCP server, or Terraform.
icon: wrench-screwdriver
link: /dhi/tools/
- title: Resources and feedback
description: Guides, GitHub repositories, community channels, and how to give feedback.
icon: link
link: /dhi/resources/
- title: Release notes
Expand Down Expand Up @@ -68,9 +72,48 @@ DHI is available in the following three subscriptions.
For pricing and more details, see the [Docker Hardened Images subscription
comparison](https://www.docker.com/products/hardened-images/#compare).

## Community features

DHI's core features are free to use, share, and build on under Apache 2.0.

- [Near-zero CVEs](/dhi/explore/security-concepts/cves/): continuously scanned and patched
to maintain minimal known vulnerabilities
- [Distroless variants](/dhi/explore/security-concepts/distroless/): remove unnecessary
components, reducing attack surface by up to 95%
- Non-root execution: containers run as non-root by default
- [Hardened system packages](/dhi/how-to/hardened-packages/): system packages
built from source, cryptographically signed, and verified by Docker
- [SLSA Build Level 3 provenance](/dhi/explore/security-concepts/slsa/), [signed
SBOMs](/dhi/explore/security-concepts/sbom/), [VEX statements](/dhi/explore/security-concepts/vex/),
and [cryptographic signatures](/dhi/explore/security-concepts/signatures/) on every image
- Built on Alpine and Debian with [glibc and musl
variants](/dhi/explore/security-concepts/glibc-musl/); dev and runtime image variants
available
- Works with existing Docker workflows, CI/CD pipelines, and tools with no
retooling required
- [Helm charts](/dhi/how-to/helm/): Docker-provided charts built from upstream
sources, tested for compatibility with DHI, and available as OCI artifacts in
the DHI catalog; include SLSA Level 3 provenance, SBOMs, and cryptographic
signing

## Select and Enterprise features

For organizations with strict security or compliance requirements:

- [7-day SLA](https://docs.docker.com/go/dhi-sla/) for critical and high
severity CVE remediation
- [FIPS-enabled](/dhi/explore/security-concepts/fips/) and
[STIG-ready](/dhi/explore/security-concepts/stig/) compliance variants
- [Customization](/dhi/how-to/customize/): add packages, tools, certificates,
and configurations (up to 5 with Select, unlimited with Enterprise)
- [Enterprise package repository](/dhi/how-to/hardened-packages/) access and
full catalog access (Enterprise)
- Extended Lifecycle Support: post-EOL security patches, updated SBOMs,
provenance, and signing (Enterprise add-on)

## Get started

Explore the sections below to get started with Docker Hardened Images, integrate
them into your workflow, and learn what makes them secure and enterprise-ready.

{{< grid
items="grid_sections"
>}}
{{< grid items="grid_sections" >}}
12 changes: 6 additions & 6 deletions content/manuals/dhi/explore/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,11 @@ params:
description: Understand Docker's role and your responsibilities when using Docker Hardened Images as part of your secure software supply chain.
icon: user-group
link: /dhi/explore/responsibility/
- title: Give feedback
icon: question-mark-circle
description: Docker welcomes all contributions and feedback.
link: /dhi/explore/feedback
- title: Security concepts
description: Learn the core concepts behind Docker Hardened Images — signed attestations, immutable digests, SLSA, VEX, and more.
icon: clipboard-document-check
link: /dhi/explore/security-concepts/

aliases:
- /dhi/about/
---
Expand All @@ -48,8 +49,7 @@ existing Docker-based workflows with little to no retooling required.

This section helps you understand what Docker Hardened Images are, how they're
built and tested, the different types available, and how responsibility is
shared between Docker and you as a user. For a complete list of DHI features and
capabilities, see [Features](/dhi/features/).
shared between Docker and you as a user.

## Learn more about Docker Hardened Images

Expand Down
4 changes: 2 additions & 2 deletions content/manuals/dhi/explore/available.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ Docker Hardened Images (DHI) is a comprehensive catalog of
security-hardened container images built to meet diverse
development and production needs.

You can explore the DHI catalog on [Docker Hub](https://hub.docker.com/hardened-images/catalog) or use the [DHI CLI](../how-to/cli.md) to browse
You can explore the DHI catalog on [Docker Hub](https://hub.docker.com/hardened-images/catalog) or use the [DHI CLI](../tools/cli.md) to browse
available images, tags, and metadata from the command line.

## Framework and application images
Expand Down Expand Up @@ -85,7 +85,7 @@ For example, you might find tags like the following in a DHI repository:

Some Docker Hardened Images include a `-fips` variant. These variants use
cryptographic modules that have been validated under [FIPS
140](../core-concepts/fips.md), a U.S. government standard for secure
140](security-concepts/fips.md), a U.S. government standard for secure
cryptographic operations.

FIPS variants are designed to help organizations meet regulatory and compliance
Expand Down
2 changes: 1 addition & 1 deletion content/manuals/dhi/explore/build-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ contents, build pipeline steps, security configurations, and runtime settings.

Every Docker Hardened Image includes a SLSA Build Level 3 attestation that
provides verifiable build provenance. For details on SLSA attestations and how to
verify them, see [SLSA](../core-concepts/slsa.md).
verify them, see [SLSA](security-concepts/slsa.md).

## Build triggers

Expand Down
43 changes: 0 additions & 43 deletions content/manuals/dhi/explore/feedback.md

This file was deleted.

2 changes: 1 addition & 1 deletion content/manuals/dhi/explore/responsibility.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ securely.
and is responsible for validating core features.
- Docker: Validates that DHIs start, run, and behave consistently with
upstream expectations. Docker also runs security scans and includes a [testing
attestation](../core-concepts/attestations.md) with each image.
attestation](security-concepts/attestations.md) with each image.
- You: Test your application on top of DHIs and validate that any changes or
customizations function as expected in your environment.

Expand Down
2 changes: 1 addition & 1 deletion content/manuals/dhi/explore/scanner-integrations.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ the minimum requirements for VEX defined by CISA (Cybersecurity and
Infrastructure Security Agency), the U.S. government agency responsible for
cybersecurity guidance. These attestations document which vulnerabilities don't
apply to the image and why, helping you focus on real risks. To understand what
VEX is and how it works, see the [VEX core concept](/manuals/dhi/core-concepts/vex.md).
VEX is and how it works, see the [VEX core concept](/manuals/dhi/explore/security-concepts/vex.md).

Because OpenVEX is an open standard with government backing, it has strong
industry momentum and any tool can implement it without vendor-specific
Expand Down
Original file line number Diff line number Diff line change
@@ -1,85 +1,88 @@
---
title: Core concepts
aliases:
- /dhi/core-concepts/
title: Security concepts
linkTitle: Security concepts
description: Learn the core concepts behind Docker Hardened Images, including security metadata, vulnerability management, image structure, and verification.
weight: 30
weight: 60
params:
grid_concepts_metadata:
- title: Attestations
description: Review the full set of signed attestations included with each Docker Hardened Image, such as SBOMs, VEX, build provenance, and scan results.
icon: clipboard-document-list
link: /dhi/core-concepts/attestations/
link: /dhi/explore/security-concepts/attestations/
- title: Software Bill of Materials (SBOMs)
description: Learn what SBOMs are, why they matter, and how Docker Hardened Images include signed SBOMs to support transparency and compliance.
icon: list-bullet
link: /dhi/core-concepts/sbom/
link: /dhi/explore/security-concepts/sbom/
- title: Supply-chain Levels for Software Artifacts (SLSA)
description: Learn how Docker Hardened Images comply with SLSA Build Level 3 and how to verify provenance for secure, tamper-resistant builds.
icon: clipboard-document-check
link: /dhi/core-concepts/slsa/
link: /dhi/explore/security-concepts/slsa/
- title: Image provenance
description: Learn how build provenance metadata helps trace the origin of Docker Hardened Images and support compliance with SLSA.
icon: pencil-square
link: /dhi/core-concepts/provenance/
link: /dhi/explore/security-concepts/provenance/

grid_concepts_compliance:
- title: FIPS
description: Learn how Docker Hardened Images support FIPS 140 by using validated cryptographic modules and providing signed attestations for compliance audits.
icon: check-badge
link: /dhi/core-concepts/fips/
link: /dhi/explore/security-concepts/fips/
- title: STIG
description: Learn how Docker Hardened Images provide STIG-ready container images with verifiable security scan attestations for government and enterprise compliance requirements.
icon: shield-check
link: /dhi/core-concepts/stig/
link: /dhi/explore/security-concepts/stig/
- title: CIS Benchmarks
description: Learn how Docker Hardened Images help you meet Center for Internet Security (CIS) Docker Benchmark requirements for secure container configuration and deployment.
icon: check-circle
link: /dhi/core-concepts/cis/
link: /dhi/explore/security-concepts/cis/

grid_concepts_risk:
- title: Common Vulnerabilities and Exposures (CVEs)
description: Understand what CVEs are, how Docker Hardened Images reduce exposure, and how to scan images for vulnerabilities using popular tools.
icon: exclamation-circle
link: /dhi/core-concepts/cves/
link: /dhi/explore/security-concepts/cves/
- title: Vulnerability Exploitability eXchange (VEX)
description: Learn how VEX helps you prioritize real risks by identifying which vulnerabilities in Docker Hardened Images are actually exploitable.
icon: exclamation-triangle
link: /dhi/core-concepts/vex/
link: /dhi/explore/security-concepts/vex/
- title: Software Supply Chain Security
description: Learn how Docker Hardened Images help secure every stage of your software supply chain with signed metadata, provenance, and minimal attack surface.
icon: shield-check
link: /dhi/core-concepts/sscs/
link: /dhi/explore/security-concepts/sscs/
- title: Secure Software Development Lifecycle (SSDLC)
description: See how Docker Hardened Images support a secure SDLC by integrating with scanning, signing, and debugging tools.
icon: wrench-screwdriver
link: /dhi/core-concepts/ssdlc/
link: /dhi/explore/security-concepts/ssdlc/

grid_concepts_structure:
- title: Distroless images
description: Learn how Docker Hardened Images use distroless variants to minimize attack surface and remove unnecessary components.
icon: squares-2x2
link: /dhi/core-concepts/distroless/
link: /dhi/explore/security-concepts/distroless/
- title: glibc and musl support in Docker Hardened Images
description: Compare glibc and musl variants of DHIs to choose the right base image for your application’s compatibility, size, and performance needs.
icon: arrows-up-down
link: /dhi/core-concepts/glibc-musl/
link: /dhi/explore/security-concepts/glibc-musl/
- title: Image immutability
description: Understand how image digests, read-only containers, and signed metadata ensure Docker Hardened Images are tamper-resistant and immutable.
icon: minus-circle
link: /dhi/core-concepts/immutability/
link: /dhi/explore/security-concepts/immutability/
- title: Image hardening
description: Learn how Docker Hardened Images are designed for security, with minimal components, nonroot execution, and secure-by-default configurations.
icon: shield-check
link: /dhi/core-concepts/hardening/
link: /dhi/explore/security-concepts/hardening/

grid_concepts_verification:
- title: Digests
description: Learn how to use immutable image digests to guarantee consistency and verify the exact Docker Hardened Image you're running.
icon: finger-print
link: /dhi/core-concepts/digests/
link: /dhi/explore/security-concepts/digests/
- title: Code signing
description: Understand how Docker Hardened Images are cryptographically signed using Cosign to verify authenticity, integrity, and secure provenance.
icon: key
link: /dhi/core-concepts/signatures/
link: /dhi/explore/security-concepts/signatures/
---

Docker Hardened Images (DHIs) are built on a foundation of secure software
Expand Down
Loading