Docker Hardened Images are built from scratch with the minimal packages to run the image. The hardened images didn't contain any compromised packages for Shai-Hulud.

https://www.docker.com/blog/security-that-moves-fast-dockers...

Note: I work at Docker

▲

wolfi1 5 days ago | parent [-]

yeah, but if you would have installed with npm your software, would the postinstall script have been executed?

▲

kevinb2222 5 days ago | parent | next [-]

Hardened base images don't restrict what you add on top of them. That's where scanners like Docker Scout, Trivy, Grype, and more come in to review the complete image that you have built.

▲

shepherdjerred 5 days ago | parent | prev [-]

Of course? They are only concerned with the base image. What you do with it is your responsibility

This would be like expecting AWS to protect your EC2 instance from a postinstall script

	▲	acdha 5 days ago \| parent [-]
		The difference is that they’re charging extra for it, so people want to see benefits they could take to their management to justify the extra cost. The NPM stuff has a lot of people’s attention right now so it’s natural to ask whether something would have blocked what your CISO is probably asking about since you have an unlimited number of possible security purchase options. One of the Docker employees mentioned one relevant feature: https://socket.dev/blog/socket-firewall-now-available-in-doc... Update the analogy to “like EC2 but we handle the base OS patching and container runtime” and you have Fargate.