Hi, I work at Docker. Really appreciate the thoughtful discussion here. We’re excited to make Hardened Images free and open because we believe secure-by-default should be the starting point for every developer, not something you bolt on later.

A big part of this for us is transparency. That’s why every image ships with VEX statements, extensive attestations, and all the metadata you need to actually understand what you’re running. We want this to be a trustworthy foundation, not just a thinner base image.

We’re also extending this philosophy beyond base images into other content like MCP servers and related components, because the more of the stack that is verifiable and hardened by default, the better it is for the ecosystem.

A few people in the thread asked how this is sustainable. The short answer is that we do offer an enterprise tier for companies that need things like contractual continuous patching SLAs, regulated-industry variants (FIPS, etc.), and secure customizations with full provenance and attestations. Those things carry very real ongoing costs, so keeping them in Enterprise allows us to make the entire hardened catalog free for the community.

Glad to see the conversation happening here. We hope this helps teams ship software with a stronger security posture and a bit more confidence.

What format is the Dockerfile in at, for example, https://hub.docker.com/hardened-images/catalog/dhi/php/image... ? It looks quite different than any Dockerfile I've ever seen. Is there a tool available that builds images from that?

Hi

Don't you personally feel disgust mentioning AI stuff?

Yeah, I realize it is mandatory to mention AI today in every piece of communication of any company; but on a personal level, isn't that something that requires a bit of dying every time?