Docker, Inc. makes hardened images free and open
Docker, Inc. made its Docker Hardened Images (DHI) catalog available as free, open source software under the Apache 2.0 license and offered paid enterprise and extended-support options, while adding AI-assisted scanning and extending the hardening approach to Model Context Protocol (MCP) server images.
The company framed the move as a reset of the container security market and said adoption had accelerated since DHI’s launch, with organizations such as Adobe, Attentive, and Crypto.com standardizing on hardened images. Existing DHI purchasers were upgraded to DHI Enterprise at no additional cost. Docker Hub was noted to handle more than 20 billion pulls each month, and a Cybersecurity Ventures figure projected that supply chain attacks would cost businesses $60 billion globally in 2025.
DHI images were described as built on Debian and Alpine and available under Apache 2.0, with a distroless runtime that reduced the attack surface while retaining developer tools. Docker said each image included a complete Software Bill of Materials (SBOM), transparent public Common Vulnerabilities and Exposures (CVE) data, SLSA Build Level 3 provenance, and cryptographic proof of authenticity, and that DHI reduced vulnerabilities by up to 95 percent compared to traditional community images.
Docker added that its Artificial Intelligence (AI) assistant could scan existing containers and recommend and apply equivalent hardened images, and that the company had launched hardened MCP server images for more than ten popular servers including Grafana, MongoDB, GitHub, and Context7, with plans to harden the full MCP catalog in the weeks ahead. DHI Enterprise was offered with SLA-backed CVE remediation in under seven days, FIPS-enabled and STIG-ready images, and customization, while DHI Extended Lifecycle Support provided five additional years of security coverage beyond upstream end-of-life.
“Security has to start at the earliest point in development, and needs to be universally available to every developer,” said Mark Cavage, President and Chief Operating Officer at Docker, Inc. “By making hardened images freely available and providing tooling that works with today’s AI coding agents, we're giving the entire industry and community the best possible baseline to build on. This is a foundational shift that strengthens every part of the software supply chain and the Internet.”
“Every hardened image ships with strong provenance, reproducible builds, and clear attestations,” said Tushar Jain, Executive Vice President of Product & Engineering at Docker, Inc. “With DHI Enterprise and DHI ELS, we're giving organizations the control and long-term protection they need to keep critical systems secure.”
Docker said it would harden the full MCP catalog in the weeks ahead and outlined a roadmap toward a 24-hour Service Level Agreement (SLA) for DHI Enterprise.