How to Adopt Docker Hardened Images: A Step-by-Step Guide for Secure Deployments

<h2>Introduction</h2>
<p>Securing containerized applications starts with the foundation: your base images. Over the past year, we’ve built Docker Hardened Images (DHI) to give every team a reliable, verifiable, and free way to raise their security baseline. This guide walks you through the practical steps to integrate hardened images into your workflow, from understanding the landscape to leveraging continuous patching and attestations. Whether you’re new to container security or looking to level up, these steps will help you adopt a solution that chose the harder path—building from source, supporting multiple distributions, and staying open source.</p>
<figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image.png" alt="How to Adopt Docker Hardened Images: A Step-by-Step Guide for Secure Deployments" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<h2>What You Need</h2>
<ul>
<li><strong>A container runtime</strong> (e.g., Docker Engine ≥ 20.10, Podman, or containerd)</li>
<li><strong>Access to a registry</strong> (Docker Hub, GitHub Container Registry, or your private registry)</li>
<li><strong>A CI/CD pipeline</strong> (GitHub Actions, GitLab CI, Jenkins, or similar)</li>
<li><strong>Familiarity with Dockerfiles</strong> and basic Linux commands</li>
<li><strong>Optional but recommended:</strong> SLSA verification tooling (e.g., <code>cosign</code>, <code>slsa-verifier</code>)</li>
</ul>
<h2>Step-by-Step Guide</h2>
<h3 id="step1">Step 1: Understand the Hardened Image Landscape</h3>
<p>Before diving in, know what you’re getting. DHI are not another “distroless” lock-in. They are <strong>multi-distro</strong>—built on Debian, Alpine, and other mainstream OSes you already run—so adoption is drop-in.
Every OS-level package is <strong>compiled from source</strong> in a <strong>SLSA Build Level 3</strong> pipeline, delivering <strong>signed attestations</strong> (SBOM, provenance, vulnerability data) with each image. More than 2,000 images are available in the free Community tier, with tens of thousands continuously patched. This foundation means you never inherit vendor-specific migration taxes.</p>
<h3 id="step2">Step 2: Get Started with DHI Community</h3>
<p>Navigate to <a href="https://hub.docker.com/u/library/" target="_blank">Docker Hub</a> or your preferred registry. Search for <strong>“hardened”</strong> alongside your stack (e.g., <code>hardened-nginx</code>, <code>hardened-node</code>). All DHI Community images are published under the Apache 2.0 license—no paywall, no login required. Simply pull the image:</p>
<pre><code>docker pull chainguard/hardened-nginx:latest</code></pre>
<p>This gives you a minimal, hardened base with only production dependencies. For a list of all available images, see the <a href="https://www.chainguard.dev/chainguard-images" target="_blank">Chainguard Images catalog</a>.</p>
<h3 id="step3">Step 3: Choose Your Base Image – Multi-Distro Strategy</h3>
<p>DHI supports multiple distributions. For most workloads, start with <strong>Debian-based</strong> images for broad compatibility. If you need maximum minimalism, use <strong>Alpine-based</strong> images. Here’s how to pick in your Dockerfile:</p>
<pre><code># Debian-based variant (broad compatibility)
FROM chainguard/hardened-debian:latest
# ...or the Alpine-based variant (smallest footprint):
# FROM chainguard/hardened-alpine:latest</code></pre>
<p>No need to rewrite your application code. The <strong>drop-in replacement</strong> nature means your existing Dockerfile instructions (RUN, COPY, CMD) work unchanged. Test both variants in your staging environment to verify behavior.</p>
<h3 id="step4">Step 4: Integrate into Your Build Pipeline</h3>
<p>Update your CI/CD configuration to use DHI as base images.
Example with GitHub Actions:</p>
<pre><code>name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build hardened image
        run: docker build -t my-app:latest .
      - name: Push to registry
        run: docker push my-app:latest</code></pre>
<p>For maximum security, add a step to <strong>verify image attestations</strong> before deploying; see <a href="#step6">Step 6</a> for the verification commands. Your CI should now pull the hardened base, build your app layer, and tag accordingly.</p>
<figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image-1024x1024.png" alt="How to Adopt Docker Hardened Images: A Step-by-Step Guide for Secure Deployments" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<h3 id="step5">Step 5: Leverage Continuous Patching</h3>
<p>Every artifact in the DHI catalog is <strong>continuously patched</strong>—across CVEs, distributions, and versions. We run over a million builds regularly to keep images up to date. To benefit, simply re-pull the base image tag (e.g., <code>latest</code>) in your CI. For production, pin to a specific digest or use a rolling tag like <code>stable</code>. Set up a weekly scheduled workflow to rebuild your application image and re-pull the hardened base. If you pin by digest, that scheduled job must also refresh the pinned digest (resolve the tag to its current digest and commit the update); otherwise the rebuild keeps using the old base and the patches never land. Example:</p>
<pre><code>docker pull chainguard/hardened-nginx:latest</code></pre>
<p>This ensures your deployments always include the latest security fixes without manual effort.</p>
<h3 id="step6">Step 6: Verify with Signed Attestations</h3>
<p>Every DHI image ships with <strong>multiple signed attestations</strong>: software bill of materials (SBOM), SLSA provenance, and vulnerability scanning results.
To verify them independently, use <code>cosign</code>:</p>
<pre><code>cosign verify-attestation --type sbom chainguard/hardened-nginx:latest</code></pre>
<p>Or use <a href="https://github.com/slsa-framework/slsa-verifier" target="_blank">SLSA verifier</a> for provenance. In either case the tool must be told whom to trust: for <code>cosign</code> that is a public key (<code>--key</code>) or, for keyless signatures, the expected signer identity and OIDC issuer (<code>--certificate-identity</code> and <code>--certificate-oidc-issuer</code>), and those values should come from the publisher’s documentation, not from the image itself. Check that the attestation’s subject digest matches the digest of the image you actually pulled, not just its tag, since tags can be moved. This step ensures you’re running exactly what was built in our pipeline—no tampering.</p>
<h3 id="step7">Step 7: Scale and Monitor</h3>
<p>As your organization adopts DHI, track usage and vulnerability trends. Since all images are open source, you can also audit the pipeline publicly. Set up alerts for newly published patches via our <a href="https://www.chainguard.dev/" target="_blank">advisory page</a>. With 500k+ daily pulls and growing, DHI is battle-tested. For production at scale, consider the Enterprise tier for extended lifecycle support (ELS) and additional image types (Helm charts, MCP servers).</p>
<h2>Tips for Success</h2>
<ul>
<li><strong>Start with one service.</strong> Replace a non-critical container with a DHI base to test compatibility before rolling out widely.</li>
<li><strong>Leverage the free Community tier.</strong> Security shouldn’t be a premium feature—all 2,000+ images are freely available under Apache 2.0.</li>
<li><strong>Automate attestation verification</strong> in your CI/CD as a gate before deployment. This builds confidence in the supply chain.</li>
<li><strong>Don’t fall for proprietary “distroless” lock-in.</strong> DHI uses distributions you already know—no migration tax.</li>
<li><strong>Monitor the continuous patching cadence.</strong> With over a million builds running regularly, you get fast response to new CVEs.</li>
<li><strong>Join the community.</strong> Feedback and contributions help improve the catalog for everyone.</li>
</ul>
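<p>As an added example (not part of this guide's original code or the DHI tooling), the Python CI gate below ties Step 5's digest pin to Step 6's attestation check: it reads the <code>@sha256</code> digests pinned in a Dockerfile and confirms that an envelope in the shape <code>cosign verify-attestation</code> prints carries an in-toto statement of the expected predicate type whose subject is that digest. The sample Dockerfile, the envelope and its signature value are constructed; cosign itself remains responsible for checking the signature before this gate runs.</p>

```python
import base64
import json
import re

SPDX_PREDICATE = "https://spdx.dev/Document"  # cosign's predicate type for SPDX SBOMs

# Constructed sample Dockerfile: the hardened base pinned by digest (Step 5).
DOCKERFILE = ("FROM chainguard/hardened-nginx:latest@sha256:" + "ab" * 32
              + "\nCOPY site/ /usr/share/nginx/html/\n")

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?\S+?@sha256:([0-9a-f]{64})\b", re.M)

def pinned_digests(dockerfile: str) -> list[str]:
    """Hex sha256 of every FROM line pinned with @sha256:; unpinned lines are skipped."""
    return FROM_RE.findall(dockerfile)

def make_envelope(predicate_type: str, digest: str) -> str:
    """Constructed DSSE envelope line in the shape `cosign verify-attestation` prints.
    The signature is a placeholder: cosign has already verified it before printing."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "index.docker.io/chainguard/hardened-nginx",
                     "digest": {"sha256": digest}}],
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})

def attestation_covers(envelope_line: str, digest: str, predicate_type: str) -> bool:
    """True iff the statement has the given predicate type and names our digest as a subject."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return False
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != predicate_type:
        return False
    digest = digest.removeprefix("sha256:").lower()
    return any(s.get("digest", {}).get("sha256", "").lower() == digest
               for s in stmt.get("subject", []))

def gate(dockerfile: str, envelope_lines: list[str], predicate_type: str) -> bool:
    """Deploy gate: every pinned base digest needs a matching attestation; no pin, no deploy."""
    digests = pinned_digests(dockerfile)
    return bool(digests) and all(
        any(attestation_covers(line, d, predicate_type) for line in envelope_lines)
        for d in digests)
```

In a pipeline, feed `gate` the output lines of the cosign command from Step 6 and fail the job when it returns False.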