Docker has open sourced its most security-critical container infrastructure, making over 1000 hardened images free under Apache 2.0 to turn secure-by-default containers into an industry-wide baseline rather than a paid feature.
Docker has made more than 1000 Docker Hardened Images (DHI) fully open source and available for free, marking a decisive shift from a commercial-only model to an open standard for container security. Released under the Apache 2.0 license, the images are now subscription-free and accessible to all 26 million-plus developers in the global container ecosystem.
Announcing the move, Docker said: “Today, we are establishing a new industry standard by making DHI freely available and open source to everyone who builds software. All 26 Million+ developers in the container ecosystem.”
Docker further emphasised the absence of licensing barriers, stating: “DHI is fully open and free to use, share, and build on with no licensing surprises, backed by an Apache 2.0 license. DHI now gives the world a secure, minimal, production-ready foundation from the very first pull.”
First launched in May 2025 as a commercial offering, Docker Hardened Images are secure, minimal, production-ready base images maintained directly by Docker. They are designed to reduce attack surface and mitigate supply-chain risk at the container layer, serving as hardened foundations rather than application images.
Technically, DHIs are rootless by default, stripped of unnecessary components, and free of known vulnerabilities at release. They support the Vulnerability Exploitability eXchange (VEX) standard and remain SBOM-verifiable, built with SLSA Build Level 3 provenance, and accompanied by proof of authenticity.
While fixes for vulnerabilities will continue to be provided across tiers, only DHI Enterprise customers receive a guaranteed seven-day CVE patching SLA. Docker has said it aims to reduce enterprise patch timelines to one day or less, alongside offering runtime configuration, image modification, and additional tooling.
