Skip to Content

Docker Hardened Images: What, Why, and How to Customize Securely

Learn what Docker Hardened Images are, why they improve container security, and how to customize them using the Docker Hub UI or multi‑stage Dockerfiles while preserving automatic patching and provenance.
31 January 2026 by
Suraj Barman

What Are Docker Hardened Images?

Docker Hardened Images (DHI) are minimal base images designed for security. They omit package managers, common utilities, and shells, providing a reduced attack surface.

Why Use Hardened Images?

Using DHI offers several security and operational benefits:

  • Smaller footprint reduces vulnerability exposure.
  • Absence of package managers prevents runtime installation of unverified software.
  • Automatic patch propagation through Docker Hub rebuilds keeps images up‑to‑date.
  • Facilitates compliance with standards such as FIPS and SBOM requirements.

How to Customize Hardened Images

There are two primary methods to extend DHI while preserving security.

Option 1 – Docker Hub UI (Golden Image)

  • Upload your custom layer via the Docker Hub interface.
  • Docker tracks the relationship between your layer and the underlying DHI base.
  • When Docker releases a security patch for the base, the UI triggers an automatic rebuild of your custom image.

Option 2 – Multi‑Stage Dockerfile

  • Define a build stage that includes any tools, libraries, or agents you need.
  • In a second stage, copy only the final artifacts into a clean DHI base.
  • Resulting image remains minimal, non‑root, and signed by Docker for the base layers.

Step‑by‑Step Tutorial: Adding a Monitoring Agent

  • Create a project directory and add server.js that loads the dd-trace library.
  • Write a multi‑stage Dockerfile that installs the library in the builder stage and copies the node_modules into the DHI runtime stage.

  • Build and run the image:

    docker build -t dhi‑monitoring‑test .
    docker run --rm dhi‑monitoring‑test
  • Verify output shows successful library load and non‑root execution.

Verifying Security After Customization

  • Run docker scout cves to scan for critical and high severity vulnerabilities.
  • Check that only your added dependencies introduce new CVEs; base layers retain Docker attestations.
  • Use SBOM tools to confirm the software bill of materials matches expectations.

Provenance and Signature Chain

  • The original DHI base layers keep Docker’s cryptographic attestations.
  • Your custom image receives a new digest because you are the builder.
  • Chain of trust remains intact for the base; you can add your own signatures if required.

Best Practices and ROI Considerations

  • Prefer multi‑stage builds for reproducibility and local development.
  • Leverage the Hub UI when you want automatic patch updates without maintaining a Dockerfile.
  • Measure engineering effort saved by reduced patch management and vulnerability triage.
  • Track compliance metrics such as FIPS validation and SBOM completeness.