Docker Inc. makes hardened images available for free
Hardened Docker images are stripped down to a minimum, leaving as little attack surface as possible. Docker Inc. is now making them available free of charge.
(Image: Merlin Schumacher (c't magazin))
Docker Inc. has announced that a previously paid product will now be offered for free: Docker Hardened Images (DHI). The company behind the Docker software and operator of Docker Hub explains that this is a response to supply chain attacks, which also hit the container ecosystem. The hardened images contain a distribution userland reduced to the bare essentials and thus differ from the so-called "Official Images" that can be pulled from Docker Hub (hub.docker.com) for many applications without logging in.
Fewer Traces of the Distribution
The Nginx web server and its image serve as an example: in the public hub there are images named nginx that are based on the Alpine or Debian distributions. Besides the web server itself, they ship parts of the distribution. Most of these components are not needed to run the web server and are at most helpful when you jump into a container with tools like docker exec to troubleshoot. Via the built-in package manager (apt or apk) you can, for instance, install a text editor and hunt for errors inside the container. However, such tools can equally serve as a foothold for attackers.
The hardened images carry fewer traces of the distribution and thus fewer entry points, but in return no tools for ad-hoc troubleshooting. For comparison: the official Nginx image based on Alpine (nginx:alpine) is 21 MB in size and comes with one known medium-severity vulnerability that has a CVE entry. The Debian variant (nginx:stable-bookworm) is even 67 MB, has three high-severity vulnerabilities, three medium-severity ones, and no fewer than 61 classified as "low". The hardened version based on Alpine (dhi.io/nginx:1-alpine3.21) is only 4 MB, and Docker lists not a single known vulnerability for it (counts as of the time of writing; scanner results change as new CVEs are published). A look inside the container confirms: Alpine's package manager apk is missing from the image.
Hardened images are available for many applications for which official images also exist, including MySQL, PHP, Node.js, Traefik, and MongoDB. We did not find a hardened image for the MySQL alternative MariaDB. To find the images, you need to log in to Docker Hub with a free account; they are currently not listed in the public area of the hub. After logging in, you land in an overview called "My Hub" and find the "Hardened Images" entry in the menu on the left. To use the images on a server, a development machine, or in a CI/CD environment, you must first run docker login dhi.io and authenticate with your username and a personal access token. You generate such a token by clicking on your initials in the top right corner, opening "Account Settings", and creating a token under "Personal access tokens" on the left; read permissions are sufficient for pulling images.
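The login and verification workflow described above, as an added shell example that is not part of the article or of Docker's own tooling. It assumes the environment variables DHI_USER and DHI_TOKEN hold your Docker Hub username and personal access token, and it uses the image tags named in the article. Instead of trusting the size and "no package manager" claims, it exports each image's filesystem and counts package-manager binaries, which works even for images that contain no shell at all.

```shell
#!/bin/sh
# Added example, not code from the article or from Docker Inc.: log in to
# dhi.io with a read-only personal access token, pull a hardened image and
# check that no package manager binary ships inside it.
# Assumptions: DHI_USER and DHI_TOKEN are set in the environment; the image
# tags are the ones named in the article.

IMAGE="${IMAGE:-dhi.io/nginx:1-alpine3.21}"

# Feed the token via stdin so it never shows up in shell history or ps output.
dhi_login() {
    printf '%s' "$DHI_TOKEN" | docker login dhi.io --username "$DHI_USER" --password-stdin
}

# List every path in an image's root filesystem without ever starting it.
# docker create does not execute anything, so the dummy command is harmless
# and keeps create from failing on images without a CMD. This works even when
# the image has no shell, which is the normal case for hardened images.
image_paths() {
    cid=$(docker create "$1" /bin/true) || return 1
    docker export "$cid" | tar -t
    docker rm "$cid" >/dev/null
}

# Read a path listing on stdin and print how many package-manager binaries it
# contains (apk for Alpine, apt/dpkg for Debian, plus the usual RPM-based ones).
# Paths from docker export look like "sbin/apk" or "usr/bin/apt-get".
count_pkg_managers() {
    grep -cE '^(\./|/)?(usr/)?s?bin/(apk|apt|apt-get|dpkg|yum|dnf|microdnf|rpm)$' || true
}

# Image size in bytes as reported by the local daemon.
image_size_bytes() {
    docker image inspect --format '{{.Size}}' "$1"
}

# Compare the hardened image with the official Alpine variant: size and the
# number of package-manager binaries found in each.
compare_images() {
    for img in nginx:alpine "$IMAGE"; do
        docker pull --quiet "$img" >/dev/null
        n=$(image_paths "$img" | count_pkg_managers)
        printf '%-32s %12s bytes  package managers: %s\n' \
            "$img" "$(image_size_bytes "$img")" "$n"
    done
}

# Only talk to the Docker daemon when explicitly asked:  sh dhi-check.sh check
if [ "${1:-}" = "check" ]; then
    dhi_login && compare_images
fi
```

Run it as `sh dhi-check.sh check` on a machine with Docker; a hardened image should report zero package managers, while nginx:alpine reports sbin/apk. The token stays out of the command line on purpose: `docker login` with the token as an argument would leave it in shell history and visible to other users via the process list.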
More Service for a Fee
In addition to the images, Docker Inc. has also released Helm charts for Kubernetes users that utilize the hardened images.
Docker Inc. still intends to earn money with hardened images, as the blog post announcing the news explains. Those with regulatory requirements, who need FIPS-compliant images for example, or who need a contractual guarantee of a response to critical CVEs within seven days, can opt for the paid "Docker Hardened Images Enterprise". In addition, Docker promises extended support for application versions that upstream developers no longer maintain ("DHI Extended Lifecycle Support").
(jam)