Docker Makes 1,000+ Hardened Container Images Free Under Apache 2.0
Previously commercial offering now open source with SLSA Build Level 3 provenance, non-root defaults, and complete SBOMs.
Docker has made its catalogue of more than 1,000 hardened container images freely available under the Apache 2.0 license. Previously a commercial offering launched in May 2025, Docker Hardened Images are now accessible to all developers.
Security by Default
The hardened images are built on Debian and Alpine Linux distributions, designed to reduce attack surfaces by eliminating unnecessary components such as package managers and shells. Images run as non-root users by default, addressing one of the most common container security misconfigurations.
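The three properties named above (non-root default user, no shell, no package manager) can be checked on any image. The following is an added example, not Docker's own tooling: it assumes the image metadata comes from `docker image inspect` and the file listing from `docker export <container> | tar -t`; the function names, binary lists and sample data are constructed for illustration.

```python
import posixpath

# Binaries the paragraph says a hardened image should not ship (illustrative lists).
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "apk"}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"}


def runs_as_root(user_field):
    """Interpret Config.User from `docker image inspect` (format: user[:group])."""
    user = (user_field or "").split(":", 1)[0].strip()
    # An empty User means the runtime default, which is UID 0.
    # Limitation: a named user is not resolved against /etc/passwd here,
    # so a custom name mapped to UID 0 would not be caught.
    return user in ("", "0", "root")


def audit_image(inspect_entry, file_paths):
    """Return findings for one image.

    inspect_entry: one element of the JSON array from `docker image inspect`.
    file_paths: paths in the image filesystem (tar listing, one per entry).
    """
    findings = []
    config = inspect_entry.get("Config") or {}
    if runs_as_root(config.get("User")):
        findings.append("runs as root (Config.User=%r)" % config.get("User", ""))
    for raw in file_paths:
        # Tar listings may start with "./" or "/"; directories end with "/".
        path = posixpath.normpath(raw.lstrip("./"))
        directory, name = posixpath.split(path)
        if directory not in BIN_DIRS:
            continue
        if name in SHELLS:
            findings.append("shell present: /" + path)
        elif name in PACKAGE_MANAGERS:
            findings.append("package manager present: /" + path)
    return findings


# Constructed sample data (not output from any real image).
STOCK = {"Config": {"User": ""}}
STOCK_FILES = ["bin/", "bin/sh", "usr/bin/apt-get", "usr/bin/python3", "etc/passwd"]
HARDENED = {"Config": {"User": "65532:65532"}}
HARDENED_FILES = ["usr/bin/python3", "etc/passwd", "home/nonroot/"]

if __name__ == "__main__":
    for label, entry, files in (("stock", STOCK, STOCK_FILES),
                                ("hardened", HARDENED, HARDENED_FILES)):
        print(label, audit_image(entry, files) or "no findings")
```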
Supply Chain Security
Each hardened image includes complete software bills of materials (SBOMs), transparent vulnerability data, and cryptographic proof of authenticity with SLSA Build Level 3 provenance. This comprehensive documentation enables organizations to verify exactly what's running in their containers.
AI-Assisted Migration
Docker has extended its AI tool, the Docker AI Assistant, to scan existing containers and recommend equivalent hardened images. This automation simplifies the migration path for organizations looking to improve their container security posture without manual image auditing.
MCP Server Hardening
Docker is extending its hardening methodology to Model Context Protocol (MCP) servers, recognizing the growing importance of securing AI agent infrastructure. This expansion addresses emerging security needs as agentic AI becomes more prevalent in production environments.