• DHI removes package managers and shells to limit attack surface, but developers still need tools for setup.
• Customizing DHI via the Docker Hub UI lets platform teams create "golden images" with added CA certs and agents.
• The Hub UI auto-rebuilds custom layers when the base DHI receives security patches, eliminating manual CI triggers.
• Multi-stage builds give developers fine-grained control, allowing them to add only required libraries before slimming down to DHI.
• Golden images ensure consistent, compliant foundations across internal teams while preserving a minimal runtime footprint.
• Both strategies keep the vulnerability count at zero, maintain SLSA provenance, and simplify patch management.

Article Summaries:

  • Customizing Docker Hardened Images

    In Part 1 and Part 2, we established the baseline. You migrated a service to a Docker Hardened Image (DHI), witnessed the vulnerability count drop to zero, and verified the cryptographic signatures and SLSA provenance that make DHI a compliant foundation. But no matter how secure a base image is, it is useless if you can't run your application on it. This brings us to the most common question engineers ask during a DHI trial: what if I need a custom image? Hardened images are minimal by design. They lack package managers (apt, apk, yum), utilities (wget, curl

Sources: