Just over a year ago, we launched Docker Hardened Images (DHI) with a clear mission: make it easier for every development team to deploy secure container images without compromise. To mark this anniversary, we're sharing the key decisions, numbers, and principles that have shaped our journey so far. These aren't just statistics—they reflect a deliberate choice to build differently, prioritizing security, openness, and usability at every step.
From surpassing half a million daily pulls to building a multi-distro pipeline that respects your existing workflows, here are the ten things that define what we've built and why it matters.
1. Half a Million Daily Pulls and Growing
Earlier this month, Docker Hardened Images crossed 500,000 pulls per day. That's a lot of containers starting up with a higher security baseline. But the real story isn't the sheer volume; it's the trust those numbers represent. Every pull means a team chose to rely on our images for production security. And we're just getting started: the pipeline keeps expanding, and the daily count is climbing steadily.

2. Over 25,000 Continuously Patched OS Artifacts
Our SLSA Build Level 3 pipeline now processes more than 25,000 OS-level artifacts on a continuous basis. Every package is rebuilt and patched as soon as a new fix is available—no waiting for upstream releases. This means that every image in our catalog benefits from a proactive security posture that catches vulnerabilities before they become problems. The result: a constantly refreshed set of hardened components that protect your supply chain.
3. A Growing Catalog of 2,000+ Hardened Artifacts
Since launch, and especially after we introduced the free DHI Community tier, our catalog has expanded to over 2,000 items. This includes hardened container images, MCP servers, Helm charts, and ELS (Extended Lifecycle Support) images. And we're still adding more, with additional Debian packages and newer artifact types on the horizon. The goal is to cover the most common building blocks of cloud-native applications so teams don't have to compromise on security for any component.
4. Tens of Millions of Builds—and Counting
Continuous patching across multiple distros and versions means we're regularly running over a million builds per cycle. It's a massive engineering effort, but it's the only way to guarantee that every image is up to date. This scale is possible because we've automated the entire pipeline from source code to signed image, and we keep improving it every week. The result: a catalog where freshness is guaranteed, not just promised.
5. Choosing the Harder Path—on Purpose
In every product decision, we deliberately chose the harder path because it was better for developers and for ecosystem security. That meant making images free and open source instead of gated behind paywalls. It meant building a multi-distro product so adoption doesn't require migrating to a vendor's proprietary OS. It meant rebuilding every system package from source for the distros you already use. And it meant shipping comprehensive attestations with every image because true verifiability demands transparency. The harder path is the right path.
6. Free and Open Source: Security Is Not a Premium Feature
We released the complete DHI Community catalog under a permissive Apache 2.0 license, making hardened images freely available to every developer. Security should never be a luxury that only well-funded teams can afford. By removing the paywall, we raised the security baseline of the entire container ecosystem. And we've been doing this for over a decade with Docker Official Images, free for the community. An open foundation is the only way to achieve impact at scale.

7. Multi-Distro Architecture Avoids Migration Tax
Some vendors in this space have created entirely new Linux distributions and branded them as “distroless.” That's a proprietary OS your teams have never run, tested, or audited. We went a different route: we support the very distros you already use—Debian, Alpine, and more. Our hardened images are drop-in replacements. No need to migrate your tooling, change your package managers, or learn a new system. The migration tax is zero because we built for the real world.
8. Building from Source for Distros You Trust
Every system package in our pipeline is built directly from source code for the specific distribution and version you're running. This ensures that you get the exact dependencies your application expects, but with all known CVEs patched at compile time. There's no black-box binary swapping or opaque patching layers. You can see exactly what's in each image, because we publish the full source-to-image chain. Trust is earned through transparency.
9. Signed Attestations for Independent Verifiability
We ship a wide range of signed attestations with every image: SBOMs, provenance records, vulnerability scan results, and more. This isn't just for compliance checkboxes—it's for independent verifiability. Security teams need to be able to prove that an image was built honestly and hasn't been tampered with. Our SLSA Build Level 3 pipeline, combined with signed metadata, gives you that proof. No one should trust a container they can't verify.
10. Changing the Industry Standard for Hardened Images
As we looked at how other providers approach the same problems, we found troubling patterns: slow patch timelines, incomplete SBOMs, and sparse advisory coverage. Our approach—free, multi-distro, continuously patched, fully attested—aims to set a new standard. We're not just building a product; we're raising the bar for what “hardened” means. The industry has a long way to go, but with over half a million daily pulls, the shift is already underway.
This first year has been a testament to the power of choosing the harder path. We've proven that security, openness, and ease of use can coexist. The numbers are gratifying, but what matters most is the trust we've earned from the developer community. We'll keep building, patching, and improving—because the internet's security baseline depends on it.