
10 Reasons Why Docker Hardened Images Are Built the Hard Way (and Why That Matters)

Published: 2026-05-02 12:48:48 | Category: Cloud Computing

It's been nearly a year since we launched Docker Hardened Images (DHI), and earlier this month, we passed a major milestone: over 500,000 daily pulls and more than 25,000 continuously patched OS-level artifacts flowing through our SLSA Build Level 3 pipeline. Looking back, it's not the numbers that stand out—it's the deliberate choices we made along the way. At every product and engineering decision point, we consistently chose the option that was harder to build and operate but better for developers and for ecosystem security. Here are 10 things you need to know about how we chose the harder path—and why it matters.

1. The 500k Daily Pulls Milestone Is Just the Start

Crossing 500,000 daily pulls of Docker Hardened Images isn't just a vanity metric—it's a signal of trust. Behind that number is a pipeline that runs over a million builds regularly, patching every artifact across CVEs, distros, and versions. We've grown from a handful of images to a catalog of 2,000+ hardened images, MCP servers, Helm charts, and ELS images. And we're just getting started: more Debian packages, ELS images, and newer artifact types are coming soon. The milestone shows that developers are willing to adopt a harder path when it means better security out of the box.

[Image: 10 Reasons Why Docker Hardened Images Are Built the Hard Way (and Why That Matters) | Source: www.docker.com]

2. We Chose Open Source Over a Paywall

Security shouldn't be a premium feature. That's why we made Docker Hardened Images freely available under a permissive Apache 2.0 license. While the industry norm is to gate hardened images behind paid subscriptions, we open-sourced the entire catalog. This decision was harder to sustain—building and maintaining a hardened image pipeline at this scale isn't cheap—but it raised the security baseline for the entire ecosystem. Every team, from startups to large enterprises, gets the same level of hardened artifacts without a financial barrier.

3. Multi-Distro Means No Migration Tax

Some vendors in this space have created their own Linux distribution, often branded as 'distroless', and call it a security improvement. In practice, that's a proprietary OS your teams have never run, tested, or audited. Docker Hardened Images take a different approach: we build for established Linux distributions like Debian and Alpine, which you already use. Adoption is drop-in, and there's no migration tax. You keep your existing tooling, testing, and expertise—and you get hardened images that work out of the box.

4. We Build Every System Package from Source

To maximize transparency and verifiability, we compile every system package from source for the distributions you already run. That's much harder than repackaging pre-built binaries, but it's the only way to ensure every dependency is patched, audited, and built with the same SLSA Level 3 guarantees. This approach also allows us to provide signed attestations for every artifact, so you can independently verify the integrity of each package.

5. Every Image Ships Signed Attestations for Independent Verifiability

Shipping a container image is one thing; shipping all the evidence needed to trust it is another. Every Docker Hardened Image comes with a rich set of signed attestations: SBOMs, provenance statements, and build metadata. These are not optional extras—they're requirements for SLSA Build Level 3 compliance. Independent verifiability means you don't have to take our word for it; you can check the signatures, inspect the SBOM, and confirm the build pipeline yourself.
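Sections 4 and 5 above describe what "independent verifiability" is supposed to give you: a signed provenance statement whose inputs are pinned and whose builder you can name. The script below is an added example, not Docker's code or tooling. It checks the content of an in-toto Statement carrying a SLSA provenance v1 predicate (a layout defined by those specifications, not by this article): the subject digest must match the image you pulled, the builder id must be the one you expect, every resolved dependency must be pinned by a digest, the declared source must appear among the resolved inputs, and the build must be recent. The statement, the builder id, the build type, the image name and all digests are constructed placeholders. Verifying the signature on the DSSE envelope is assumed to have been done before this step; the point here is that a valid signature from the wrong builder, or over a different digest, must still be rejected.

```python
"""Content checks on a SLSA v1 provenance attestation for a container image.

Added example, not Docker's code. The statement below is constructed to show
the in-toto/SLSA v1 layout; the builder id, build type, image name and digests
are placeholders. Signature verification of the DSSE envelope is assumed to
have been done already; this checks what the signed statement says.
"""
import json
from datetime import datetime

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Placeholder for the builder identity your policy expects (assumption).
EXPECTED_BUILDER_ID = "https://example.invalid/builders/slsa-l3@v1"
MAX_BUILD_AGE_DAYS = 30  # policy knob: reject images that were not rebuilt recently

# Constructed sample statement; every value is a placeholder.
SAMPLE_STATEMENT = json.dumps({
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": "example.invalid/hardened/app",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/container@v1",
            "externalParameters": {
                "source": {"uri": "git+https://example.invalid/src/app",
                           "digest": {"gitCommit": "b" * 40}}},
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/src/app",
                 "digest": {"gitCommit": "b" * 40}},
                {"uri": "pkg:deb/debian/openssl@3.0.15-1",
                 "digest": {"sha256": "c" * 64}},
            ],
        },
        "runDetails": {
            "builder": {"id": EXPECTED_BUILDER_ID},
            "metadata": {"invocationId": "build-0001",
                         "startedOn": "2026-04-30T10:00:00Z",
                         "finishedOn": "2026-04-30T10:07:00Z"},
        },
    },
})


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; map a trailing 'Z' to an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_provenance(statement_json, image_digest,
                     expected_builder_id=EXPECTED_BUILDER_ID,
                     now="2026-05-02T00:00:00Z"):
    """Return a list of policy failures; an empty list means the statement passes."""
    stmt = json.loads(statement_json)
    failures = []

    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        failures.append("not an in-toto v1 Statement")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("predicateType is not SLSA provenance v1")

    # 1. The subject binds the attestation to one exact image digest.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in digests:
        failures.append("subject digest does not match the image digest")

    pred = stmt.get("predicate", {})
    build = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})

    # 2. The build must come from the builder you trust, not merely any valid signer.
    builder_id = run.get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        failures.append(f"unexpected builder id: {builder_id!r}")

    # 3. Every input the builder resolved must be pinned by a digest.
    for dep in build.get("resolvedDependencies", []):
        if not dep.get("digest"):
            failures.append(f"unpinned dependency: {dep.get('uri')}")

    # 4. The source named in externalParameters must be among the resolved
    #    inputs with the same digest, so recorded inputs match what was requested.
    src = build.get("externalParameters", {}).get("source", {})
    resolved = {(d.get("uri"), json.dumps(d.get("digest"), sort_keys=True))
                for d in build.get("resolvedDependencies", [])}
    if src and (src.get("uri"), json.dumps(src.get("digest"), sort_keys=True)) not in resolved:
        failures.append("declared source is not among resolved dependencies")

    # 5. A continuously patched image should have been rebuilt recently.
    finished = run.get("metadata", {}).get("finishedOn")
    if not finished:
        failures.append("missing finishedOn timestamp")
    else:
        age = _parse_ts(now) - _parse_ts(finished)
        if age.days > MAX_BUILD_AGE_DAYS:
            failures.append(f"build is {age.days} days old (limit {MAX_BUILD_AGE_DAYS})")
    return failures


if __name__ == "__main__":
    print(check_provenance(SAMPLE_STATEMENT, "a" * 64))  # prints [] for the sample
```

In a real admission-control hook you would feed `check_provenance` the statement extracted from the verified envelope and the digest of the image actually being deployed, never the tag, since a tag can move while a digest cannot.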

6. Continuous Patching Means Never Outdated

Most software supply chain attacks exploit known vulnerabilities that should have been patched weeks or months ago. Our pipeline continuously patches every artifact in the catalog—across CVEs, distros, and versions—the moment a fix is available. We don't batch updates into quarterly releases. This is operationally demanding: we're currently running over a million builds regularly just to keep everything fresh. But it eliminates the 'window of exposure' that other providers accept.
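The 'window of exposure' in the paragraph above is something you can measure for any image rather than take on trust: compare the package versions recorded in its SBOM with the first fixed version in each advisory, and count the days between the fix being published and the image being built. The script below is an added example, not Docker's code. The CycloneDX-style SBOM and the advisory list are constructed with placeholder ids (`ADV-PLACEHOLDER-*`); in practice the advisories would come from a vulnerability feed and the SBOM from the image's attestation. The version comparison is a simplified stand-in for full dpkg/apk semantics, enough for the sample versions but not a replacement for a real package-manager comparison.

```python
"""Measure the window of exposure of an image from its SBOM.

Added example, not Docker's code. The SBOM and advisory list are constructed
with placeholder ids. The version comparison splits on '.', ':', '-', '+' and
'~' and compares numeric parts numerically; this is a simplification of
dpkg/apk version ordering and is only meant to be adequate for the sample.
"""
import json
import re
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical Debian-based image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.15-1",
         "purl": "pkg:deb/debian/openssl@3.0.15-1?distro=debian-12"},
        {"type": "library", "name": "zlib1g", "version": "1:1.3.dfsg-3",
         "purl": "pkg:deb/debian/zlib1g@1:1.3.dfsg-3?distro=debian-12"},
        {"type": "library", "name": "curl", "version": "8.5.0-2",
         "purl": "pkg:deb/debian/curl@8.5.0-2?distro=debian-12"},
    ],
})

# Constructed advisories: package, first fixed version, date the fix was published.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "openssl",
     "fixed_version": "3.0.16-1", "published": "2026-04-20"},
    {"id": "ADV-PLACEHOLDER-2", "package": "zlib1g",
     "fixed_version": "1:1.3.dfsg-3", "published": "2026-03-01"},
    {"id": "ADV-PLACEHOLDER-3", "package": "curl",
     "fixed_version": "8.5.0-1", "published": "2026-02-10"},
]


def version_key(version):
    """Split a version string into comparable parts; numeric parts sort before text."""
    parts = re.split(r"[.:\-+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_older(installed, fixed):
    """True when the installed version is strictly below the first fixed version."""
    return version_key(installed) < version_key(fixed)


def exposure_report(sbom_json, advisories, image_built_on):
    """Return one entry per component still below an advisory's fixed version,
    with the number of days the fix had been available when the image was built."""
    built = date.fromisoformat(image_built_on)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    report = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in by_package.get(comp["name"], []):
            if is_older(comp["version"], adv["fixed_version"]):
                fix_published = date.fromisoformat(adv["published"])
                report.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_version": adv["fixed_version"],
                    # Days the fix was already public when this image was built.
                    "days_exposed": max(0, (built - fix_published).days),
                })
    return report


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_SBOM, SAMPLE_ADVISORIES, "2026-04-30"):
        print(row)
```

Run against the sample, only `openssl` is reported: `zlib1g` is already at the fixed version and `curl` is above it. A provider that patches continuously should keep `days_exposed` near zero across the catalog; a provider that batches fixes into periodic releases will show it growing between releases, which is the difference the paragraph above is describing.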


7. A Decade of Hard Work with Docker Official Images

Docker Hardened Images didn't come out of nowhere. They build on over a decade of experience with Docker Official Images, which we've maintained freely for the community. That long history taught us what works at scale, what developers need, and where the industry falls short. The hardened pipeline is the natural evolution of that commitment, not a pivot from a proprietary model. We've been choosing the harder path for ten years, and DHI is the next step.

8. The Community Tier Proves Security Can Be Free

With the release of the DHI Community tier under Apache 2.0, we've demonstrated that security does not have to be a premium add-on. The community tier covers the most popular images and is fully functional—no artificial limits. This makes it possible for students, hobbyists, small teams, and even large organizations to use hardened images without negotiating a budget. The impact at scale is only possible because the foundation is open.

9. We Don't Create a Proprietary OS—We Enhance the Ones You Love

The 'distroless' craze convinced many teams to abandon the OS they know for a black box. Docker Hardened Images take the opposite approach: we harden the distributions you already trust—Debian, Alpine, and soon more. Instead of forcing you to learn a new package manager, audit a new kernel, or debug a new init system, we just make your existing base images more secure. That's a harder engineering challenge because we have to support a broader surface, but it's better for your team.

10. Transparency in Patching Outshines the Competition

We looked closely at how other hardened image providers handle patching timelines, SBOM completeness, and advisory coverage. Many batch fixes, delay disclosure, or ship incomplete metadata. Docker Hardened Images are designed for transparency: our patching is continuous, our SBOMs are comprehensive, and our advisory coverage includes both severity and provenance. When you evaluate a hardened image provider, these are the criteria that matter—and it's why we chose the harder path on every front.

Looking back on the first year, the numbers are encouraging, but the real story is the philosophy behind them. We chose the harder path because it's the right one for developers and for the security of the ecosystem. Open source, multi-distro, continuous patching, independent verifiability—these aren't trade-offs; they're commitments. And we're just getting started. If you haven't tried Docker Hardened Images yet, give them a spin. The catalog is free, open, and built for you.