Using Docker Hardened Images (DHI)
Container security has become a key concern for modern software development, as Docker images are increasingly used across development, testing, and production environments. Docker Hardened Images (DHI) provide a solution focused on improving security, reducing attack surfaces, and creating more reliable container workloads. By starting from carefully maintained and security-oriented base images, DHI helps organizations build applications with stronger foundations. More information is available from Docker.
One of the main advantages of Docker Hardened Images is their minimal and optimized design. Traditional container images often include unnecessary packages, tools, or system components that increase the potential attack surface. DHI follows a different approach by reducing the number of included components while maintaining the required runtime environment. This makes vulnerability management easier and allows teams to focus on the application itself rather than maintaining unnecessary dependencies.
Docker Hardened Images also improve software supply chain security. They are built with security practices in mind, helping developers use trusted and regularly maintained foundations for their applications. This approach supports DevSecOps practices by making security an integral part of the image creation process, from the initial build stage through deployment and maintenance.
Another important benefit of DHI is operational efficiency. Smaller and cleaner images generally lead to faster transfers, reduced storage requirements, and simpler lifecycle management. They also improve reproducibility by providing a consistent base environment across development and production, which reduces unexpected differences between environments.
However, using Docker Hardened Images alone does not always eliminate every vulnerability that could be removed. Some components may still require additional attention, especially when security fixes or newer stable versions are available upstream but not yet included in the base image. For example, rebuilding specific tools such as Git LFS from source can provide access to the latest stable release and reduce exposure to known issues or CVEs. This compilation should be performed in a dedicated intermediate build image so that compilers, development libraries, and temporary build dependencies do not remain in the final production image. A multi-stage build is the usual way to achieve this, as described in the Docker documentation.
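The multi-stage pattern described above, as an added illustration rather than the Dockerfile from the original article: Git LFS is compiled in a throwaway Go build stage and only the resulting binary is copied into the hardened runtime image. The Go toolchain image, the Git LFS version tag and the DHI base image reference are all placeholders to be replaced with the values your organisation uses.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: throwaway build image. The Go toolchain, git and build caches
# live only here and never reach the final image.
# golang:1.23-bookworm is an assumption; any Go toolchain image that ships git works.
FROM golang:1.23-bookworm AS builder

# Placeholder: pin this to the latest stable upstream Git LFS release tag.
ARG GIT_LFS_VERSION=x.y.z
WORKDIR /src
RUN git clone --depth 1 --branch "v${GIT_LFS_VERSION}" \
        https://github.com/git-lfs/git-lfs.git .

# Build a static, stripped binary so it depends on no shared libraries
# that might be absent from a minimal hardened runtime image.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/git-lfs .

# Stage 2: the hardened runtime. The reference below is a placeholder for the
# Debian-based Docker Hardened Image mirrored into your registry.
ARG DHI_BASE=registry.example.com/dhi/debian-base:placeholder-tag
FROM ${DHI_BASE} AS runtime

# Only the compiled binary crosses the stage boundary. No RUN steps here:
# hardened runtime variants may ship without a shell or package manager.
COPY --from=builder /out/git-lfs /usr/local/bin/git-lfs
```

After building, compare the final image's package inventory against the builder stage to confirm that no compiler or Go toolchain files were carried over.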
For our use case, Debian was selected as the base image because it provides excellent compatibility with tools such as Playwright, making browser automation easier to integrate without complex dependency management. The previous images were already carefully optimized, so the improvement achieved was not merely the result of removing obviously unused components. Moving to Docker Hardened Images still reduced image size by around 30%, demonstrating that DHI can provide additional optimization and security benefits even when starting from an already streamlined container image.
