Quick Facts
- Category: Cloud Computing
- Published: 2026-05-04 11:09:33
Introduction
Securing containerized applications starts with the foundation: your base images. Over the past year, we’ve built Docker Hardened Images (DHI) to give every team a reliable, verifiable, and free way to raise their security baseline. This guide walks you through the practical steps to integrate hardened images into your workflow, from understanding the landscape to leveraging continuous patching and attestations. Whether you’re new to container security or looking to level up, these steps will help you adopt a solution that chose the harder path—building from source, supporting multiple distributions, and staying open source.

What You Need
- A container runtime (e.g., Docker Engine ≥ 20.10, Podman, or containerd)
- Access to a registry (Docker Hub, GitHub Container Registry, or your private registry)
- A CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins, or similar)
- Familiarity with Dockerfiles and basic Linux commands
- Optional but recommended: SLSA verification tooling (e.g., cosign, slsa-verifier)
Step-by-Step Guide
Step 1: Understand the Hardened Image Landscape
Before diving in, know what you’re getting. DHI are not another “distroless” lock-in. They are multi-distro—built on Debian, Alpine, and other mainstream OSes you already run—so adoption is drop-in. Every OS-level package is compiled from source in a SLSA Build Level 3 pipeline, delivering signed attestations (SBOM, provenance, vulnerability data) with each image. More than 2,000 images are available in the free Community tier, with tens of thousands continuously patched. This foundation means you never inherit vendor-specific migration taxes.
Step 2: Get Started with DHI Community
Navigate to Docker Hub or your preferred registry. Search for “hardened” alongside your stack (e.g., hardened-nginx, hardened-node). All DHI Community images are published under the Apache 2.0 license—no paywall, no login required. Simply pull the image:
docker pull chainguard/hardened-nginx:latest
This gives you a minimal, hardened base with only production dependencies. For a list of all available images, see the Chainguard Images catalog.
Step 3: Choose Your Base Image – Multi-Distro Strategy
DHI supports multiple distributions. For most workloads, start with Debian-based images for broad compatibility. If you need maximum minimalism, use Alpine-based images. Here’s how to pick in your Dockerfile:
FROM chainguard/hardened-debian:latest
# or
FROM chainguard/hardened-alpine:latest
No need to rewrite your application code. The drop-in replacement nature means your existing Dockerfile instructions (RUN, COPY, CMD) work unchanged. Test both variants in your staging environment to verify behavior.
Step 4: Integrate into Your Build Pipeline
Update your CI/CD configuration to use DHI as base images. Example with GitHub Actions:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build hardened image
        run: docker build -t my-app:latest .
      - name: Push to registry
        run: docker push my-app:latest
For maximum security, add a step that verifies the image attestations before deploying; see Step 6 for the verification commands. Your CI should now pull the hardened base, build your app layer, and tag accordingly.

Step 5: Leverage Continuous Patching
Every artifact in the DHI catalog is continuously patched—across CVEs, distributions, and versions. We run over a million builds regularly to keep images up to date. To benefit, simply re-pull the base image tag (e.g., latest) in your CI. For production, pin to a specific digest or use a rolling tag like stable. Set up a weekly scheduled workflow to rebuild your application image and re-pull the hardened base. Example:
docker pull chainguard/hardened-nginx:latest
This ensures your deployments always include the latest security fixes without manual effort.
Step 6: Verify with Signed Attestations
Every DHI image ships with multiple signed attestations: software bill of materials (SBOM), SLSA provenance, and vulnerability scanning results. To verify independently, use cosign:
# cosign 2.x keyless verification requires the expected signer identity and OIDC issuer
# (placeholders below; substitute the values published for the images you pull).
# The SBOM predicate type is assumed to be SPDX JSON; cosign accepts no "sbom" type.
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity '<signer-identity-placeholder>' \
  --certificate-oidc-issuer '<oidc-issuer-placeholder>' \
  chainguard/hardened-nginx:latest
Or use slsa-verifier for provenance. Check that the subject digest in each attestation matches the digest of the image you are about to deploy. This step ensures you’re running exactly what was built in our pipeline—no tampering.
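A CI gate for the digest check in this step, and for the verification step Step 4 asks you to add before deployment, as an added example that is not part of the original guide or of any DHI tooling: it reads the DSSE envelopes that cosign verify-attestation prints (one JSON object per line) and fails unless each one is an attestation of the expected kind whose subject digest equals the digest pinned for deployment. The predicate-type URIs, the gate.py file name and the constructed sample envelope are assumptions.

```python
import base64
import json
import sys

# Predicate-type URIs cosign uses for the two attestation kinds in this guide.
# Assumed; adjust to what your registry publishes (e.g. CycloneDX SBOMs).
EXPECTED_PREDICATES = {
    "sbom": "https://spdx.dev/Document",
    "provenance": "https://slsa.dev/provenance/v1",
}

def decode_statement(envelope_json: str) -> dict:
    """Unwrap one DSSE envelope (one line of `cosign verify-attestation` output)
    and return the in-toto Statement carried in its base64 payload."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def attestation_matches(envelope_json: str, pinned_digest: str, kind: str) -> bool:
    """True only if the statement is of the expected kind and every subject carries
    the pinned sha256. Signature validity is cosign's job; this stops a moved tag or
    an attestation for a different build from passing the gate."""
    stmt = decode_statement(envelope_json)
    if stmt.get("predicateType") != EXPECTED_PREDICATES[kind]:
        return False
    want = pinned_digest.removeprefix("sha256:").lower()
    subjects = stmt.get("subject") or []
    return bool(subjects) and all(
        s.get("digest", {}).get("sha256", "").lower() == want for s in subjects)

def make_envelope(predicate_type: str, sha256: str) -> str:
    """Constructed sample for offline testing: an unsigned DSSE envelope laid out
    the way cosign emits them (the signature value is a placeholder)."""
    stmt = {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": predicate_type,
            "subject": [{"name": "index.docker.io/chainguard/hardened-nginx",
                         "digest": {"sha256": sha256}}],
            "predicate": {}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "<placeholder>"}]})

if __name__ == "__main__":
    # CI usage: cosign verify-attestation ... IMAGE | python3 gate.py sha256:<digest> sbom
    pinned, kind = sys.argv[1], sys.argv[2]
    results = [attestation_matches(line, pinned, kind) for line in sys.stdin if line.strip()]
    sys.exit(0 if results and all(results) else 1)
```

Run it with the digest you resolved for the deployment (not a tag), so that a tag that moved between pull and deploy fails the gate rather than silently passing.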
Step 7: Scale and Monitor
As your organization adopts DHI, track usage and vulnerability trends. Since all images are open source, you can also audit the pipeline publicly. Set up alerts for newly published patches via our advisory page. With 500k+ daily pulls and growing, DHI is battle-tested. For production at scale, consider the Enterprise tier for extended lifecycle support (ELS) and additional image types (Helm charts, MCP servers).
Tips for Success
- Start with one service. Replace a non-critical container with a DHI base to test compatibility before rolling out widely.
- Leverage the free Community tier. Security shouldn’t be a premium feature—all 2,000+ images are freely available under Apache 2.0.
- Automate attestation verification in your CI/CD as a gate before deployment. This builds confidence in the supply chain.
- Don’t fall for proprietary “distroless” lock-in. DHI uses distributions you already know—no migration tax.
- Monitor the continuous patching cadence. With over a million builds running regularly, you get fast response to new CVEs.
- Join the community. Feedback and contributions help improve the catalog for everyone.