Docker Hardened Images now open source and available for free
More than 1,000 Docker Hardened Images (DHI) are now freely available and open source for software builders, under the Apache 2.0 license.
Docker is a popular platform that enables developers to build, test, and deploy applications quickly inside container images that include the required dependencies, allowing for predictable and repeatable results across various systems and environments.
DHIs, launched in May this year, are secure, minimal, production-ready Docker base images maintained directly by Docker. They are designed to reduce the attack surface and supply-chain risks at the container layer.
DHIs are rootless, stripped of unnecessary components, free of known vulnerabilities, and support the Vulnerability Exploitability eXchange (VEX) standard for leaner security management.
Docker also guarantees that fixes for new flaws in existing DHI components are pushed within 7 days of their disclosure.
In October, the Docker team announced that it would open unlimited access to its entire DHI catalog of 1,000 images to all developer teams and also offer a 30-day free trial to all subscribers.
However, Docker has decided to turn DHIs from a commercial offering into one that is available subscription-free to all developers.
“Today, we are establishing a new industry standard by making DHI freely available and open source to everyone who builds software. All 26 Million+ developers in the container ecosystem,” reads the announcement.
“DHI is fully open and free to use, share, and build on with no licensing surprises, backed by an Apache 2.0 license. DHI now gives the world a secure, minimal, production-ready foundation from the very first pull,” the company said.
Docker has highlighted that the move does not come with security discounts for DHI, as the images remain SBOM-verifiable, the builds provide SLSA Build Level 3 provenance, and every image is accompanied by proof of authenticity.
However, the 7-day critical CVE patching commitment (SLA) is still exclusive to the commercial tier, DHI Enterprise, which is still available. Patches will still be provided to the free tier, but not within a pre-defined time period.
Regarding DHI Enterprise and the time to fix flaws, Docker states it aims to reduce that time to a single day or even less. The commercial tier also allows modifying DHI images, configuring runtimes, and installing additional tools.
Docker users can access the full DHI catalog and subscription options from here.
