Tools

Tools: Introduction to DHI (2026)

2026-04-04 0 views admin
Tools: Introduction to DHI (2026)

What is DHI?

Why does it matter?

When should you use it?

How does it work?

Security by Default

Full Transparency

Hardened Supply Chain

Developer Friendly

How to Get Started?

1. Authenticate to the DHI Registry

2. Update your Dockerfile

Best Practices: Implementation Strategies

Adopt Multi-Stage Builds

Deep Debugging with "docker debug"

Conclusion Containers have become the core of modern application delivery. But as adoption grows, so does the attack surface. From vulnerable base images to supply chain risks, security is no longer optional—it’s foundational. This is where Docker Hardened Images (DHI) come into play. Docker Hardened Images are minimal, secure, and production-ready container images maintained directly by Docker. They are designed to reduce vulnerabilities from the start while simplifying compliance and integration into existing workflows. Docker Hardened Images features Instead of relying on generic base images and fixing issues later with scanners, DHI focuses on building a secure foundation from the beginning. Docker Hardened Images (DHI) are curated container images built with a strong focus on security, minimalism, and maintainability. They are designed to reduce the number of known vulnerabilities by limiting unnecessary packages and continuously applying patches. Most container vulnerabilities originate from base images. If your foundation is already risky, everything built on top inherits that risk. DHI minimizes this exposure early in the lifecycle. DHI combines multiple security layers: Using DHI doesn’t require additional software installation because it’s integrated directly into the Docker Engine. However, since it uses a specialized registry, you must first authenticate. Open your terminal and run the login command for the official dhi.io registry: You will be prompted for your Docker ID and Personal Access Token (PAT). Ensure your account has access to a Docker tier that supports DHI (Select or Enterprise tiers). Implementation is as simple as updating a single line in your Dockerfile. Just replace your standard image prefix with dhi.io/. Example: Standard Node.js Image Example: Hardened Node.js Image Since DHI images are designed to be extremely minimal—often lacking a shell (like /bin/sh) or a package manager (like apt/apk)—you should adopt the following strategies: DHI is a runtime-optimized image, not a build-time environment. Perform your compilation and dependency installation in a standard "builder" image, then copy only the necessary artifacts into the final DHI layer. Because DHI images lack an interactive shell, docker exec -it will not work by default. Instead, use the new Docker Debug capability to inspect your running containers: DHI represents a shift in how we think about container security. Instead of reacting to vulnerabilities after scanning, DHI helps prevent them from being introduced in the first place—starting from the base image. It doesn’t replace tools like Trivy or other scanners, but it significantly reduces the noise and risk those tools have to deal with. If you’re already building containers, adopting hardened images is one of the lowest-effort, highest-impact improvements you can make. Aight, thanks for taking the time read this post. Happy containerazation 🚀 Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 500;">docker login dhi.io -weight: 500;">docker login dhi.io -weight: 500;">docker login dhi.io FROM node:22-alpine # ... rest of your build FROM node:22-alpine # ... rest of your build FROM node:22-alpine # ... rest of your build FROM dhi.io/node:22 # ... rest of your build FROM dhi.io/node:22 # ... rest of your build FROM dhi.io/node:22 # ... rest of your build # Stage 1: Build (Standard Image) FROM node:22 AS builder WORKDIR /app COPY . . RUN -weight: 500;">npm -weight: 500;">install && -weight: 500;">npm run build # Stage 2: Runtime (Hardened Image) FROM dhi.io/node:22 WORKDIR /app COPY --from=builder /app/dist ./dist # DHI runs as a non-root user by default CMD ["node", "dist/index.js"] # Stage 1: Build (Standard Image) FROM node:22 AS builder WORKDIR /app COPY . . RUN -weight: 500;">npm -weight: 500;">install && -weight: 500;">npm run build # Stage 2: Runtime (Hardened Image) FROM dhi.io/node:22 WORKDIR /app COPY --from=builder /app/dist ./dist # DHI runs as a non-root user by default CMD ["node", "dist/index.js"] # Stage 1: Build (Standard Image) FROM node:22 AS builder WORKDIR /app COPY . . RUN -weight: 500;">npm -weight: 500;">install && -weight: 500;">npm run build # Stage 2: Runtime (Hardened Image) FROM dhi.io/node:22 WORKDIR /app COPY --from=builder /app/dist ./dist # DHI runs as a non-root user by default CMD ["node", "dist/index.js"] -weight: 500;">docker debug <container_id> -weight: 500;">docker debug <container_id> -weight: 500;">docker debug <container_id> - Secure, minimal, production-ready container images by Docker - Near-zero CVEs with continuous patching - Built-in SBOM, provenance (SLSA L3), and signed metadata - Drop-in replacement for existing Docker workflow - Available in Community, Select, and Enterprise tiers - When building production-grade applications - When compliance and security are priorities - When you want to reduce dependency on reactive scanning - Near-zero known vulnerabilities (CVEs) - Non-root containers by default - Minimal packages → smaller attack surface - Signed SBOM (Software Bill of Materials) - SLSA Level 3 build provenance - VEX (context about exploitability) - Cryptographic signatures for integrity - Packages built from source by Docker - Signed and verified artifacts - Reduced risk from compromised public registries - Built on Alpine and Debian, requiring minimal changes to adopt. Full support glibc and musl available in both variants for broad application compatibility - Compatible with existing CI/CD - No major workflow changes required - Docker Hardened Images - Docker Hardened Images Features

🏷️ Tags

toolsutilitiessecurity toolsintroductionmattershouldsecuritydefault

More from Tools

Tools: How SSH Actually Works (Step-by-Step for Developers) - Expert Insights

Tools: How SSH Actually Works (Step-by-Step for Developers) - Expert Insights

2026-04-04 0
Tools: Latest: Building a Production-Ready Full Stack App with Flutter, Django & PostgreSQL

Tools: Latest: Building a Production-Ready Full Stack App with Flutter, Django & PostgreSQL

2026-04-04 0
Tools: Docker vs Virtual Machines: When to Use Each in 2026

Tools: Docker vs Virtual Machines: When to Use Each in 2026

2026-04-04 0
Tools: Build Your First AI Agent with LangGraph — Step-by-Step Python Tutorial (2026)

Tools: Build Your First AI Agent with LangGraph — Step-by-Step Python Tutorial (2026)

2026-04-04 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views