Docker Releases Hardened Images For Free - What Does It Do Differently?
Written by Nikos Vaggalis   
Thursday, 08 January 2026

Yet another provider jumps on the hardened image bandwagon. But since it's Docker, the main player in the container space, this is very important.

 


At IProgrammer we follow the hardened images collective closely. We recently covered such a move from Bellsoft, see BellSoft Introduces Hardened Container Images, where we described the issues arising from running container images, and how they are resolved by locked down images comprising the bare essentials.

But before comparing Docker's solution with BellSoft's, let's first examine what the Docker move means. Docker is, of course, the king of base images, affecting 26 million+ developers in the container ecosystem. Docker Hardened Images (DHI) were in fact released in May 2025. Those images were minimal, secure and production-ready, but not free. Since December, they have been fully open sourced and made free to use under the permissive Apache 2.0 license.

This is important because it means that a secure-by-default foundation for the entire software ecosystem is now established, ensuring that high-level security is no longer a "premium feature" reserved for large enterprises; every developer and every application should use DHI without restrictions, to enjoy the following key advantages:

Minimalist Design: DHI uses a distroless runtime to shrink the attack surface by removing non-essential tools that attackers exploit, while retaining the tools developers need.

Significant Size Reduction: These images are up to 95% smaller than standard images.

Reduced CVE surface: By reducing the code footprint, the number of vulnerabilities is minimized—guaranteed near-zero in the Enterprise version.

Verifiable Evidence: Every image comes with a complete and verifiable Software Bill of Materials (SBOM) and provides SLSA Build Level 3 provenance, allowing teams to prove exactly what is in their images and where they came from.

Broad Compatibility: DHI principles are extended across the software stack, including Hardened Helm Charts and Hardened MCP Servers for databases like MongoDB and Grafana.

Regulatory Compliance: Includes images that are FIPS-enabled, STIG-ready, and compliant with CIS benchmarks.
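
To make the "Verifiable Evidence" and "Minimalist Design" points concrete, here is an added example (not code from Docker or from the original article) of a policy check a team could run over an image's SLSA provenance statement and SPDX SBOM before admitting the image. The digest, builder id, registry name and forbidden-package list are constructed placeholders, and the check assumes the attestation's signature has already been verified by a separate tool.

```python
import json

# Constructed sample data: digest, builder id and package names are placeholders,
# not values published by Docker. Signature verification is assumed done elsewhere.
PINNED_DIGEST = "a" * 64
TRUSTED_BUILDERS = {"https://builder.example/hardened-images"}
# Local policy (an assumption): tools a minimal runtime image should not ship.
FORBIDDEN_PACKAGES = {"bash", "busybox", "apt", "apk-tools", "curl", "wget"}

PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app-runtime",
                 "digest": {"sha256": PINNED_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {"id": "https://builder.example/hardened-images"}}},
})
SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "ca-certificates"}, {"name": "libssl3"}, {"name": "tzdata"}],
})

def check_provenance(statement_json, expected_sha256, trusted_builders):
    """Return a list of policy violations for an in-toto / SLSA v1 statement."""
    st = json.loads(statement_json)
    problems = []
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")
    # The provenance must be about the exact digest we deploy, not just a tag.
    digests = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if expected_sha256 not in digests:
        problems.append("provenance does not cover the pinned image digest")
    builder = st.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder}")
    return problems

def forbidden_in_sbom(sbom_json, forbidden):
    """Return SBOM package names that the local policy does not allow."""
    pkgs = {p.get("name", "").lower() for p in json.loads(sbom_json).get("packages", [])}
    return sorted(pkgs & forbidden)

def admit(statement_json, sbom_json, expected_sha256):
    """Combine both checks; an empty list means the image passes the policy."""
    problems = check_provenance(statement_json, expected_sha256, TRUSTED_BUILDERS)
    problems += [f"unexpected tool in image: {n}"
                 for n in forbidden_in_sbom(sbom_json, FORBIDDEN_PACKAGES)]
    return problems

if __name__ == "__main__":
    print(admit(PROVENANCE, SBOM, PINNED_DIGEST) or "image admitted")
```

Pinning by digest is what ties the two documents to the bytes actually deployed; a statement that matches only a tag proves nothing about a later push to that tag.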

All fine, but in the end how do these differ from the hardened images provided by other vendors? We'll take BellSoft's images as the example.

1. Underlying Operating System & Foundation

Docker Hardened Images (DHI): These are built on Alpine and Debian. Docker chose these because they are trusted, open-source foundations that most development teams are already familiar with, allowing for adoption with minimal friction.

BellSoft Hardened Images: These are exclusively based on Alpaquita Linux. BellSoft uses this specific Linux distribution to provide a specialized, minimized environment tailored for their supported runtimes.

2. Primary Focus and Specialization

Docker’s approach is broad, aiming to secure the "universal path to production" for all developers, while BellSoft’s offering is highly specialized, particularly for Java workloads (like incorporating CRaC), offering a "single accountability" model where one vendor supports both the OS and the runtime.

3. Licensing and Commercial Model

As already said, DHI are now free and open source (Apache 2.0) for all developers. Docker retains a commercial "Enterprise" tier for organizations needing guaranteed SLAs (7-day critical CVE remediation), FIPS compliance, or Extended Lifecycle Support (ELS).

BellSoft's images are available for free on various registries. Their value proposition leans heavily on the integrated support model ("Single SLA") covering the OS, runtime, and vulnerability management together.

So which to go for? Answer: it depends. Choose Docker Hardened Images if you want a general-purpose, open-source secure foundation based on familiar OSs (Debian/Alpine) or if you are working with AI agents and MCP servers. Choose BellSoft Hardened Images if you are running Java workloads (specifically OpenJDK/Liberica) and want to leverage performance features like CRaC or require a single vendor to support both your Linux OS and your Language Runtime.

In any case, hardened images are the way to go in securing the software supply chain, and the industry is waking up to that fact.

 

More Information

A Safer Container Ecosystem with Docker: Free Docker Hardened Images

Docker Hardened Images quickstart  

Related Articles

BellSoft Introduces Hardened Container Images

 
