
Docker Open-Sources Hardened Container Images with SBOM and VEX Support
Docker has released its catalog of hardened container images under the Apache 2.0 license, making them freely available to all users. These images, such as dhi.io/node:24, serve as direct replacements for standard images like node:24 while offering significant security and efficiency improvements. Notably, the hardened Node image is substantially smaller at 56 MB compared to the standard 400 MB image, and it contains 722 fewer packages. This reduction in size and complexity translates directly into a smaller attack surface and fewer potential vulnerabilities. Additionally, the images ship with Software Bills of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) documents, which strengthen supply chain security by providing transparency into the software components present and whether known vulnerabilities in them are actually exploitable. The inclusion of SBOMs and VEX aligns with modern cybersecurity best practices and lets organizations assess and mitigate risk more accurately. This move by Docker is likely to accelerate the adoption of secure container practices across the industry. However, it is important to note that the full implications may depend on the specific implementation details and ongoing maintenance of these images.
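To illustrate how a VEX document changes what an SBOM-based scan reports, here is an added example (not Docker's code and not from the article) that applies OpenVEX-style statements to a scanner's findings. The finding list, the VEX document and the CVE identifiers (CVE-0000-000x) are constructed placeholders, and the statement layout is assumed to follow the OpenVEX JSON shape.

```python
"""Triage SBOM-derived vulnerability findings against a VEX document.

Constructed sample data only; the CVE ids are placeholders, not advisories.
"""
import json

# Constructed scanner output: one finding per (vulnerability, package URL).
SAMPLE_FINDINGS = [
    {"vuln": "CVE-0000-0001", "purl": "pkg:deb/debian/libexample@1.0-1"},
    {"vuln": "CVE-0000-0002", "purl": "pkg:deb/debian/libexample@1.0-1"},
    {"vuln": "CVE-0000-0003", "purl": "pkg:npm/otherlib@2.1.0"},
]

# Constructed VEX document using the OpenVEX statement shape (assumed layout).
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0-1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0-1"}],
         "status": "not_affected"},  # no justification given
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:npm/otherlib@2.1.0"}],
         "status": "under_investigation"},
    ],
})


def load_vex(doc: str) -> dict:
    """Index VEX statements by (vulnerability id, product purl)."""
    index = {}
    for st in json.loads(doc).get("statements", []):
        name = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            index[(name, prod["@id"])] = st
    return index


def triage(findings: list, vex_index: dict) -> list:
    """Return the findings that still need action after applying VEX.

    Policy: only 'fixed' or a justified 'not_affected' suppresses a finding;
    an unjustified 'not_affected' and 'under_investigation' stay actionable.
    """
    actionable = []
    for f in findings:
        st = vex_index.get((f["vuln"], f["purl"]))
        status = st.get("status") if st else None
        if status == "fixed":
            continue
        if status == "not_affected" and st.get("justification"):
            continue
        actionable.append({**f, "vex_status": status or "no_statement"})
    return actionable
```

Running `triage(SAMPLE_FINDINGS, load_vex(SAMPLE_VEX))` drops only the justified not_affected finding, leaving two that a reviewer must still look at.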