Making the Most of Your Docker Hardened Images Enterprise Trial - Part 2

Verifying Security and Compliance of Docker Hardened Images

In Part 1 of this series, we migrated a Node.js service to Docker Hardened Images (DHI) and measured impressive results: 100% vulnerability elimination, 90% package reduction, and 41.5% size decrease. We extracted the SBOM and saw compliance labels for FIPS, STIG, and CIS.

The numbers look compelling. But how do you verify these claims independently?

Security tools earn trust through verification, not promises. When evaluating a security product for production, you need cryptographic proof, not a vendor's description. This is especially true for images that form the foundation of every container you deploy.

This post walks through the verification process: signature validation, provenance analysis, compliance evidence examination, and SBOM analysis. We'll focus on practical verification you can run during your trial, with links to the official DHI documentation for deeper technical details. By the end, you'll have independently confirmed DHI's security posture and built confidence for a production scenario.

Understanding Security Attestations available with Docker Hardened Images

Before diving into verification, you need to understand what you’re verifying.

Docker Hardened Images include attestations: cryptographically signed metadata about the image's build process, contents, and compliance posture. Each attestation is a signed statement bound to a specific image digest, so it can be verified independently of whoever published it.

Important: Even if you have pulled the image locally, use the registry:// prefix when working with attestations. This tells Docker Scout to fetch the attestations from the registry, where they are stored alongside the image, rather than looking only in the local image cache, which does not contain them.

List all attestations for your hardened image:

docker scout attestation list registry://<your-org-namespace>/dhi-node:24.11-debian13-fips

This shows 16 different attestation types:

https://slsa.dev/provenance/v0.2            SLSA provenance
https://docker.com/dhi/fips/v0.1            FIPS compliance
https://docker.com/dhi/stig/v0.1            STIG scan
https://cyclonedx.org/bom/v1.6              CycloneDX SBOM
https://spdx.dev/Document                   SPDX SBOM
https://scout.docker.com/vulnerabilities    Scout vulnerabilities
https://scout.docker.com/secrets/v0.1       Scout secret scan
https://scout.docker.com/virus/v0.1         Scout virus/malware
https://scout.docker.com/tests/v0.1         Scout test report
https://openvex.dev/ns/v0.2.0               OpenVEX
...


Each attestation is a JSON document describing a specific aspect of the image. The most critical attestations for verification:
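Before trusting what any single attestation says, it is worth checking three structural properties of the statement you fetched: that it really is an attestation statement and not an arbitrary JSON blob, that its predicate type is the one you asked for, and that its subject digest is the digest of the image you actually run (so a statement about a sibling tag cannot be replayed against yours). The script below is an added example, not code from the original post or from Docker. It assumes the payload you extracted from the registry with the Docker Scout CLI is an in-toto Statement in JSON form; the image name, the digests, and the predicate bodies are constructed for the example, and the signature over the statement is left to Docker Scout and not re-implemented here.

```python
"""Structural checks on Docker Hardened Image attestation statements.

Added example (not Docker's code). Assumes each payload is an in-toto
Statement as JSON; digests, image name and predicate bodies below are
constructed for the example and do not reproduce real DHI output.
"""
import hashlib
import json

# Predicate types exactly as printed by `docker scout attestation list` above.
PREDICATE_LABELS = {
    "https://slsa.dev/provenance/v0.2": "SLSA provenance",
    "https://docker.com/dhi/fips/v0.1": "FIPS compliance",
    "https://docker.com/dhi/stig/v0.1": "STIG scan",
    "https://cyclonedx.org/bom/v1.6": "CycloneDX SBOM",
    "https://spdx.dev/Document": "SPDX SBOM",
    "https://scout.docker.com/vulnerabilities": "Scout vulnerabilities",
    "https://scout.docker.com/secrets/v0.1": "Scout secret scan",
    "https://scout.docker.com/virus/v0.1": "Scout virus/malware",
    "https://scout.docker.com/tests/v0.1": "Scout test report",
    "https://openvex.dev/ns/v0.2.0": "OpenVEX",
}

STATEMENT_TYPES = ("https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1")

# Constructed: stands in for the digest the registry reports for your image.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed dhi-node manifest").hexdigest()
OTHER_DIGEST = "sha256:" + hashlib.sha256(b"constructed sibling tag manifest").hexdigest()


def constructed_statement(predicate_type: str, digest: str, predicate: dict) -> str:
    """Build a JSON-encoded in-toto Statement for the example (constructed input)."""
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "docker.io/example/dhi-node",
                     "digest": {"sha256": digest.split(":", 1)[1]}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    })


class AttestationError(ValueError):
    """Raised when a statement must not be trusted for this image."""


def subject_matches(stmt: dict, image_digest: str) -> bool:
    """True if any subject of the statement carries the image digest."""
    algo, _, hexdigest = image_digest.partition(":")
    return any(s.get("digest", {}).get(algo) == hexdigest for s in stmt.get("subject", []))


def check_statement(raw_json: str, image_digest: str, predicate_type: str) -> dict:
    """Parse an in-toto Statement and return its predicate, or raise AttestationError.

    Rejects anything that is not a Statement, a statement of a different
    predicate type than requested, or a statement whose subject is another image.
    """
    stmt = json.loads(raw_json)
    if stmt.get("_type") not in STATEMENT_TYPES:
        raise AttestationError(f"not an in-toto Statement: {stmt.get('_type')!r}")
    if stmt.get("predicateType") != predicate_type:
        raise AttestationError(
            f"predicateType {stmt.get('predicateType')!r} != expected {predicate_type!r}")
    if not subject_matches(stmt, image_digest):
        raise AttestationError("no subject matches the image digest; statement is for another image")
    return stmt["predicate"]


def triage(raw_statements: list, image_digest: str) -> dict:
    """Map each statement's predicateType to 'bound', 'wrong-image' or 'malformed'.

    'bound' means the statement is a well-formed Statement about this exact
    image digest; only those are worth reading further.
    """
    report = {}
    for raw in raw_statements:
        stmt = json.loads(raw)
        ptype = stmt.get("predicateType", "<missing>")
        if stmt.get("_type") not in STATEMENT_TYPES:
            report[ptype] = "malformed"
        elif not subject_matches(stmt, image_digest):
            report[ptype] = "wrong-image"
        else:
            report[ptype] = "bound"
    return report


# Constructed sample payloads: two bound to IMAGE_DIGEST, one for a sibling tag.
SAMPLE_STATEMENTS = [
    constructed_statement("https://slsa.dev/provenance/v0.2", IMAGE_DIGEST,
                          {"builder": {"id": "https://example.invalid/dhi-builder"}}),
    constructed_statement("https://docker.com/dhi/fips/v0.1", IMAGE_DIGEST,
                          {"note": "constructed predicate body"}),
    constructed_statement("https://cyclonedx.org/bom/v1.6", OTHER_DIGEST,
                          {"bomFormat": "CycloneDX"}),
]

if __name__ == "__main__":
    for ptype, status in triage(SAMPLE_STATEMENTS, IMAGE_DIGEST).items():
        print(f"{PREDICATE_LABELS.get(ptype, ptype):24} {status}")
```

Run it against a real payload by replacing the constructed strings with the predicate-bearing statement you saved from the registry and the digest reported for the image you deploy; any statement that comes back as wrong-image is evidence about a different artifact, however convincing its contents look.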
