Docker has made its entire catalog of more than 1,000 hardened container images available for free under an Apache 2.0 open source license, as the market for open source software security and supply chain security evolves.
Docker, which introduced Hardened Images in May, has multiple competitors that offer similar products. Hardened container images are minimal instances of container software that strip out most standard software packages, along with most known security vulnerabilities. The free catalog also includes hardened versions of Model Context Protocol servers used to link AI agents with tools and data sources.
Vendors including ActiveState, BellSoft, Broadcom, Cloudsmith, Echo, Lineaje, Minimus, RapidFort, Red Hat, Seal Security, SUSE and Wiz offer hardened images, as does the U.S. Air Force's Iron Bank. But Docker also specifically referenced Chainguard, which established the market for hardened images, and its recent $280 million funding round, in materials sent to press this week.
"Docker is forcing an industry security reset," according to an email sent by a Docker spokesperson. "With Docker’s scale, this move effectively raises the security baseline for millions of developers and puts real pressure on vendors who have been selling hardening as their core business."
Docker's email linked directly to a report about Chainguard funding in the part of the sentence that read "pressure on vendors who have been selling hardening as their core business."
In an interview with Informa TechTarget, Docker VP of product Michael Donovan added that the proliferation of vendors selling hardened container images has also created confusion in the market. Docker touts its approach of building hardened images from existing Linux distributions Debian and Alpine, which it claims enables easier adoption with no changes to existing workflows.
"Our approach has been to create the most seamless way to migrate to hardened images," Donovan said. "That's why our catalog has compatibility with multiple [Linux] distros. That's the standard that needs to be set for the industry."
Chainguard also offers a free tier for its Chainguard Images, but Donovan critiqued its approach of offering only the latest version of images for free, which he called "the first anti-pattern in any secure deployment."
Donovan also cited a change to Chainguard's free tier in August that reduced the number of images available free of charge, describing the change as "a rug-pull" for customers.
Docker Hardened Images previously required an add-on subscription, pricing for which was never publicly disclosed. Docker Hardened Images now have two new paid tiers.
Docker Hardened Images Enterprise includes a service-level agreement that critical CVEs will be remediated in less than seven days, with same-day fixes on the roadmap. The paid version also includes support for image customization and images that comply with specific standards and regulations such as Federal Information Processing Standards, the U.S. Department of Defense's Secure Technical Implementation Guide, Payment Card Industry Data Security Standard, and Center for Internet Security benchmarks...
Another add-on service, Extended Lifecycle Support, offers CVE remediation and patching for hardened images five years past their upstream end-of-life date. Pricing for Docker Hardened Images Enterprise and Extended Lifecycle Support is also not publicly available.
Donovan said the demand for Docker Hardened Images has been strong since the May launch, and named Adobe, Attentive and Bell Canada as early users. He declined to disclose the total number of customers Docker has for Hardened Images.
Chainguard and industry analysts react to Docker news
Chainguard founder and CEO Dan Lorenc responded to Docker's critique of its free tier change, stating that the most commonly used hardened images remain free for Chainguard customers. Additionally, the company has updated its subscription terms to include its full catalog. Lorenc also disagreed with Donovan's characterization of using the latest image version, saying, "It's actually security best practice for people to be updated to the latest version." Chainguard also supports older versions of images as part of its paid product.
Lorenc argued that Chainguard's built-from-scratch images are more secure than "mixing and matching components of other images," in contrast to Docker Hardened Images being based on Debian and Alpine.
"If I were a user, I'd be pretty cautious about this from Docker," Lorenc added. "Its business model is [based on] the Docker Desktop client that it gave away for free for years and then started charging for."
One industry analyst said any effort to make software supply chain security practices easier to adopt is a welcome development.
"By making a large collection of images free, Docker removes many of the barriers that limit how easily developers can explore or evaluate hardened images," said Katie Norton, an analyst at IDC. "Wider exposure to these artifacts creates more opportunities for teams to understand what a hardened image looks like in practice and how it might fit into their workflows."
Hardened container images tend to be low on the priority list for enterprises when it comes to software supply chain security, according to IDC research. The IDC DevSecOps and Software Supply Chain Security Survey of 511 respondents in July 2025 found that 8.8% of respondents said hardened container images and trusted open source software were among their top three spending priorities for application and software supply chain security in the next 12 months.
Another analyst questioned the timing of Docker's move.
"While the free on-ramp is interesting, especially if you are a developer using Docker Desktop, why did they not do that when they released this capability earlier this year?" said Jason Andersen, an analyst at Moor Insights & Strategy.
Donovan said during this week's interview that Docker was focused on expanding its hardened image catalog before making a revision to pricing.
"It was always our intention to do this," Donovan said.
Chainguard expands open source security support
Chainguard also launched a new service this week called EmeritOSS, which provides a secure home for mature and deprecated open source projects. It starts with Kaniko, a Google tool that builds container images from a Dockerfile; Kubeapps, a web-based UI for launching applications on Kubernetes originally developed by VMware; and ingress-nginx, a reverse proxy for Kubernetes that has been deprecated in favor of the Kubernetes Ingress API. The EmeritOSS program will fork each of these projects and continue to build and patch them while operations teams that depend on them plan migrations to other tools.
Chainguard has created similar forks for customers in about a dozen cases so far, Lorenc said.
"In some of these cases, we maintain the fork long-term," he said. "In other cases, we've just done it for two or three months until a new community version appears. … Our customers just kind of get to ignore all of this mess that's happening behind the scenes. Now, with the advanced automation we have, we're going to try to see how far we can scale this."
EmeritOSS forks will be available for free in source form on GitHub; organizations that want continuous maintenance on these projects must use the commercial distribution, according to a Chainguard blog post. Chainguard also does not publish specific pricing numbers.
IDC's Norton noted that Chainguard has already begun to diversify beyond hardened container images with the addition of Chainguard Libraries and Chainguard VMs earlier this year.
"At the same time, as more vendors enter the market, pricing continues to be a headwind that Chainguard must navigate, making competitive differentiation increasingly important in a market that is both expanding and becoming more crowded," she said.
Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps.