Feedback on Docker Hardened Images: authentication requirement and debug support

[palemoky]

Docker Hardened Images are now free and available to all users, which is great news. They solve several long-standing pain points for me, especially running as non-root by default, reducing image size, and improving security posture overall.

After starting to use DHI more seriously, I ran into two issues that I’d like to get feedback on from the Docker team. I’m not sure whether these are expected design decisions or just current limitations.

1. Authentication is still required to pull DHI images

Even though Docker Hardened Images are now free and publicly available, pulling them still requires logging in.

This becomes inconvenient during image builds, especially in CI environments like GitHub Actions, where additional authentication steps are required. For many open-source or public projects, this extra friction may discourage adoption of DHI.

Is this authentication requirement intentional, and is there any plan to allow unauthenticated pulls for regular users in the future?

2. docker debug is only supported in Docker Desktop

According to the documentation, the docker debug command is currently only supported in Docker Desktop, but not in Docker Engine.

This makes debugging Hardened Images difficult in common environments such as:

• CI/CD pipelines
• Servers
• Kubernetes clusters

These environments typically do not run Docker Desktop. As a result, debugging DHI in real-world production-like setups becomes quite inconvenient.

Is there any plan to support docker debug, or an alternative debugging workflow, directly in Docker Engine?

Overall, Docker Hardened Images are a great addition, and I’d love to adopt them more broadly. These two points are the main blockers I’ve encountered so far, so I wanted to share this feedback and better understand the current design direction.

Thanks!

[danielgraycode]

+1 on allowing unauthenticated pulls

[cdupuis]

@palemoky, thanks for taking the time to put this feedback here. Really appreciate it. Let me respond to your questions.

Authentication Requirements

You’re right that authentication is currently required to pull DHIs. It's important to differentiate DHI OSS from Hub which is a service Docker runs. Authentication is required to pull from Hub in order to prevent abuse and better improve the experience over time.

As an open source contributor and consumer for over two decades, I understand that this might cause friction. We are actively working on mitigating the login friction. Today it's very easy to create an account at https://app.docker.com/signup, even using your Google or GitHub accounts.

We are also adding OIDC-based login for GitHub and other CI providers. Timeline TBD but coming soon.

Debugging DHI

Like with any other hardened, shell-less container image, debugging a running DHI might be challenging as you point out.

We provide several options to mitigate this:

• Each DHI will eventually come with a -dev variant which contains a shell and package manager for debugging purposes
• With the upcoming DHI builder, you can add required debugging tools to each DHI yourself
• @LaurentGoderre added an type=image mount feature to Docker Engine that allows you to mount tools into a DHI for further debugging:

$ docker run --rm -it -u 0:0 --mount type=image,source=busybox:uclibc,target=/busybox --entrypoint /busybox/bin/sh dhi.io/python:3.13
WARNING: Image mount is an experimental feature
~ #

• Docker made docker debug free with Docker Desktop release 4.49.0 in Oct 2025 (https://docs.docker.com/desktop/release-notes/#4490), recognising the importance of debugging hardened containers. We're also evaluating adding the functionality outside of DD.

Hope this helps.

cd

[pascalgulikers]

@cdupuis We would like to adopt the free DHIs in our CI/CD workflows (GitHub Actions), what should we do? Because probably we'll need to run docker login dhi.io in our workflow, but with which credentials? (we should not use personal tokens)
We're having a Docker Business account though, any thoughts? I tried to add a mirror repository there, but it seems that mirroring is not an option there

[mathiasror]

@cdupuis are there any updates regarding OIDC-based login for GitHub?

[86dd]

Hey, I kinda don't get the point why you need to authenticate to pull the free images.
Adding other OIDC logins isn't really gonna get rid of this issue.
I don't feel like signing up for a docker account just to pull images and this can be really annoying in ci/cd pipelines.