From 2f6af4a6c2cc2b6ff61244a625be1da24e8ba2fc Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Wed, 5 Nov 2025 09:19:56 -0800 Subject: [PATCH] dhi: add auto build info for customization (#23651) ## Description Added when customized images are rebuilt based on https://www.docker.com/blog/the-next-evolution-of-docker-hardened-images Updated topics: - https://deploy-preview-23651--docsdocker.netlify.app/dhi/how-to/customize/ - https://deploy-preview-23651--docsdocker.netlify.app/dhi/features/patching/#automatic-patching-for-customized-images ## Related issues or tickets [ENGDOCS-3098](https://docker.atlassian.net/browse/ENGDOCS-3098) https://docker.slack.com/archives/C04M34MRQS1/p1762150009971479?thread_ts=1762149292.279889&cid=C04M34MRQS1 ## Reviews - [ ] Editorial review - [ ] Product review [ENGDOCS-3098]: https://docker.atlassian.net/browse/ENGDOCS-3098?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ Signed-off-by: Craig Osterhout --- content/manuals/dhi/features/patching.md | 13 ++++++++++++- content/manuals/dhi/how-to/customize.md | 16 ++++++++++++---- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/content/manuals/dhi/features/patching.md b/content/manuals/dhi/features/patching.md index 5c49fe74ce..16a254b0ba 100644 --- a/content/manuals/dhi/features/patching.md +++ b/content/manuals/dhi/features/patching.md 
@@ -39,4 +39,15 @@ Docker Hardened Images are automatically rebuilt and tested. Updated images are published with cryptographic provenance attestations to support verification and compliance workflows. This automated process reduces the operational burden of manual patching and helps teams stay aligned with -secure software development practices. \ No newline at end of file +secure software development practices. + +## Automatic patching for customized images + +When you [customize a Docker Hardened Image](../how-to/customize.md), your +customized images also benefit from automatic patching. When the base Docker +Hardened Image receives a security update, Docker automatically rebuilds your +customized images in the background, ensuring they stay current with the latest +security patches without requiring manual intervention. + +This means your customizations maintain continuous compliance and protection by +default, with no additional operational overhead. \ No newline at end of file diff --git a/content/manuals/dhi/how-to/customize.md b/content/manuals/dhi/how-to/customize.md index 300df87343..04dbb68f10 100644 --- a/content/manuals/dhi/how-to/customize.md +++ b/content/manuals/dhi/how-to/customize.md 
@@ -8,16 +8,24 @@ description: Learn how to customize a Docker Hardened Images (DHI). You can customize a Docker Hardened Image (DHI) to suit your specific needs using the Docker Hub UI. This allows you to select a base image, add packages, -add artifacts, and configure settings. In addition, the build pipeline ensures that -your customized image is built securely and includes attestations. +add OCI artifacts (such as custom certificates or additional tools), and +configure settings. In addition, the build pipeline ensures that your customized +image is built securely and includes attestations. + +Your customized images stay secure automatically. When the base Docker Hardened +Image receives a security patch or your OCI artifacts are updated, Docker +automatically rebuilds your customized images in the background. This ensures +continuous compliance and protection by default, with no manual work required. +The rebuilt images are signed and attested to the same SLSA Build Level 3 +standard as the base images, ensuring a secure and verifiable supply chain. + +## Customize a Docker Hardened Image To add a customized Docker Hardened Image to your organization, an organization owner must first [mirror](./mirror.md) the DHI repository to your organization. Once the repository is mirrored, any user with access to the mirrored DHI repository can create a customized image. -## Customize a Docker Hardened Image - To customize a Docker Hardened Image, follow these steps: 1. Sign in to [Docker Hub](https://hub.docker.com).
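Review bot: (patching.md hunk `@@ -39,4 +39,15 @@`) The sentence "ensuring they stay current with the latest security patches without requiring manual intervention" overstates what a background rebuild delivers to consumers: a rebuilt image has a new digest, so any Dockerfile, deployment manifest or admission policy that pins the customized image by digest keeps running the old image until someone updates the reference. Suggest adding a sentence along the lines of "Workloads that reference the image by digest must be updated to the new digest to pick up the rebuild" and stating whether the rebuild is published under the same tag. This hunk also names only a base-image security update as the rebuild trigger, while the customize.md hunk in the same patch adds "or your OCI artifacts are updated"; the two pages should list the same triggers. Minor: the file still ends with "\ No newline at end of file"; since the last line is rewritten anyway, add the trailing newline.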
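Review bot: (customize.md hunk `@@ -8,16 +8,24 @@`) The new paragraph asserts that rebuilt images are "signed and attested to the same SLSA Build Level 3 standard as the base images" but gives the reader no way to confirm it; since the preceding paragraph already says the pipeline "includes attestations", point to the verification step so a team can check that a background rebuild carries fresh provenance rather than taking it on trust, e.g. "Verify a rebuilt image's provenance the same way as any DHI" with a link to the attestation docs. The trigger "or your OCI artifacts are updated" also needs a definition of "updated" (a new tag, a changed digest behind a tag, or both), because an automatic rebuild on artifact change means any change at the artifact source flows into the hardened image without a human in the loop; a sentence on what is re-verified during the rebuild would close that gap. Nit in the unchanged context line `description: Learn how to customize a Docker Hardened Images (DHI).`: "a Docker Hardened Images" should read "a Docker Hardened Image".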