Update base images in `Dockerfile` with `dhi.io` #391

mathieu-benoit · 2025-12-17T19:29:18Z

Update base images in Dockerfile with dhi.io

As part of #376, we now also have access to https://www.docker.com/blog/docker-hardened-images-for-every-developer/.

Update Dockerfile with dhi.io images
Update ci-pr pipeline
Update release pipeline
Update Dependabot
DHI Policy added in Docker Scout: Valid Docker Hardened Image (DHI) or DHI base image
- A warning is still raised here, it's a known issue, to be fixed.
Document the differences between before, after (before, dhi-alpine / dhi-debian)

Note: We are moving from a final base image in gcr.io/distroless/static-debian13 to dhi.io/static. Even if there is the option to stay in debian with dhi.io/static, we have made the choice to go with alpine.

docker images

IMAGE                      ID             DISK USAGE   CONTENT SIZE   EXTRA
score-compose:before       14726389d9e2       23.7MB         6.57MB        
score-compose:dhi-alpine   1d71879f378c       22.1MB         6.28MB        
score-compose:dhi-debian   88de887602e0       24.4MB         6.58MB

docker scout compare --ignore-unchanged --to score-compose:before score-compose:dhi-debian

  ## Overview
  
                     │               Analyzed Image                │              Comparison Image               
  ───────────────────┼─────────────────────────────────────────────┼─────────────────────────────────────────────
   Target            │  score-compose:dhi-debian                   │  score-compose:before                       
     digest          │  189d708cc1a3                               │  ca925c739d0d                               
     tag             │  latest                                     │  latest                                     
     platform        │ linux/amd64                                 │ linux/amd64                                 
     provenance      │ https://github.com/score-spec/score-compose │ https://github.com/score-spec/score-compose 
                     │  663cba54f7d249d07701e68ab9e0319b775596d7   │  663cba54f7d249d07701e68ab9e0319b775596d7   
     vulnerabilities │    0C     0H     0M     0L                  │    0C     0H     0M     0L                  
                     │                                             │                                             
     size            │ 6.1 MB (-91 kB)                             │ 6.1 MB                                      
     packages        │ 54                                          │ 54                                          
                     │                                             │                                             
  
  
  ## Environment Variables
  
  
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
  
  
  
  ## Labels
  
  
    + com.docker.dhi.compliance=
    + com.docker.dhi.created=2025-08-28T21:16:12Z
    + com.docker.dhi.distro=debian-13
    + com.docker.dhi.name=dhi/static
    + com.docker.dhi.package-manager=
    + com.docker.dhi.shell=
    + com.docker.dhi.title=Static (Debian)
    + com.docker.dhi.url=https://hub.docker.com/hardened-images/dhi/static
    + com.docker.dhi.variant=runtime
    + com.docker.dhi.version=20250419-debian13
  
  
  
  ## Policies
  
  
  0 improved, 0 worsened, 1 missing data
  
    Policy                                       Analyzed   Comparison  Change             
  
    Default non-root user                        ✓          ✓                   No Change  
    No AGPL v3 licenses                          ✓          ✓                   No Change  
    No fixable critical or high vulnerabilities  ✓          ✓                   No Change  
    No high-profile vulnerabilities              ✓          ✓                   No Change  
    No outdated base images                      ? No data  ✓                              
    No unapproved base images                    ✓          ✓                   No Change  
    Supply chain attestations                    ✓          ✓                   No Change  
  
      View policy details → docker scout policy score-compose:dhi-debian
  
  
  ## Packages and Vulnerabilities
  
  
    +    2 packages added  
    -    2 packages removed  
    ⎌    3 packages changed (↑ 0 upgraded, ↓ 3 downgraded)  
        48 packages unchanged
  
  
  
  
     Package                              Type    Version                                  Compared Version  
  
  ↓  base-files                           deb     13.8                                     13.8+deb13u2      
  +  ca-certificates                      deb     20250419                                                   
  ↓  github.com/score-spec/score-compose  golang  0.0.0-20251222174410-663cba54f7d2+dirty  0.0.0             
  -  media-types                          deb                                              13.0.0            
  -  netbase                              deb                                              6.5               
  +  static                               docker  20250419-debian13                                          
  ↓  tzdata                               deb     2025b-4                                  2025b-4+deb13u1

docker scout compare --ignore-unchanged --to score-compose:before score-compose:dhi-alpine

  ## Overview
  
                     │               Analyzed Image                │              Comparison Image               
  ───────────────────┼─────────────────────────────────────────────┼─────────────────────────────────────────────
   Target            │  score-compose:dhi-alpine                   │  score-compose:before                       
     digest          │  e20d1815766d                               │  ca925c739d0d                               
     tag             │  latest                                     │  latest                                     
     platform        │ linux/amd64                                 │ linux/amd64                                 
     provenance      │ https://github.com/score-spec/score-compose │ https://github.com/score-spec/score-compose 
                     │  663cba54f7d249d07701e68ab9e0319b775596d7   │  663cba54f7d249d07701e68ab9e0319b775596d7   
     vulnerabilities │    0C     0H     0M     0L                  │    0C     0H     0M     0L                  
                     │                                             │                                             
     size            │ 5.8 MB (-368 kB)                            │ 6.1 MB                                      
     packages        │ 54                                          │ 54                                          
                     │                                             │                                             
  
  
  ## Environment Variables
  
  
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
  
  
  
  ## Labels
  
  
    + com.docker.dhi.chain-id=sha256:5fde31ef5f6366eb9a932bd1a1a24b143813f793b3fe398a9bb75195f65769a7
    + com.docker.dhi.compliance=cis
    + com.docker.dhi.created=2025-11-14T17:35:29Z
    + com.docker.dhi.definition=image/static/alpine/static
    + com.docker.dhi.distro=alpine-3.22
    + com.docker.dhi.flavor=
    + com.docker.dhi.name=dhi/static
    + com.docker.dhi.package-manager=
    + com.docker.dhi.shell=
    + com.docker.dhi.title=Static (Alpine)
    + com.docker.dhi.url=https://dhi.docker.com/catalog/static
    + com.docker.dhi.variant=runtime
    + com.docker.dhi.version=20250911-alpine3.22
  
  
  
  ## Policies
  
  
  0 improved, 0 worsened, 1 missing data
  
    Policy                                       Analyzed   Comparison  Change             
  
    Default non-root user                        ✓          ✓                   No Change  
    No AGPL v3 licenses                          ✓          ✓                   No Change  
    No fixable critical or high vulnerabilities  ✓          ✓                   No Change  
    No high-profile vulnerabilities              ✓          ✓                   No Change  
    No outdated base images                      ? No data  ✓                              
    No unapproved base images                    ✓          ✓                   No Change  
    Supply chain attestations                    ✓          ✓                   No Change  
  
      View policy details → docker scout policy score-compose:dhi-alpine
  
  
  ## Packages and Vulnerabilities
  
  
    +    4 packages added  
    -    4 packages removed  
    ⎌    1 packages changed (↑ 0 upgraded, ↓ 1 downgraded)  
        48 packages unchanged
  
  
  
  
     Package                              Type    Version                                  Compared Version  
  
  +  alpine-baselayout-data               apk     3.7.0-r0                                                   
  -  base-files                           deb                                              13.8+deb13u2      
  +  ca-certificates-bundle               apk     20250911-r0                                                
  ↓  github.com/score-spec/score-compose  golang  0.0.0-20251222174410-663cba54f7d2+dirty  0.0.0             
  -  media-types                          deb                                              13.0.0            
  -  netbase                              deb                                              6.5               
  +  static                               docker  20250911-alpine3.22                                        
  +  tzdata                               apk     2025c-r0                                                   
  -  tzdata                               deb                                              2025b-4+deb13u1

Signed-off-by: Mathieu Benoit <[email protected]>

Added Docker login step for Scout registry and updated CI workflow. Signed-off-by: Mathieu Benoit <[email protected]>

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit · 2025-12-22T16:55:32Z

DHI policy added in Docker Scout:

Signed-off-by: Mathieu Benoit <[email protected]>

github-actions · 2025-12-22T17:11:58Z

Overview

Image reference	`score-compose:latest`	`score-compose:latest`
- digest	`19b8b49575af`	`82f3d8f557e5`
- tag	`latest`	`latest`
- provenance	`4932e67`	`bf88c89`
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	6.1 MB	5.8 MB (-368 kB)
- packages	54	54

Labels (13 changes)

+ 13 added

+com.docker.dhi.chain-id=sha256:5fde31ef5f6366eb9a932bd1a1a24b143813f793b3fe398a9bb75195f65769a7
+com.docker.dhi.compliance=cis
+com.docker.dhi.created=2025-11-14T17:35:29Z
+com.docker.dhi.definition=image/static/alpine/static
+com.docker.dhi.distro=alpine-3.22
+com.docker.dhi.flavor=
+com.docker.dhi.name=dhi/static
+com.docker.dhi.package-manager=
+com.docker.dhi.shell=
+com.docker.dhi.title=Static (Alpine)
+com.docker.dhi.url=https://dhi.docker.com/catalog/static
+com.docker.dhi.variant=runtime
+com.docker.dhi.version=20250911-alpine3.22

Policies (1 improved, 0 worsened, 1 missing data)

Policy Name	`score-compose:latest`	`score-compose:latest`	Change	Standing
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	✅	✅		No Change
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
No unapproved base images	✅	✅		No Change
Supply chain attestations	✅	✅		No Change
Valid Docker Hardened Image (DHI) or DHI base image	⚠️ 2	⚠️ 1	-1	Improved

Packages and Vulnerabilities (9 package changes and 0 vulnerability changes)

➕ 4 packages added

➖ 4 packages removed

♾️ 1 packages changed

48 packages unchanged

Changes for packages of type apk (3 changes)

	Package	Version `score-compose:latest`
➕	alpine-baselayout-data	`3.7.0-r0`
➕	ca-certificates-bundle	`20250911-r0`
➕	tzdata	`2025c-r0`

Changes for packages of type deb (4 changes)

	Package	Version `score-compose:latest`
➖	base-files	`13.8+deb13u2`
➖	media-types	`13.0.0`
➖	netbase	`6.5`
➖	tzdata	`2025b-4+deb13u1`

Changes for packages of type docker (1 changes)

	Package	Version `score-compose:latest`	Version `score-compose:latest`
➕	static		`20250911-alpine3.22`

Changes for packages of type golang (1 changes)

	Package	Version `score-compose:latest`	Version `score-compose:latest`
♾️	github.com/score-spec/score-compose	`0.0.0`	`0.0.0-20251222174415-bf88c896c772+dirty`

Signed-off-by: Mathieu Benoit <[email protected]>

Update base images in Dockerfile with dhi.io

2256ec8

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit marked this pull request as draft December 17, 2025 19:29

mathieu-benoit added 6 commits December 17, 2025 14:35

registry: dhi.io

18ecd8e

Signed-off-by: Mathieu Benoit <[email protected]>

secrets.DOCKER_HUB_CI_

0109713

Signed-off-by: Mathieu Benoit <[email protected]>

DOCKER_HUB_USERNAME

0bc0e06

Signed-off-by: Mathieu Benoit <[email protected]>

Enhance CI workflow with Docker login for Scout

6c0b5f6

Added Docker login step for Scout registry and updated CI workflow. Signed-off-by: Mathieu Benoit <[email protected]>

Merge branch 'main' into dhi-io

c3277e0

Signed-off-by: Mathieu Benoit <[email protected]>

Merge branch 'main' into dhi-io

1f4b761

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit had a problem deploying to ci-pr December 18, 2025 14:35 — with GitHub Actions Failure

Update CI workflow configuration

869912b

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit temporarily deployed to ci-pr December 18, 2025 14:38 — with GitHub Actions Inactive

Merge branch 'main' into dhi-io

d957b19

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit temporarily deployed to ci-pr December 18, 2025 16:01 — with GitHub Actions Inactive

mathieu-benoit mentioned this pull request Dec 22, 2025

[feature request] Use the Docker’s Sponsored Open Source Program #376

Open

25 tasks

Merge branch 'main' into dhi-io

3e6a2c2

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit temporarily deployed to ci-pr December 22, 2025 16:44 — with GitHub Actions Inactive

score-spec deleted a comment from github-actions bot Dec 22, 2025

dependabot - docker-registry

aa42d0c

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit temporarily deployed to ci-pr December 22, 2025 17:09 — with GitHub Actions Inactive

Login to Docker Hardened Images (dhi.io)

663cba5

Signed-off-by: Mathieu Benoit <[email protected]>

mathieu-benoit temporarily deployed to ci-pr December 22, 2025 17:44 — with GitHub Actions Inactive

mathieu-benoit marked this pull request as ready for review December 22, 2025 18:17

mathieu-benoit merged commit e76f054 into main Dec 22, 2025
7 checks passed

mathieu-benoit deleted the dhi-io branch December 22, 2025 20:10

mathieu-benoit changed the title ~~Update base images in Dockerfile with dhi.io~~ Update base images in Dockerfile with dhi.io Dec 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update base images in `Dockerfile` with `dhi.io` #391

Update base images in `Dockerfile` with `dhi.io` #391

Uh oh!

mathieu-benoit commented Dec 17, 2025 •

edited

Loading

Uh oh!

mathieu-benoit commented Dec 22, 2025

Uh oh!

github-actions bot commented Dec 22, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Update base images in Dockerfile with dhi.io #391

Update base images in Dockerfile with dhi.io #391

Uh oh!

Conversation

mathieu-benoit commented Dec 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mathieu-benoit commented Dec 22, 2025

Uh oh!

github-actions bot commented Dec 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Overview

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Update base images in `Dockerfile` with `dhi.io` #391

Update base images in `Dockerfile` with `dhi.io` #391

mathieu-benoit commented Dec 17, 2025 •

edited

Loading

github-actions bot commented Dec 22, 2025 •

edited

Loading