Goal
Adopt Docker Hardened Images as base images for service containers.
Docker Hardened Images use a distroless runtime that reduces CVEs by up to 95% compared to standard community images. Every image ships with:
- Complete and verifiable SBOM
- SLSA Build Level 3 provenance
- Cryptographic proof of authenticity
- Transparent public CVE data
They are free and Apache 2.0 licensed.
Required changes
- Identify DHI equivalents for current base images (e.g. Bun runtime).
- Update the final-stage `FROM` in both Dockerfiles to use DHI bases.
- Parameterise the base image in `docker-bake.hcl` if needed.
- Verify services start and pass smoke flow on the new images.
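As an added illustration of the change above (not code from this repository), a multi-stage Dockerfile whose final stage builds on a DHI base passed in as a build argument, so `docker-bake.hcl` can set it via `args` without touching the Dockerfile. `<dhi-registry>/bun:<tag>` is a placeholder for the actual DHI Bun runtime reference, and the numeric non-root UID is an assumption.

```dockerfile
# syntax=docker/dockerfile:1

# Build stage: a full toolchain is fine here because this layer never ships.
ARG BUILD_IMAGE=oven/bun:1
# Final-stage base. Placeholder: replace with the DHI Bun runtime reference
# from the DHI catalogue, or override from docker-bake.hcl via args.
ARG DHI_BASE=<dhi-registry>/bun:<tag>

FROM ${BUILD_IMAGE} AS build
WORKDIR /app
COPY package.json bun.lock* ./
# Install only production dependencies so dev tooling never reaches the runtime layer.
RUN bun install --frozen-lockfile --production
COPY . .

FROM ${DHI_BASE} AS runtime
WORKDIR /app
# Copy only the application tree: no shell, no package manager is added to this layer.
# Assumption: the DHI runtime provides a non-root account; a numeric UID avoids
# depending on its name.
COPY --from=build --chown=65532:65532 /app /app
# DHI runtime images already default to non-root; stating it keeps the intent reviewable.
USER 65532:65532
EXPOSE 3000
# Exec form: no shell is needed (or present) to launch the service.
CMD ["bun", "run", "src/index.ts"]
```

Validation of the acceptance criteria can then be scripted against the built image: `docker inspect --format '{{.Config.User}}'` should report the non-root UID, and `docker run --rm --entrypoint /bin/sh <image> -c true` should fail because no shell exists in the final layer.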
Files to change
services/attestation/Dockerfile
services/topup/Dockerfile
docker-bake.hcl (if base image is parameterised)
Acceptance criteria
- Final-stage image uses a Docker Hardened Image base.
- No shell or package manager in production image.
- Image runs as non-root.
- Existing `bun run docker:build` workflow remains unchanged.
Validation
- Build images and verify services start and pass smoke flow.
- Compare image size before/after.
- Confirm minimal binary set in final layer.
Non-goals
- No CI image-scanning pipeline in this issue.
- No runtime security policy (seccomp/AppArmor) changes.