Unacceptable authentication practices

[mathiasror]

I was quite excited when it was announced that DHI now would be free, but that excitement quickly turned into disappointment and huge frustration.

It is essentially unusable in a professional setting. Having personal access tokens in a company CI/CD pipeline is a potential security risk and not acceptable. The only way of obtaining a non-personal token is through a Docker Team subscription, which isn't free. This is immensely disappointing, because something like DHI is exactly what I am looking for.

In the announcement it is claimed that "DHI now gives the world a secure, minimal, production-ready foundation from the very first pull", but if you cannot obtain the images in any other way than using a personal access token, it is most definitely not production ready.

[tommad]

I absolutely agree. This is incredibly frustrating.

[cdupuis]

Thanks for raising this concern – I understand the frustration around authentication requirements for CI/CD pipelines.

I'd like to clarify a few points that might help:

The DHI images are free to use. There's no cost associated with pulling or using the images themselves in your environments.

You have several options for accessing them if you can't use a PAT:

• Mirror the images – You can pull the DHI images and mirror them into your own private registry or infrastructure, then reference them from there in your CI/CD pipelines. This gives you full control over access and distribution within your organization.
• Build from source – All DHI images can now be built from source. You can clone the repositories and build the images yourself, giving you complete control over the build process and eliminating the need for authentication entirely.
• Use an organizational access token – For organizations that prefer to pull directly from dhi.io in CI/CD, you can sign up for a Docker Team subscription (currently $16/month per seat) to obtain organizational access tokens designed for company CI/CD environments.

We're also actively working on OIDC support, which will provide additional authentication options for automated workflows in the future.

I hope one of these options works for your setup. If you have questions about mirroring or building from source, please let me know!

cd

[jackdesert]

All DHI images can now be built from source. You can clone the repositories and build the images yourself, giving you complete control over the build process and eliminating the need for authentication entirely.

How to get started building a DHI image from source?

I cloned https://github.com/docker-hardened-images/catalog . The accompanying README says the repo contains the definitions required for building. But when it gets to the Getting Started section it says to pull from pre-built images from Docker's registry.

[mathiasror]

As far as I know, there is currently no way of building the images without authenticating against dhi.io and pulling the build image.

Instructions are available here. Don't think there's any actual sources publicly available yet, just the definitions.