From f5ead437dde8afdee23f9209c6d69da46f0ef772 Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Mon, 3 Nov 2025 11:12:54 -0800 Subject: [PATCH] dhi: add auto build info for customization Signed-off-by: Craig Osterhout --- content/manuals/dhi/features/patching.md | 13 ++++++++++++- content/manuals/dhi/how-to/customize.md | 16 ++++++++++++---- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/content/manuals/dhi/features/patching.md b/content/manuals/dhi/features/patching.md index 5c49fe74ce02..16a254b0ba0d 100644 --- a/content/manuals/dhi/features/patching.md +++ b/content/manuals/dhi/features/patching.md @@ -39,4 +39,15 @@ Docker Hardened Images are automatically rebuilt and tested. Updated images are published with cryptographic provenance attestations to support verification and compliance workflows. This automated process reduces the operational burden of manual patching and helps teams stay aligned with -secure software development practices. \ No newline at end of file +secure software development practices. + +## Automatic patching for customized images + +When you [customize a Docker Hardened Image](../how-to/customize.md), your +customized images also benefit from automatic patching. When the base Docker +Hardened Image receives a security update, Docker automatically rebuilds your +customized images in the background, ensuring they stay current with the latest +security patches without requiring manual intervention. + +This means your customizations maintain continuous compliance and protection by +default, with no additional operational overhead. \ No newline at end of file diff --git a/content/manuals/dhi/how-to/customize.md b/content/manuals/dhi/how-to/customize.md index 300df8734316..04dbb68f1020 100644 --- a/content/manuals/dhi/how-to/customize.md +++ b/content/manuals/dhi/how-to/customize.md 
@@ -8,16 +8,24 @@ description: Learn how to customize a Docker Hardened Images (DHI). You can customize a Docker Hardened Image (DHI) to suit your specific needs using the Docker Hub UI. This allows you to select a base image, add packages, -add artifacts, and configure settings. In addition, the build pipeline ensures that -your customized image is built securely and includes attestations. +add OCI artifacts (such as custom certificates or additional tools), and +configure settings. In addition, the build pipeline ensures that your customized +image is built securely and includes attestations. + +Your customized images stay secure automatically. When the base Docker Hardened +Image receives a security patch or your OCI artifacts are updated, Docker +automatically rebuilds your customized images in the background. This ensures +continuous compliance and protection by default, with no manual work required. +The rebuilt images are signed and attested to the same SLSA Build Level 3 +standard as the base images, ensuring a secure and verifiable supply chain. + +## Customize a Docker Hardened Image To add a customized Docker Hardened Image to your organization, an organization owner must first [mirror](./mirror.md) the DHI repository to your organization. Once the repository is mirrored, any user with access to the mirrored DHI repository can create a customized image. -## Customize a Docker Hardened Image - To customize a Docker Hardened Image, follow these steps: 1. Sign in to [Docker Hub](https://hub.docker.com).
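Review bot: In the patching.md hunk, the new "Automatic patching for customized images" section names only a base-image security update as the rebuild trigger, while the customize.md text in this same patch also lists updated OCI artifacts. The two pages should agree: either add the OCI artifact trigger here or link to customize.md for the full list. The closing sentence "your customizations maintain continuous compliance and protection by default, with no additional operational overhead" reads as a guarantee, yet the section does not say whether the reader still has to pull or redeploy the rebuilt image, or whether the rebuild is signed and attested as customize.md states. Suggest adding one sentence on each. The hunk fixes the missing trailing newline after "secure software development practices." but the new last line again ends with "\ No newline at end of file".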
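Review bot: In the customize.md hunk, the new paragraph opens with "Your customized images stay secure automatically", which claims more than the sentences after it support. They describe a rebuild when the base image receives a security patch or when OCI artifacts are updated, and do not say whether packages added during customization are refreshed or how a consumer learns that a rebuild happened. Suggest rewording the opener around what is rebuilt and when, and linking the "signed and attested to the same SLSA Build Level 3 standard" sentence to the page that shows how to verify those attestations, so the claim is checkable by the reader. Moving "## Customize a Docker Hardened Image" above the mirroring paragraph places the prerequisite under the how-to heading; confirm that existing links to that heading's anchor still land where intended.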