
Escaping Docker Hub

For years, Docker Hub has been the default source of container images and also a major source of risk.
Anyone can publish an image, and millions of developers pull them every day without verifying what’s inside. As recent supply chain incidents have shown, one compromised image can lead to production breaches, data leaks, or cryptominer infections.

If you’ve ever asked yourself, “where can I get images I can actually trust?” — this article is for you.

The Problem With Docker Hub

Docker Hub is convenient, but convenience comes with trade-offs:

  • No strong identity: anyone can publish under a new namespace.
  • No guaranteed signatures or provenance.
  • Tag reuse: the same tag (like latest) can silently change content.
  • Many abandoned or outdated images.

In short: Docker Hub is great for exploration, but risky as a production dependency.

What “Trusted” Really Means

When we say an image is “trusted,” we’re talking about a few key things:

  • Signed — you can verify who built it and that it hasn’t been modified.
  • Scanned — for vulnerabilities and patched regularly.
  • Reproducible — ideally built from source with transparent tooling.
  • Minimal — fewer packages and binaries means fewer attack surfaces.
  • Immutable — tags don’t silently change under you.

Below is a curated list of real alternatives where you can safely pull base images for your projects.

1. Chainguard Images: Security by Design

🔗 https://images.chainguard.dev

Chainguard is redefining container trust. Every image is built from source, signed with Sigstore, and comes with a Software Bill of Materials (SBOM) and SLSA Level 3 provenance.

  • Fully reproducible builds.
  • Rebuilt and patched daily.
  • Minimal images (no shell, no package manager).
  • Built on Wolfi, a purpose-built distro for containers.

Example:

docker pull cgr.dev/chainguard/python

If you want “zero-trust” foundations, this is the gold standard.

2. Google Distroless Images

🔗 gcr.io/distroless/ or ghcr.io/distroless/

Google’s Distroless images strip out everything that’s not absolutely required to run your app — no shell, no package manager, no extra binaries.

They’re ideal for production: small, signed, and extremely stable.

Example:

docker pull gcr.io/distroless/base-debian12

3. Red Hat Universal Base Images (UBI)

🔗 registry.access.redhat.com/ubi8/...

Red Hat’s UBI images are enterprise-grade and freely redistributable — you don’t need a RHEL subscription to use them.

  • CVE scanning and patch management by Red Hat.
  • Signed and verified through their infrastructure.
  • Ideal if your stack already touches Red Hat or OpenShift.

Example:

docker pull registry.access.redhat.com/ubi8/ubi

4. Canonical (Ubuntu) Images

🔗 public.ecr.aws/ubuntu/ubuntu

Canonical’s official Ubuntu images are now mirrored on AWS ECR and signed with their GPG keys.

Example:

docker pull public.ecr.aws/ubuntu/ubuntu:24.04

They’re a good middle ground between convenience and verifiable trust.


Best Practices for Image Trust

Even when pulling from a “trusted” registry:

  1. Pin by digest, not by tag:
     FROM cgr.dev/chainguard/python@sha256:abc123...
     This ensures the image you build today is the one you deploy tomorrow.
  2. Verify signatures with cosign:
     cosign verify cgr.dev/chainguard/python
     With cosign 2.x, keyless verification also expects --certificate-identity and --certificate-oidc-issuer (or their -regexp variants) so that you check who signed the image, not merely that some valid signature exists.
  3. Run vulnerability scans using tools like Trivy or Grype.
  4. Use SBOMs for full visibility into what’s inside your images.
  5. Limit base image sources — whitelist only trusted registries.
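Practices 1 and 5 can be enforced mechanically before an image is ever pulled. The following is an added example, not code from the article: a small Python lint for Dockerfile FROM lines that flags base images not pinned by digest or taken from a registry outside an allow-list. The allow-list is assumed to be the registries named above, and the sample Dockerfile (with its all-zero placeholder digest) is constructed for the demonstration.

```python
"""Lint Dockerfile FROM lines: base image from an allow-listed registry, pinned by digest."""
import re

# Registries the article lists as trusted sources; docker.io is deliberately absent.
TRUSTED_REGISTRIES = {"cgr.dev", "gcr.io", "registry.access.redhat.com", "public.ecr.aws"}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def registry_of(ref: str) -> str:
    """Registry part of an image reference; Docker's default (no host in the
    first path segment, i.e. no '.' or ':' and not 'localhost') is docker.io."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def lint_dockerfile(text: str) -> list[str]:
    """Return one finding per violation; an empty list means the file is clean."""
    findings, stages = [], set()  # stages: aliases from earlier FROM ... AS lines
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages:  # 'FROM builder' reuses a stage, it pulls nothing
            continue
        reg = registry_of(ref)
        if reg not in TRUSTED_REGISTRIES:
            findings.append(f"line {lineno}: {ref} comes from untrusted registry {reg}")
        if not DIGEST_RE.search(ref):
            findings.append(f"line {lineno}: {ref} is not pinned by digest")
    return findings

# Constructed sample Dockerfile; the all-zero digest is a placeholder, not a real one.
SAMPLE = (
    "FROM python:3.12 AS builder\n"
    "FROM --platform=linux/amd64 cgr.dev/chainguard/python:latest\n"
    "FROM gcr.io/distroless/base-debian12@sha256:" + "0" * 64 + "\n"
    "FROM builder\n"
)

if __name__ == "__main__":
    print("\n".join(lint_dockerfile(SAMPLE)) or "clean")
```

Run against the sample it reports three findings: the unqualified python:3.12 resolves to docker.io and is unpinned, and the Chainguard image is trusted but still floats on a tag.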
