content/manuals/dhi/core-concepts/cis.md
The CIS Docker Benchmark is part of the globally recognized CIS Benchmarks, developed by the Center for Internet Security (CIS). It defines recommended secure configurations for all aspects of the Docker container ecosystem, including the container host, Docker daemon, container images, and the container runtime.
Following the CIS Docker Benchmark helps organizations:
Docker Hardened Images (DHIs) are designed with security in mind and are verified to be compliant with the relevant controls from the latest CIS Docker Benchmark (v1.8.0) for the scope that applies to container images and Dockerfile configuration.
CIS-compliant DHIs meet all controls in Section 4, with the sole exception of the control requiring Docker Content Trust (DCT), which Docker officially retired. Instead, DHIs are signed using Cosign, providing an even higher level of authenticity and integrity. By starting from a CIS-compliant DHI, teams can adopt image-level best practices from the benchmark more quickly and confidently.
> [!NOTE]
> The CIS Docker Benchmark also includes controls for the host, daemon, and runtime. CIS-compliant DHIs address only the image and Dockerfile scope (Section 4). Overall compliance still depends on how you configure and operate the broader environment.
CIS-compliant images are labeled as CIS in the Docker Hardened Images catalog. To find them, explore images and look for the CIS designation on individual listings.
Download the latest CIS Docker Benchmark directly from CIS: https://www.cisecurity.org/benchmark/docker