content/manuals/dhi/how-to/cli.md
dhictl is a command-line interface (CLI) tool for managing Docker Hardened Images:
dhictl will be available by default on Docker Desktop soon.
In the meantime, you can install dhictl manually as a Docker CLI plugin or as a standalone binary.
dhictl binary for your platform from the releases page.docker-dhi on Linux and macOSdocker-dhi.exe on Windows$HOME/.docker/cli-plugins on Linux and macOS%USERPROFILE%\.docker\cli-plugins on Windowschmod +x $HOME/.docker/cli-plugins/docker-dhidocker dhi to verify the installation.dhictl binary for your platform from the
releases page.PATH:
mv dhictl /usr/local/bin/ on Linux and macOSdhictl.exe to a directory in your PATH on Windows[!NOTE]
The following examples use
dhictlto reference the CLI tool. Depending on your installation, you may need to replacedhictlwithdocker dhi.
Every command has built-in help accessible with the --help flag:
dhictl --help
dhictl catalog list --help
List all available DHI images:
dhictl catalog list
Filter by type, name, or compliance:
dhictl catalog list --type image
dhictl catalog list --filter golang
dhictl catalog list --fips
Get details of a specific image, including available tags and CVE counts:
dhictl catalog get <image-name>
Start mirroring one or more DHI images to your Docker Hub organization:
dhictl mirror start --org my-org \
-r dhi/golang,my-org/dhi-golang \
-r dhi/nginx,my-org/dhi-nginx \
-r dhi/prometheus-chart,my-org/dhi-prometheus-chart
List mirrored images in your organization:
dhictl mirror list --org my-org
Stop mirroring an image:
dhictl mirror stop --org my-org dhi-golang
The CLI can be used to create and manage DHI image customizations. For detailed instructions on creating customizations, including the YAML syntax and available options, see Customize a Docker Hardened Image.
Quick reference for CLI commands:
# Prepare a customization scaffold
dhictl customization prepare --org my-org golang 1.25 \
--destination my-org/dhi-golang \
--name "golang with git" \
--tag-suffix "_git" \
--output my-customization.yaml
# Create a customization
dhictl customization create --org my-org my-customization.yaml
# List customizations
dhictl customization list --org my-org
# Get a customization
dhictl customization get --org my-org my-org/dhi-golang "golang with git" --output my-customization.yaml
# Update a customization
dhictl customization edit --org my-org my-customization.yaml
# Delete a customization
dhictl customization delete --org my-org my-org/dhi-golang "golang with git"
Generate authentication credentials for accessing the enterprise hardened package repository. This is used when configuring your package manager to install compliance-specific packages in your own images. For detailed instructions, see Enterprise repository.
dhictl auth apk
List builds for a customization:
dhictl customization build list --org my-org my-org/dhi-golang "golang with git"
Get details of a specific build:
dhictl customization build get --org my-org my-org/dhi-golang "golang with git" <build-id>
View build logs:
dhictl customization build logs --org my-org my-org/dhi-golang "golang with git" <build-id>
Most list and get commands support a --json flag for machine-readable output:
dhictl catalog list --json
dhictl mirror list --org my-org --json
dhictl customization list --org my-org --json
dhictl can be configured with a YAML file located at:
$HOME/.config/dhictl/config.yaml on Linux and macOS%USERPROFILE%\.config\dhictl\config.yaml on WindowsIf $XDG_CONFIG_HOME is set, the configuration file is located at $XDG_CONFIG_HOME/dhictl/config.yaml (see the XDG Base Directory Specification).
Available configuration options:
| Option | Environment Variable | Description |
|---|---|---|
org | DHI_ORG | Default Docker Hub organization for mirror and customization commands. |
api_token | DHI_API_TOKEN | Docker token for authentication. You can generate a token in your Docker Hub account settings. |
Environment variables take precedence over configuration file values.