docker
diff --git a/‎content/manuals/dhi/_index.md‎
Lines changed: 15 additions & 10 deletions b/‎content/manuals/dhi/_index.md‎
Lines changed: 15 additions & 10 deletions
diff --git a/‎content/manuals/dhi/core-concepts/_index.md‎
Lines changed: 1 addition & 1 deletion b/‎content/manuals/dhi/core-concepts/_index.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/manuals/dhi/core-concepts/attestations.md‎
Lines changed: 38 additions & 10 deletions b/‎content/manuals/dhi/core-concepts/attestations.md‎
Lines changed: 38 additions & 10 deletions
diff --git a/‎content/manuals/dhi/core-concepts/cves.md‎
Lines changed: 15 additions & 20 deletions b/‎content/manuals/dhi/core-concepts/cves.md‎
Lines changed: 15 additions & 20 deletions
diff --git a/‎content/manuals/dhi/core-concepts/fips.md‎
Lines changed: 14 additions & 3 deletions b/‎content/manuals/dhi/core-concepts/fips.md‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎content/manuals/dhi/core-concepts/sbom.md‎
Lines changed: 4 additions & 4 deletions b/‎content/manuals/dhi/core-concepts/sbom.md‎
Lines changed: 4 additions & 4 deletions
@@ -1,22 +1,22 @@
 ---
 title: Docker Hardened Images
 description: Secure, minimal, and production-ready base images
-weight: 13
+weight: 8
 params:
   sidebar:
+    group: Products
     badge:
       color: green
       text: New
-    group: Products
   grid_sections:
     - title: Quickstart
-      description: Follow a step-by-step guide to explore, mirror, and run a Docker Hardened Image.
+      description: Follow a step-by-step guide to explore and run a Docker Hardened Image.
       icon: rocket_launch
       link: /dhi/get-started/
-    - title: About
+    - title: Explore
       description: Learn what Docker Hardened Images are, how they're built, and what sets them apart from typical base images.
       icon: info
-      link: /dhi/about/
+      link: /dhi/explore/
     - title: Features
       description: Discover the security, compliance, and enterprise-readiness features built into Docker Hardened Images.
       icon: lock
@@ -35,13 +35,18 @@ params:
       link: /dhi/troubleshoot/
 ---
 
-{{< summary-bar feature_name="Docker Hardened Images" >}}
-
-Docker Hardened Images (DHIs) are minimal, secure, and production-ready
-container base and application images maintained by Docker. Designed to reduce
-vulnerabilities and simplify compliance, DHIs integrate easily into your
+Docker Hardened Images (DHI) are minimal, secure, and production-ready container
+base and application images maintained by Docker. Designed to reduce
+vulnerabilities and simplify compliance, DHI integrates easily into your
 existing Docker-based workflows with little to no retooling required.
 
+DHI is available in two tiers: **DHI Free** provides core security features at
+no cost, while **DHI Enterprise** adds SLA-backed support, compliance variants,
+customization, and Extended Lifecycle Support for organizations with advanced
+requirements.
+
+![DHI Subscription](./images/dhi-subscription.png)
+
 Explore the sections below to get started with Docker Hardened Images, integrate
 them into your workflow, and learn what makes them secure and enterprise-ready.
 
 
@@ -27,7 +27,7 @@ params:
       icon: verified
       link: /dhi/core-concepts/fips/
     - title: STIG
-      description: Learn how Docker Hardened Images provide STIG-hardened container images with verifiable security scan attestations for government and enterprise compliance requirements.
+      description: Learn how Docker Hardened Images provide STIG-ready container images with verifiable security scan attestations for government and enterprise compliance requirements.
       icon: policy
       link: /dhi/core-concepts/stig/
     - title: CIS Benchmarks
 
@@ -4,7 +4,7 @@ description: Review the full set of signed attestations included with each Docke
 keywords: container image attestations, signed sbom, build provenance, slsa compliance, vex document
 ---
 
-Docker Hardened Images (DHIs) include comprehensive, signed security
+Docker Hardened Images (DHIs) and charts include comprehensive, signed security
 attestations that verify the image's build process, contents, and security
 posture. These attestations are a core part of secure software supply chain
 practices and help users validate that an image is trustworthy and
@@ -13,13 +13,13 @@ policy-compliant.
 ## What is an attestation?
 
 An attestation is a signed statement that provides verifiable information
-about an image, such as how it was built, what's inside it, and what security
+about an image or chart, such as how it was built, what's inside it, and what security
 checks it has passed. Attestations are typically signed using Sigstore tooling
 (such as Cosign), making them tamper-evident and cryptographically verifiable.
 
 Attestations follow standardized formats (like [in-toto](https://in-toto.io/),
 [CycloneDX](https://cyclonedx.org/), and [SLSA](https://slsa.dev/)) and are
-attached to the image as OCI-compliant metadata. They can be generated
+attached to the image or chart as OCI-compliant metadata. They can be generated
 automatically during image builds or added manually to document extra tests,
 scan results, or custom provenance.
 
@@ -38,25 +38,25 @@ They are essential for meeting industry standards such as SLSA,
 and help teams reduce the risk of supply chain attacks by making build and
 security data transparent and verifiable.
 
-## How Docker Hardened Images use attestations
+## How Docker Hardened Images and charts use attestations
 
-All DHIs are built using [SLSA Build Level
+All DHIs and charts are built using [SLSA Build Level
 3](https://slsa.dev/spec/latest/levels) practices, and each image variant is
 published with a full set of signed attestations. These attestations allow users
 to:
 
-- Verify that the image was built from trusted sources in a secure environment
+- Verify that the image or chart was built from trusted sources in a secure environment
 - View SBOMs in multiple formats to understand component-level details
 - Review scan results to check for vulnerabilities or embedded secrets
 - Confirm the build and deployment history of each image
 
-Attestations are automatically published and associated with each mirrored DHI
-in your Docker Hub organization. They can be inspected using tools like [Docker
+Attestations are automatically published and associated with each  DHI
+and chart. They can be inspected using tools like [Docker
 Scout](../how-to/verify.md) or
 [Cosign](https://docs.sigstore.dev/cosign/overview), and are consumable by CI/CD
 tooling or security platforms.
 
-## Available attestations
+## Image attestations
 
 While every DHI variant includes a set of attestations, the attestations may
 vary based on the image variant. For example, some images may include a STIG
@@ -82,10 +82,38 @@ details](../how-to/explore.md#view-image-variant-details) in Docker Hub.
 | SLSA verification summary  | A summary attestation indicating the image's compliance with SLSA requirements.                                                                                                          | `https://slsa.dev/verification_summary/v1`        |
 | SPDX SBOM                  | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems.                                                                                                   | `https://spdx.dev/Document`                       |
 | FIPS compliance            | An attestation that verifies the image uses FIPS 140-validated cryptographic modules.                              | `https://docker.com/dhi/fips/v0.1`                |
+| DHI Image Sources          | Links to a corresponding source image containing all materials used to build the image, including package source code, git repos, and local files, ensuring compliance with open source license requirements. | `https://docker.com/dhi/source/v0.1`              |
+
+## Helm chart attestations
+
+Docker Hardened Image (DHI) charts also include comprehensive signed attestations
+that provide transparency and verification for your Kubernetes deployments. Like
+DHI container images, these charts are built following SLSA Build Level 3
+practices and include extensive security metadata.
+
+DHI Helm charts include the following attestations:
+
+| Attestation type           | Description                                                                                                                                                                                                                     | Predicate type URI                                 |
+|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
+| CycloneDX SBOM             | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart.                                                              | `https://cyclonedx.org/bom/v1.6`                  |
+| CVEs (In-Toto format)      | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart.                                                                                                                   | `https://in-toto.io/attestation/vulns/v0.1`       |
+| Scout health score         | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images.                                                                                        | `https://scout.docker.com/health/v0.1`            |
+| Scout provenance           | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters.                                                                                                  | `https://scout.docker.com/provenance/v0.1`        |
+| Scout SBOM                 | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata.                                                                                | `https://scout.docker.com/sbom/v0.1`              |
+| Secrets scan               | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package.                                                                                                       | `https://scout.docker.com/secrets/v0.1`           |
+| Tests                      | A record of automated tests run against the chart to validate functionality and compatibility with referenced images.                                                                                                          | `https://scout.docker.com/tests/v0.1`             |
+| Virus scan                 | Results of antivirus scans performed on the chart package.                                                                                                                                                                     | `https://scout.docker.com/virus/v0.1`             |
+| CVEs (Scout format)        | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images.                                                                                                      | `https://scout.docker.com/vulnerabilities/v0.1`   |
+| SLSA provenance            | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials.                                                 | `https://slsa.dev/provenance/v0.2`                |
+| SPDX SBOM                  | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references.                                                                                                              | `https://spdx.dev/Document`                       |
+
+For instructions on how to view and verify Helm chart attestations, see [Verify
+Helm chart
+attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout).
 
 ## View and verify attestations
 
-To view and verify attestations for an image, see [Verify a Docker Hardened
+To view and verify attestations, see [Verify a Docker Hardened
 Image](../how-to/verify.md).
 
 ## Add your own attestations
 
@@ -70,7 +70,7 @@ To scan a Docker Hardened Image using Docker Scout, run the following
 command:
 
 ```console
-$ docker scout cves <your-namespace>/dhi-<image>:<tag>
+$ docker scout cves dhi.io/<image>:<tag> --platform <platform>
 ```
 
 Example output:
@@ -94,11 +94,13 @@ advisories.
 #### Scan a DHI using Grype
 
 After installing Grype, you can scan a Docker Hardened Image by pulling
-the image and running the scan command:
+the image and running the scan command. Grype requires you to export the VEX
+attestation to a file first:
 
 ```console
-$ docker pull <your-namespace>/dhi-<image>:<tag>
-$ grype <your-namespace>/dhi-<image>:<tag>
+$ docker pull dhi.io/<image>:<tag>
+$ docker scout vex get dhi.io/<image>:<tag> --output vex.json
+$ grype dhi.io/<image>:<tag> --vex vex.json
 ```
 
 Example output:
@@ -123,8 +125,8 @@ After installing Trivy, you can scan a Docker Hardened Image by pulling
 the image and running the scan command:
 
 ```console
-$ docker pull <your-namespace>/dhi-<image>:<tag>
-$ trivy image <your-namespace>/dhi-<image>:<tag>
+$ docker pull dhi.io/<image>:<tag>
+$ trivy image --scanners vuln --vex repo dhi.io/<image>:<tag>
 ```
 
 Example output:
@@ -135,7 +137,7 @@ Report Summary
 ┌──────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┬─────────┐
 │                                    Target                                    │    Type    │ Vulnerabilities │ Secrets │
 ├──────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
-│ <namespace>/dhi-<image>:<tag> (debian 12.11)                                 │   debian   │       66        │    -    │
+│ dhi.io/<image>:<tag> (debian 12.11)                                          │   debian   │       66        │    -    │
 ├──────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
 │ opt/python-3.13.4/lib/python3.13/site-packages/pip-25.1.1.dist-info/METADATA │ python-pkg │        0        │    -    │
 └──────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┴─────────┘
@@ -147,13 +149,13 @@ Docker Hardened Images include signed [VEX (Vulnerability Exploitability
 eXchange)](./vex.md) attestations that identify vulnerabilities not relevant to the image’s
 runtime behavior.
 
-When using Docker Scout, these VEX statements are automatically applied and no
-manual configuration needed.
+When using Docker Scout or Trivy, these VEX statements are automatically
+applied using the previous examples, and no manual configuration needed.
 
 To manually retrieve the VEX attestation for tools that support it:
 
 ```console
-$ docker scout vex get <your-namespace>/dhi-<image>:<tag> --output vex.json
+$ docker scout vex get dhi.io/<image>:<tag> --output vex.json
 ```
 
 > [!NOTE]
@@ -162,20 +164,13 @@ $ docker scout vex get <your-namespace>/dhi-<image>:<tag> --output vex.json
 > CLI](https://github.com/docker/scout-cli/) version 1.18.3 or later.
 >
 > If the image exists locally on your device, you must prefix the image name with `registry://`. For example, use
-> `registry://docs/dhi-python:3.13` instead of `docs/dhi-python:3.13`.
+> `registry://dhi.io/python:3.13` instead of `dhi.io/python:3.13`.
 
 For example:
 
 ```console
-$ docker scout vex get docs/dhi-python:3.13 --output vex.json
+$ docker scout vex get dhi.io/python:3.13 --output vex.json
 ```
 
 This creates a `vex.json` file containing the VEX statements for the specified
-image. You can then use this file with tools that support VEX to filter out known non-exploitable CVEs.
-
-For example, with Grype and Trivy, you can use the `--vex` flag to apply the VEX
-statements during the scan:
-
-```console
-$ grype <your-namespace>/dhi-<image>:<tag> --vex vex.json
-```
+image. You can then use this file with tools that support VEX to filter out known non-exploitable CVEs.
@@ -1,9 +1,12 @@
 ---
-title: FIPS
+title: 'FIPS <span class="not-prose bg-blue-500 dark:bg-blue-400 rounded-sm px-1 text-xs text-white whitespace-nowrap">DHI Enterprise</span>'
+linkTitle: FIPS
 description: Learn how Docker Hardened Images support FIPS 140 through validated cryptographic modules to help organizations meet compliance requirements.
 keywords: docker fips, fips 140 images, fips docker images, docker compliance, secure container images
 ---
 
+{{< summary-bar feature_name="Docker Hardened Images" >}}
+
 ## What is FIPS 140?
 
 [FIPS 140](https://csrc.nist.gov/publications/detail/fips/140/3/final) is a U.S.
@@ -35,6 +38,9 @@ Using software components that rely on validated cryptographic modules can help
 
 ## How Docker Hardened Images support FIPS compliance
 
+While Docker Hardened Images are available to all, the FIPS variant requires a
+Docker Hardened Images Enterprise subscription.
+
 Docker Hardened Images (DHIs) include variants that use cryptographic modules
 validated under FIPS 140. These images are intended to help organizations meet
 compliance requirements by incorporating components that meet the standard.
@@ -67,6 +73,11 @@ These indicators help you quickly locate repositories that support FIPS-based
 compliance needs. Image variants that include FIPS support will have a tag
 ending with `-fips`, such as `3.13-fips`.
 
+## Use a FIPS variant
+
+To use a FIPS variant, you must [mirror](../how-to/mirror.md) the repository
+and then pull the FIPS image from your mirrored repository.
+
 ## View the FIPS attestation
 
 The FIPS variants of Docker Hardened Images contain a FIPS attestation that
@@ -78,7 +89,7 @@ You can retrieve and inspect the FIPS attestation using the Docker Scout CLI:
 $ docker scout attest get \
   --predicate-type https://docker.com/dhi/fips/v0.1 \
   --predicate \
-  <your-namespace>/dhi-<image>:<tag>
+  dhi.io/<image>:<tag>
 ```
 
 For example:
@@ -87,7 +98,7 @@ For example:
 $ docker scout attest get \
   --predicate-type https://docker.com/dhi/fips/v0.1 \
   --predicate \
-  docs/dhi-python:3.13-fips
+  dhi.io/python:3.13-fips
 ```
 
 The attestation output is a JSON array describing the cryptographic modules
 
@@ -62,7 +62,7 @@ To view the SBOM of a Docker Hardened Image, you can use the `docker scout sbom`
 command. Replace `<image-name>:<tag>` with the image name and tag.
 
 ```console
-$ docker scout sbom <image-name>:<tag>
+$ docker scout sbom dhi.io/<image-name>:<tag>
 ```
 
 ## Verify the SBOM of a Docker Hardened Image
@@ -75,14 +75,14 @@ are trustworthy.
 To verify the SBOM of a Docker Hardened Image using Docker Scout, use the following command:
 
 ```console
-$ docker scout attest get <image-name>:<tag> \
+$ docker scout attest get dhi.io/<image-name>:<tag> \
    --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform <platform>
 ```
 
-For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image:
+For example, to verify the SBOM attestation for the `node:20.19-debian12` image:
 
 ```console
-$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+$ docker scout attest get dhi.io/node:20.19-debian12 \
    --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform linux/amd64
 ```