dhi: add packages and tiers

Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>

spacing fix

Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>

Update content/manuals/dhi/_index.md

Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com>

Author: craig-osterhout

content/manuals/dhi/_index.md

@@ -39,17 +39,18 @@ params:
       link: /dhi/resources/
 ---
 
-Docker Hardened Images (DHI) are minimal, secure, and production-ready container
-base and application images maintained by Docker. Designed to reduce
-vulnerabilities and simplify compliance, DHI integrates easily into your
-existing Docker-based workflows with little to no retooling required.
+Docker Hardened Images (DHI) provide minimal, secure, and production-ready
+container images, Helm charts, and system packages maintained by Docker.
+Designed to reduce vulnerabilities and simplify compliance, DHI integrates
+easily into your existing Docker-based workflows with little to no retooling
+required.
 
-DHI is available in two tiers: **DHI Free** provides core security features at
-no cost, while **DHI Enterprise** adds SLA-backed support, compliance variants,
-customization, and Extended Lifecycle Support for organizations with advanced
-requirements.
+DHI is available in the following three subscriptions.
 
-![DHI Subscription](./images/dhi-subscription.png)
+![DHI Tiers](./images/dhi-tiers.png)
+
+For more details see the [Docker Hardened Images subscription
+comparison](https://www.docker.com/products/hardened-images/#compare).
 
 Explore the sections below to get started with Docker Hardened Images, integrate
 them into your workflow, and learn what makes them secure and enterprise-ready.

content/manuals/dhi/core-concepts/attestations.md

@@ -90,6 +90,21 @@ For more details, see [Verify image attestations](../how-to/verify.md#verify-ima
 | FIPS compliance            | An attestation that verifies the image uses FIPS 140-validated cryptographic modules.                              |
 | DHI Image Sources          | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. |
 
+## Package attestations
+
+In addition to image-level attestations, Docker hardened packages also include
+their own attestations. These package-level attestations provide provenance and
+build information for individual packages within an image, allowing you to
+trace the supply chain at a granular level.
+
+Package attestations include similar information as image attestations, such as
+SLSA provenance, showing how each package was built and what materials were
+used. You can extract package information from an image's attestations and then
+retrieve the package's own attestations recursively.
+
+For detailed instructions on how to access and verify package attestations, see
+[Package attestations](../how-to/hardened-packages.md#package-attestations).
+
 ## Helm chart attestations
 
 Docker Hardened Image (DHI) charts also include comprehensive signed attestations

content/manuals/dhi/core-concepts/fips.md

@@ -1,5 +1,5 @@
 ---
-title: 'FIPS <span class="not-prose bg-blue-500 dark:bg-blue-400 rounded-sm px-1 text-xs text-white whitespace-nowrap">DHI Enterprise</span>'
+title: 'FIPS <span class="not-prose bg-blue-500 dark:bg-blue-400 rounded-sm px-1 text-xs text-white whitespace-nowrap">DHI Select & Enterprise</span>'
 linkTitle: FIPS
 description: Learn how Docker Hardened Images support FIPS 140 through validated cryptographic modules to help organizations meet compliance requirements.
 keywords: docker fips, fips 140 images, fips docker images, docker compliance, secure container images
@@ -39,7 +39,7 @@ Using software components that rely on validated cryptographic modules can help
 ## How Docker Hardened Images support FIPS compliance
 
 While Docker Hardened Images are available to all, the FIPS variant requires a
-Docker Hardened Images Enterprise subscription.
+paid Docker Hardened Images subscription.
 
 Docker Hardened Images (DHIs) include variants that use cryptographic modules
 validated under FIPS 140. These images are intended to help organizations meet

content/manuals/dhi/core-concepts/stig.md

@@ -1,5 +1,5 @@
 ---
-title: 'STIG <span class="not-prose bg-blue-500 dark:bg-blue-400 rounded-sm px-1 text-xs text-white whitespace-nowrap">DHI Enterprise</span>'
+title: 'STIG <span class="not-prose bg-blue-500 dark:bg-blue-400 rounded-sm px-1 text-xs text-white whitespace-nowrap">DHI Select & Enterprise</span>'
 linkTitle: STIG
 description: Learn how Docker Hardened Images provide STIG-ready container images with verifiable security scan attestations for government and enterprise compliance requirements.
 keywords: docker stig, stig-ready images, stig guidance, openscap docker, secure container images

content/manuals/dhi/explore/available.md

@@ -12,6 +12,9 @@ Docker Hardened Images (DHI) is a comprehensive catalog of
 security-hardened container images built to meet diverse
 development and production needs.
 
+You can explore the DHI catalog on [Docker Hub](https://hub.docker.com/search?q=&image_filter=store%2Cdhi) or use the [DHI CLI](../how-to/cli.md) to browse
+available images, tags, and metadata from the command line.
+
 ## Framework and application images
 
 DHI includes a selection of popular frameworks and application images, each
@@ -76,7 +79,7 @@ For example, you might find tags like the following in a DHI repository:
 - `3.9.23-debian12`: runtime image for Python 3.9.23
 - `3.9.23-debian12-dev`: development image for Python 3.9.23
 
-## FIPs and STIG variants {tier="DHI Enterprise"}
+## FIPs and STIG variants {tier="DHI Select & Enterprise"}
 
 {{< summary-bar feature_name="Docker Hardened Images" >}}
 

content/manuals/dhi/explore/build-process.md

@@ -10,13 +10,13 @@ aliases:
 
 Docker Hardened Images are built through an automated pipeline that monitors
 upstream sources, applies security updates, and publishes signed artifacts.
-This page explains the build process for both base DHI images and DHI Enterprise
-customized images.
+This page explains the build process for both base DHI images and customized
+images available with DHI Select and DHI Enterprise subscriptions.
 
-With a DHI Enterprise subscription, the automated security update pipeline for
+With DHI Select or DHI Enterprise subscriptions, the automated security update pipeline for
 both base and customized images is backed by SLA commitments, including a 7-day
-SLA for critical and high severity vulnerabilities. Only DHI Enterprise includes
-SLAs. DHI Free offers a secure baseline but no guaranteed remediation timelines.
+SLA for critical and high severity vulnerabilities. DHI Community offers a secure baseline
+but no guaranteed remediation timelines.
 
 ## Build transparency
 
@@ -72,14 +72,14 @@ dependencies. When a package update is detected (for example, a security patch
 for a library), Docker automatically identifies and rebuilds all images within
 the support window that use that package.
 
-### Customization changes {tier="DHI Enterprise"}
+### Customization changes {tier="DHI Select and Enterprise"}
 
 {{< summary-bar feature_name="Docker Hardened Images" >}}
 
 Updates to your OCI artifact customizations trigger rebuilds of your customized
 images.
 
-When you customize a DHI image with DHI Enterprise, your changes are packaged as
+When you customize a DHI image with DHI Select or DHI Enterprise, your changes are packaged as
 OCI artifacts that layer on top of the base image. Docker monitors your artifact
 repositories and automatically rebuilds your customized images whenever you push
 updates.
@@ -149,11 +149,11 @@ The following diagram shows the base image build flow:
 '-------------------'      '-------------------'      '-------------------'      '-------------------'
 ```
 
-### Customized image pipeline {tier="DHI Enterprise"}
+### Customized image pipeline {tier="DHI Select and Enterprise"}
 
 {{< summary-bar feature_name="Docker Hardened Images" >}}
 
-When you customize a DHI image with DHI Enterprise, the build process is simplified:
+When you customize a DHI image with DHI Select or DHI Enterprise, the build process is simplified:
 
 1. Monitoring: Docker monitors your OCI artifact repositories for changes.
 2. Rebuild trigger: When you push updates to your OCI artifacts, or when the base

content/manuals/dhi/explore/responsibility.md

@@ -38,8 +38,8 @@ securely.
 - Upstream: Maintains and updates the source code for each component,
   including fixing vulnerabilities in libraries and dependencies.
 - Docker: Rebuilds and re-releases images with upstream patches applied. Docker
-  monitors for vulnerabilities and publishes updates to affected images. Only
-  DHI Enterprise includes SLAs. DHI Free offers a secure baseline but no
+  monitors for vulnerabilities and publishes updates to affected images. DHI Select
+  and DHI Enterprise include SLA commitments. DHI Community offers a secure baseline but no
   guaranteed remediation timelines.
 - You: Apply DHI updates in your environments and patch any software or
   dependencies you install on top of the base image.
@@ -58,9 +58,9 @@ securely.
 
 - Docker: Publishes signed SBOMs, VEX documents, provenance data, and CVE
   scan results with each image to support compliance and supply chain security.
-  - For free DHI users: All security metadata and transparency features are
+  - For DHI Community users: All security metadata and transparency features are
     included at no cost.
-  - For DHI Enterprise users: Additional compliance variants (like FIPS and
+  - For DHI Select and Enterprise users: Additional compliance variants (like FIPS and
     STIG) and customization capabilities are available, with automatic rebuilds
     when base images are patched.
 - You: Integrate DHIs into your security and compliance workflows, including
@@ -69,9 +69,9 @@ securely.
 ## Support
 
 - Docker:
-  - For free DHI users: Community support and public documentation are available.
-  - For DHI Enterprise users: Access to Docker's enterprise support team for
-    mission-critical applications.
+  - For DHI Community users: Community support and public documentation are available.
+  - For DHI Select and DHI Enterprise users: Access to Docker's enterprise
+    support team for mission-critical applications.
 - You: Monitor Docker's release notes, security advisories, and documentation
   for updates and best practices.
 

content/manuals/dhi/features.md

@@ -19,28 +19,43 @@ existing Docker-based workflows with little to no retooling required.
 
 DHI provides security for everyone:
 
-- [DHI Free](#dhi-free-features) provides core security features available to
-  everyone with no licensing restrictions under Apache 2.0
-- [DHI Enterprise subscription
-  features](#dhi-enterprise-subscription-features) add
-  SLA-backed security updates, compliance variants (like FIPS and STIG), image
-  customization, and optional Extended Lifecycle Support (ELS) for post-EOL
-  coverage
+- [DHI Community](#dhi-community-features) provides core security features available to
+  everyone with no licensing restrictions under Apache 2.0.
+- [DHI Select and DHI Enterprise](#dhi-select-and-enterprise-features) add SLA-backed
+  security updates, FIPS/STIG compliance variants, and customization
+  capabilities, with DHI Enterprise offering unlimited customization, full
+  catalog access, and optional Extended Lifecycle Support (ELS) for post-EOL
+  coverage.
 
-## DHI Free features
+## DHI Community features
 
 DHI's core features are open and free to use, share, and build on with no
 licensing surprises, backed by an Apache 2.0 license.
 
 ### Security by default
 
 - Near-zero CVEs: Continuously scanned and patched to maintain minimal known
-  exploitable vulnerabilities, with no SLA-backed time commitments for non-DHI
-  Enterprise users
+  exploitable vulnerabilities, with no SLA-backed time commitments for DHI Community users
 - Minimal attack surface: Distroless variants reduce attack surface by up to 95% by removing unnecessary components
 - Non-root execution: Run as non-root by default, following the principle of least privilege
 - Transparent vulnerability reporting: Every CVE is visible and assessed using public data—no suppressed feeds or proprietary scoring
 
+### Hardened system packages
+
+Docker Hardened Images maintain supply chain integrity throughout the entire
+image stack with hardened system packages:
+
+- Source-built packages: For supported distributions, system packages are built
+  from source code by Docker
+- Cryptographic signatures: Every package is cryptographically signed and verified
+- Supply chain security: Eliminates risk from potentially compromised public packages
+
+Hardened system packages are included in supported distributions of DHI images.
+Community users can also configure their package manager to use Docker's public
+hardened package repository in their own images for the same packages included
+in the base images. See [Use hardened system packages](./how-to/hardened-packages.md)
+for details.
+
 ### Total transparency
 
 Every image includes complete, verifiable security metadata:
@@ -87,27 +102,41 @@ metadata to ensure transparency and trust:
 - Hardened configuration: Charts automatically reference Docker hardened images,
   ensuring security in deployments.
 
-## DHI Enterprise subscription features
+## DHI Select and Enterprise features
 
 For organizations with strict security requirements, regulatory demands, or
-operational needs, DHI Enterprise delivers additional capabilities.
+operational needs, DHI Select and Enterprise deliver additional capabilities.
 
-### Compliance variants {tier="DHI Enterprise"}
+DHI Select offers customizations, compliance variants, and SLA-backed updates
+for teams and organizations with production workloads. DHI Enterprise includes
+everything in Select with unlimited customizations, plus an optional Extended
+Lifecycle Support add-on and full catalog access for large enterprises with
+advanced security needs.
 
-- FIPS-enabled images: For regulated industries and government systems
-- STIG-ready images: Meet DoD Security Technical Implementation Guide requirements
+For a detailed comparison, see [Docker Hardened Images subscription
+comparison](https://www.docker.com/products/hardened-images/#compare).
 
-### SLA-backed security {tier="DHI Enterprise"}
+### SLA-backed security {tier="DHI Select & DHI Enterprise"}
 
-- CVE remediation SLA: 7-day SLA for critical and high severity vulnerabilities,
-  with SLA commitments for other severity levels
-- ELS CVE remediation SLA: Extended Lifecycle Support images have SLA commitments
-  for CVE remediation, even after upstream end-of-life
+- CVE remediation SLA: 7-day SLA for critical and high severity vulnerabilities
+- Continuous patching: Regular security updates backed by SLA commitments
 - Enterprise support: Access to Docker's support team for mission-critical applications
 
-### Customization and control {tier="DHI Enterprise"}
+### Compliance variants {tier="DHI Select & DHI Enterprise"}
+
+- FIPS-enabled images: For regulated industries and government systems
+- STIG-ready images: Meet DoD Security Technical Implementation Guide requirements
+
+### Customization and control {tier="DHI Select & DHI Enterprise"}
 
 - Build custom images: Add your own packages, tools, certificates, and configurations
+  - DHI Select: Up to 5 customizations
+  - DHI Enterprise: Unlimited customizations
+- Hardened packages: Access to additional compliance-specific packages (such as
+  FIPS variants) and Docker-patched packages not available in the public repository
+  - DHI Select: Add these packages through the customization UI when customizing hardened images
+  - DHI Enterprise: Add these packages through the customization UI, or configure
+    your package manager to use the enterprise package repository in your own images
 - Secure build infrastructure: Customizations built on Docker's trusted infrastructure
 - Full chain of trust: Customized images maintain provenance and cryptographic signing
 - Automatic updates: Custom images are automatically rebuilt when base images are patched

content/manuals/dhi/get-started.md

@@ -11,10 +11,11 @@ This guide shows you how to go from zero to running a Docker Hardened Image
 Docker image to better understand the differences. While the steps use a
 specific image as an example, they can be applied to any DHI.
 
+
 Docker Hardened Images are freely available to everyone with no subscription
 required, no usage restrictions, and no vendor lock-in. This quickstart covers
-free DHI images pulled from `dhi.io`. If you have a DHI Enterprise subscription
-or have started a trial and need compliance variants (FIPS), customization
+free DHI images pulled from `dhi.io`. If you have a paid DHI subscription or
+have started a trial and need compliance variants (FIPS), customization
 capabilities, or SLA-backed updates, you must [mirror DHI
 repositories](./how-to/mirror.md) to your organization's namespace on Docker
 Hub. You then pull mirrored images from `docker.io` (not `dhi.io`) using your
@@ -120,7 +121,7 @@ Example output:
 > This is example output. Your results may vary depending on newly discovered
 > CVEs and image updates.
 >
-> Docker maintains near-zero CVEs in Docker Hardened Images. For DHI Enterprise
+> Docker maintains near-zero CVEs in Docker Hardened Images. For paid DHI
 > subscriptions, when new CVEs are discovered, the CVEs are remediated within
 > the industry-leading SLA timeframe. Learn more about the [SLA-backed security
 > features](./features.md#sla-backed-security).
@@ -142,12 +143,12 @@ You've pulled and run your first Docker Hardened Image. Here are a few ways to k
   as the base.
 
 - [Start a trial](https://hub.docker.com/hardened-images/start-free-trial) to
-  explore the benefits of a DHI Enterprise subscription, such as access to FIPS
+  explore the benefits of a paid DHI subscription, such as access to FIPS
   and STIG variants, customized images, and SLA-backed updates.
 
-- [Mirror a repository](./how-to/mirror.md): After subscribing to DHI Enterprise
-  or starting a trial, learn how to mirror a DHI repository to enable
-  customization, access compliance variants, and get SLA-backed updates.
+- [Mirror a repository](./how-to/mirror.md): After subscribing to a paid DHI
+  subscription or starting a trial, learn how to mirror a DHI repository to
+  enable customization, access compliance variants, and get SLA-backed updates.
 
 - [Verify DHIs](./how-to/verify.md): Use tools like [Docker Scout](/scout/) or
   Cosign to inspect and verify signed attestations, like SBOMs and provenance.

content/manuals/dhi/how-to/_index.md

@@ -9,6 +9,10 @@ params:
       icon: travel_explore
       link: /dhi/how-to/explore/
   grid_adopt:
+    - title: Use the DHI CLI
+      description: Use the dhictl command-line tool to manage and interact with Docker Hardened Images.
+      icon: terminal
+      link: /dhi/how-to/cli/
     - title: Mirror a Docker Hardened Image repository
       description: Learn how to mirror an image into your organization's namespace and optionally push it to another private registry.
       icon: compare_arrows
@@ -17,6 +21,10 @@ params:
       description: Learn how to customize Docker Hardened Images and charts.
       icon: settings
       link: /dhi/how-to/customize/
+    - title: Use hardened system packages
+      description: Learn how to use Docker's hardened system packages in your images.
+      icon: inventory_2
+      link: /dhi/how-to/hardened-packages/
     - title: Use a Docker Hardened Image
       description: Learn how to pull, run, and reference Docker Hardened Images in Dockerfiles, CI pipelines, and standard development workflows.
       icon: play_arrow