Hardening Docker Images Is Easy. You'd Think.

You can pull `alpine:latest`, run `apk add` a few times, and ship a container that "looks fine." That container also has 47 known vulnerabilities. Hardening is the gap between those two facts — and most teams either don't know how big that gap is, or they know and pretend they're handling it.

I'll walk you through what Docker hardening involves in practice: package management with `--virtual` and multi-stage builds, dropping privileges and Linux capabilities, getting rootless containers to work on Alpine without musl/glibc accidents, the patching treadmill (CVE feeds, backports when there's no upstream fix, cache gotchas that hide stale layers, prioritization when Trivy hands you 47 CVEs at once), and the supply-chain pillar most teams haven't started on — SLSA provenance, Sigstore signatures, SBOMs.

You leave with a complete checklist you can put into your build pipeline tomorrow.

You also leave with an honest count of what running that checklist costs in engineering hours, week after week, forever. Sometimes the math says "we should keep doing this ourselves." Sometimes it says "we should buy expert-managed images." I do the math out loud, both ways, so you can make the call for your own team.

For DevOps and SRE practitioners running Alpine-based containers in production, `docker build` familiarity is the only prerequisite.

Pasha Finkelshteyn

Developer Advocate, BellSoft

Berlin, Germany
