dhi: add enterprise get started (#24529)

craig-osterhout · web-flow · commit 3c87de0c42a3 · 2026-03-30T08:49:40.000-07:00
## Description Added a get-started with DHI Select & Enterprise topic to show a complete end-to-end workflow with a real example. Current location is in how-to in order to keep the primary community get-started upfront for now. Updated the community get-started. ## Related issues or tickets ENGDOCS-3217 ## Reviews   - [ ] Editorial review --------- Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
diff --git a/content/manuals/dhi/get-started.md b/content/manuals/dhi/get-started.md
@@ -11,24 +11,23 @@ This guide shows you how to go from zero to running a Docker Hardened Image
 Docker image to better understand the differences. While the steps use a
 specific image as an example, they can be applied to any DHI.
 
+This quickstart uses DHI Community images from `dhi.io`. You sign in with your
+Docker account, pull and run an image, and compare it with a Docker Official Image.
 
-Docker Hardened Images are freely available to everyone with no subscription
-required, no usage restrictions, and no vendor lock-in. This quickstart covers
-free DHI images pulled from `dhi.io`. If you have a paid DHI subscription or
-have started a trial and need compliance variants (FIPS), customization
-capabilities, or SLA-backed updates, you must [mirror DHI
-repositories](./how-to/mirror.md) to your organization's namespace on Docker
-Hub. You then pull mirrored images from `docker.io` (not `dhi.io`) using your
-organization's namespace path. For example, `docker pull
-docker.io/<yourorg>/dhi-python:3.13` instead of `docker pull
-dhi.io/python:3.13`.
+> [!NOTE]
+>
+> If you have a DHI Select or Enterprise subscription, see [Get started with DHI
+> Select and Enterprise](./how-to/select-enterprise.md) instead. Select and
+> Enterprise use mirrored repositories in your organization namespace on Docker
+> Hub to enable customization, SLA-backed security updates, and access to
+> compliance variants.
 
 ## Step 1: Find an image to use
 
 1. Go to the Hardened Images catalog in [Docker
    Hub](https://hub.docker.com/hardened-images/catalog).
-2. Use the search bar or filters to find an image (e.g., `python`, `node`,
-   `golang`). For this guide, use the Python image as an example.
+2. Use the search bar or filters to find an image (for example, `python`,
+   `node`, or `golang`). For this example, search for `python`.
 3. Select the Python repository to view its details.
 
 Continue to the next step to pull and run the image. To dive deeper into exploring
@@ -42,21 +41,21 @@ tools or libraries you expect in a typical image. You can view the typical
 differences in [Considerations when adopting
 DHIs](./how-to/use.md#considerations-when-adopting-dhis).
 
-> [!TIP]
->
-> On every repository page in the DHI catalog, you'll find instructions for
-> pulling and scanning the image by selecting **Use this image**.
-
 The following example demonstrates that you can run the Python image and execute
 a simple Python command just like you would with any other Docker image:
 
 1. Open a terminal and sign in to the Docker Hardened Images registry using your
-   Docker ID credentials.
+   Docker account credentials.
 
    ```console
    $ docker login dhi.io
    ```
 
+   > [!TIP]
+   >
+   > If you don't have a Docker account, [create a free
+   > account](https://hub.docker.com/signup) to get started.
+
 2. Pull the image:
 
    ```console
@@ -78,7 +77,7 @@ To dive deeper into using images, see:
 - [Use in Kubernetes](./how-to/k8s.md) for Kubernetes deployments
 - [Use a Helm chart](./how-to/helm.md) for deploying with Helm
 
-## Step 3: Compare with the other images
+## Step 3: Compare with other images
 
 You can quickly compare DHIs with other images to see the security
 improvements and differences. This comparison helps you understand the value of
@@ -120,11 +119,11 @@ Example output:
 >
 > This is example output. Your results may vary depending on newly discovered
 > CVEs and image updates.
->
-> Docker maintains near-zero CVEs in Docker Hardened Images. For paid DHI
-> subscriptions, when new CVEs are discovered, the CVEs are remediated within
-> the industry-leading SLA timeframe. Learn more about the [SLA-backed security
-> features](./features.md#sla-backed-security).
+
+Docker maintains near-zero CVEs in Docker Hardened Images. For DHI Select and
+Enterprise subscriptions, when new CVEs are discovered, the CVEs are remediated
+within the industry-leading SLA time frame. Learn more about the [SLA-backed
+security features](./features.md#sla-backed-security).
 
 This comparison shows that the Docker Hardened Image:
 
@@ -139,19 +138,18 @@ To dive deeper into comparing images see [Compare Docker Hardened Images](./how-
 You've pulled and run your first Docker Hardened Image. Here are a few ways to keep going:
 
 - [Migrate existing applications to DHIs](./migration/migrate-with-ai.md): Use
-  Gordon to update your Dockerfiles to use Docker Hardened Images
-  as the base.
+  Gordon to update your Dockerfiles to use Docker Hardened Images as the base.
 
 - [Start a trial](https://hub.docker.com/hardened-images/start-free-trial) to
-  explore the benefits of a paid DHI subscription, such as access to FIPS
-  and STIG variants, customized images, and SLA-backed updates.
+  explore the benefits of a DHI subscription, such as access to FIPS and STIG
+  variants, customized images, and SLA-backed updates.
 
-- [Mirror a repository](./how-to/mirror.md): After subscribing to a paid DHI
-  subscription or starting a trial, learn how to mirror a DHI repository to
-  enable customization, access compliance variants, and get SLA-backed updates.
+- [Get started with DHI Select and Enterprise](./how-to/select-enterprise.md):
+  After subscribing to a DHI subscription or starting a trial, learn how to
+  mirror repositories, customize images, and access compliance variants.
 
 - [Verify DHIs](./how-to/verify.md): Use tools like [Docker Scout](/scout/) or
   Cosign to inspect and verify signed attestations, like SBOMs and provenance.
 
-- [Scan DHIs](./how-to/scan.md): Analyze the image with Docker
-  Scout or other scanners to identify known CVEs.
+- [Scan DHIs](./how-to/scan.md): Analyze the image with Docker Scout or other
+  scanners to identify known CVEs.
diff --git a/content/manuals/dhi/how-to/_index.md b/content/manuals/dhi/how-to/_index.md
@@ -9,6 +9,10 @@ params:
       icon: travel_explore
       link: /dhi/how-to/explore/
   grid_adopt:
+    - title: Get started with DHI Select and Enterprise
+      description: Learn how to mirror repositories, customize images, and access compliance variants with DHI Select and Enterprise subscriptions.
+      icon: rocket_launch
+      link: /dhi/how-to/select-enterprise/
     - title: Use the DHI CLI
       description: Use the dhictl command-line tool to manage and interact with Docker Hardened Images.
       icon: terminal
diff --git a/content/manuals/dhi/how-to/select-enterprise.md b/content/manuals/dhi/how-to/select-enterprise.md
@@ -0,0 +1,263 @@
+---
+title: Get started with DHI Select and Enterprise
+linkTitle: Use DHI Select & Enterprise
+description: Mirror a repository and start using Docker Hardened Images for Select and Enterprise subscriptions.
+keywords: docker hardened images, enterprise, select, mirror, quickstart
+---
+
+{{< summary-bar feature_name="Docker Hardened Images" >}}
+
+This guide shows you how to get started with DHI Select and Enterprise
+subscriptions. Unlike DHI Community, this workflow lets you mirror repositories
+to your organization namespace on Docker Hub, access compliance variants (FIPS),
+customize images, and get SLA-backed updates.
+
+## Prerequisites
+
+To use this workflow, you need organization owner access in your Docker Hub
+namespace, and one of the following:
+
+- A DHI Select or Enterprise subscription. [Contact Docker
+  sales](https://www.docker.com/products/hardened-images/#compare) to purchase
+  or learn more about these subscriptions.
+- An active DHI trial. [Start a free DHI
+  trial](https://hub.docker.com/hardened-images/start-free-trial).
+- [Docker Desktop](../../desktop/release-notes.md) 4.65 or later to use the
+  `docker dhi` CLI.
+
+Each step, when applicable, shows Docker Hub and command line instructions. You
+can use either interface.
+
+## Step 1: Find an image to use
+
+{{< tabs group="interface" >}}
+{{< tab name="Docker Hub" >}}
+
+1. Go to [Docker Hub](https://hub.docker.com/) and sign in.
+2. Select your organization in the left sidebar.
+3. Navigate to **Hardened Images** > **Catalog**.
+4. Use the search bar or filters to find an image (for example, `python`,
+   `node`, or `golang`). For this example, search for `python`.
+
+   To search for an image with a compliance variant (FIPS or STIG), select
+   **Filter by** and select the relevant compliance option.
+
+5. Select the Python repository to view its details.
+
+6. Select **Images** to view available image variants.
+
+{{< /tab >}}
+{{< tab name="Command line" >}}
+
+1. List available image repositories:
+
+   ```console
+   $ docker dhi catalog list --type image
+   ```
+
+2. To filter by name and FIPS compliance, use the `--filter` and `--fips` flags:
+
+   ```console
+   $ docker dhi catalog list --filter python --fips
+   ```
+
+3. Get image details for the repository:
+
+   ```console
+   $ docker dhi catalog get python
+   ```
+
+{{< /tab >}}
+{{< /tabs >}}
+
+Continue to the next step to mirror the image. To dive deeper into exploring
+images see [Explore Docker Hardened Images](explore.md).
+
+## Step 2: Mirror the repository
+
+Mirroring copies a DHI repository into your organization namespace on Docker
+Hub. This lets you receive SLA-backed Docker security patches for your images
+and use customization as well as compliance variants. Only organization owners
+can mirror repositories.
+
+{{< tabs group="interface" >}}
+{{< tab name="Docker Hub" >}}
+
+1. In the image repository details page you found in the previous step, select
+   **Use this image** > **Mirror repository**. Note that you must be signed in
+   to Docker Hub to perform this action.
+2. Select **Mirror**.
+3. Wait for images to finish mirroring. This can take a few minutes.
+4. Verify the mirrored repository appears in your organization namespace with a
+   `dhi-` prefix (for example, `dhi-python`).
+
+{{< /tab >}}
+{{< tab name="Command line" >}}
+
+To use the following commands, you must authenticate or configure DHI CLI
+authentication using your Docker token. For details, see [Use the DHI
+CLI](cli.md#configuration).
+
+1. Start mirroring the repository to your organization namespace. Replace
+   `<your-org>` with your organization name.
+
+   ```console
+   $ docker dhi mirror start --org <your-org> \
+       -r dhi/python,<your-org>/dhi-python
+   ```
+
+2. Wait for images to finish mirroring. This can take a few minutes.
+
+3. Verify the mirrored repository. Replace `<your-org>` with your organization
+   name.
+
+   ```console
+   $ docker dhi mirror list --org <your-org>
+   ```
+
+{{< /tab >}}
+{{< /tabs >}}
+
+Continue to the next step to customize the image. To dive deeper into mirroring
+images see [Mirror a repository](mirror.md).
+
+## Step 3: Customize the image
+
+One of the key benefits of DHI Select and Enterprise is the ability to customize
+your mirrored images. You can add system packages, configure settings, or make other
+modifications to meet your organization's specific requirements.
+
+This example shows how to add the `curl` system package to your mirrored Python image.
+
+{{< tabs group="interface" >}}
+{{< tab name="Docker Hub" >}}
+
+1. Go to your organization namespace on Docker Hub.
+2. Navigate to your mirrored repository (for example, `dhi-python`).
+3. Select **Customizations**.
+4. Select **Create customization**.
+5. Search for `3-alpine3.23` and select any one of the images.
+6. In **Add packages**, select **curl**.
+7. Select **Next: Configure**.
+8. In **Customization name**, enter a name for your customization (for example, `curl`).
+9. Select **Next: Review customization**.
+10. Select **Create customization** to start the build.
+
+It can take a few minutes for the customization to build. Go to the
+**Customizations** tab of your mirrored repository and view the **Last build**
+column to monitor the build status.
+
+{{< /tab >}}
+{{< tab name="Command line" >}}
+
+To use the following commands, you must authenticate or configure DHI CLI
+authentication using your Docker token. For details, see [Use the DHI
+CLI](cli.md#configuration).
+
+1. Create a customization. Replace `<your-org>` with your organization name.
+   This creates a file called `my-customization.yaml` with the customization
+   details.
+
+   ```console
+   $ docker dhi customization prepare --org <your-org> python 3-alpine3.23 \
+       --destination <your-org>/dhi-python \
+       --name "python with curl" \
+       --output my-customization.yaml
+   ```
+
+2. Add the `curl` package to the customization. You can edit the file with any
+   text or code editor. The following commands use `echo` to add the necessary
+   lines to the YAML file:
+
+   ```console
+   $ echo "contents:" >> my-customization.yaml
+   $ echo "  packages:" >> my-customization.yaml
+   $ echo "    - curl" >> my-customization.yaml
+   ```
+
+3. Apply the customization:
+
+   ```console
+   $ docker dhi customization create --org <your-org> my-customization.yaml
+   ```
+
+4. Verify the customization was created:
+
+   ```console
+   $ docker dhi customization list --org <your-org>
+   ```
+
+It can take a few minutes for the customization to build. To check the build status:
+
+1. Go to your organization namespace on Docker Hub.
+2. Navigate to your mirrored repository (for example, `dhi-python`).
+3. Select **Customizations**.
+4. View the **Last build** column to monitor the build status.
+
+{{< /tab >}}
+{{< /tabs >}}
+
+To dive deeper into customization, see [Customize a Docker Hardened
+Image](customize.md).
+
+## Step 4: Pull and run your customized image
+
+After the customization build completes, you can pull and run the customized
+image from your organization namespace on Docker Hub.
+
+1. Sign in to Docker Hub:
+
+   ```console
+   $ docker login
+   ```
+
+2. Pull the customized image from your organization. Replace `<your-org>` with
+   your organization name. The customized tag includes the suffix based on your
+   customization name.
+
+   ```console
+   $ docker pull <your-org>/dhi-python:3-alpine3.23_python-with-curl
+   ```
+
+3. Run the image and test that `curl` is installed:
+
+   ```console
+   $ docker run --rm <your-org>/dhi-python:3-alpine3.23_python-with-curl curl --version
+   ```
+
+   This confirms that the `curl` package was successfully added to the image.
+
+To dive deeper into using images, see:
+
+- [Use a Docker Hardened Image](use.md) for general usage
+- [Use in Kubernetes](k8s.md) for Kubernetes deployments
+- [Use a Helm chart](helm.md) for deploying with Helm
+
+## Step 5: Remove customization and stop mirroring
+
+To remove the customization and stop mirroring the repository:
+
+1. Go to your organization namespace on Docker Hub.
+2. Navigate to your mirrored repository (for example, `dhi-python`).
+3. Select **Customizations**.
+4. Find the customization you want to delete (for example, `python with curl`).
+5. Select the trash can icon.
+6. Select **Delete customization** to confirm the deletion.
+7. To stop mirroring, go back to your organization's repositories list.
+8. Find the mirrored repository (for example, `dhi-python`).
+9. Select **Settings**.
+10. Select **Stop mirroring**.
+11. Select **Stop mirroring** to confirm.
+
+## What's next
+
+You've mirrored, customized, and run a Docker Hardened Image. Here are a few ways to keep going:
+
+- [Migrate existing applications to DHIs](../migration/migrate-with-ai.md): Use
+  Gordon to update your Dockerfiles to use Docker Hardened Images as the base.
+
+- [Verify DHIs](verify.md): Use tools like [Docker Scout](/scout/) or Cosign to
+  inspect and verify signed attestations, like SBOMs and provenance.
+
+- [Scan DHIs](scan.md): Analyze the image with Docker Scout or other scanners
+  to identify known CVEs.
