6 min read
Saved February 14, 2026
Docker's Hardened Images (DHI) are now free, offering improved security for various base images. They shift responsibility for certain vulnerabilities to Docker, allowing teams to focus on their application layers. This article outlines how to integrate DHI into vulnerability management practices.
Docker has made its Hardened Images (DHI) available for free, encompassing Alpine, Debian, and over 1,000 additional images, including various databases and runtimes. This move significantly impacts how security teams manage container vulnerabilities. With DHIs, Docker takes responsibility for vulnerabilities below a defined security "waterline," while teams still handle issues above it. For example, a hardened Python image limits vulnerability management to application code and direct dependencies, pushing the waterline upward and reducing the team's workload.
The DHI approach offers more than just CVE reduction; it also enhances supply chain security. Unlike community images, which carry inherent trust risks, DHI images come from a controlled source with rigorous review processes. This structure helps prevent supply chain attacks that exploit community image vulnerabilities. Consequently, teams can focus their efforts on issues that matter most, with DHI images serving as a solid baseline for security.
Vulnerability management can now be more streamlined. Docker suggests practical steps, like consuming DHI VEX data for better vulnerability assessment and writing custom VEX statements for application-layer findings. By integrating these practices, teams can reduce the noise of vulnerabilities, making it easier to enforce their policies without overwhelming staff. DHI also supports compliance with frameworks like ISO 27001 and SOC 2 by providing a systematic way to document vulnerability management and monitoring efforts.
To get started with DHI, teams should identify their most-used base images, replace one with a DHI equivalent, and configure their scanning tools to differentiate between DHI-covered vulnerabilities and application-layer issues. Documenting the waterline between Docker's responsibility and the team's will be crucial for future audits and policy enforcement.
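One way to apply the VEX-based triage and waterline split described above, as an added example that is not Docker's or DHI's own code: it assumes an OpenVEX-style statement layout (vulnerability name, product purl, status) and a scanner output that tags each finding with the layer it was found in; every identifier and CVE number below is a constructed placeholder.

```python
import json

# Constructed OpenVEX-style document (not real DHI VEX data). The first statement
# stands in for one published with a hardened base image; the second is a custom
# statement the application team wrote for a finding in its own dependency.
VEX_JSON = r'''{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/app-2026-02",
  "author": "example app team (constructed)",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:oci/base@sha256:placeholder"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:pypi/example-lib@1.0.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}
  ]
}'''

# Constructed scanner findings; "layer" records whether the package came from the
# base image (below the waterline) or from the application layers (above it).
FINDINGS = [
    {"id": "CVE-0000-0001", "pkg": "pkg:oci/base@sha256:placeholder", "layer": "base"},
    {"id": "CVE-0000-0002", "pkg": "pkg:pypi/example-lib@1.0.0", "layer": "app"},
    {"id": "CVE-0000-0003", "pkg": "pkg:pypi/other-lib@2.3.4", "layer": "app"},
    {"id": "CVE-0000-0004", "pkg": "pkg:deb/debian/libexample@1.2", "layer": "base"},
]

SUPPRESSING_STATUSES = {"not_affected", "fixed"}  # VEX statuses that close a finding

def load_vex_index(vex_json):
    """Index statements by (vulnerability id, product purl) -> status."""
    index = {}
    for st in json.loads(vex_json)["statements"]:
        for product in st["products"]:
            index[(st["vulnerability"]["name"], product["@id"])] = st["status"]
    return index

def triage(findings, vex_index, waterline_layers=("base",)):
    """suppressed: a VEX statement closes it; publisher_owned: below the waterline
    and not yet VEXed, tracked against the image publisher rather than the team;
    app_open: above the waterline with no VEX, the team's own action items."""
    buckets = {"suppressed": [], "publisher_owned": [], "app_open": []}
    for f in findings:
        if vex_index.get((f["id"], f["pkg"])) in SUPPRESSING_STATUSES:
            buckets["suppressed"].append(f["id"])
        elif f["layer"] in waterline_layers:
            buckets["publisher_owned"].append(f["id"])
        else:
            buckets["app_open"].append(f["id"])
    return buckets
```

The three buckets are the audit trail the article asks for: which findings were closed by a VEX statement and why, which sit below the documented waterline, and which the team still owns.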