Docker have recently made their hardened images available for everyone. Although they're free to use, images in the hardened image catalog require authentication to pull.
I'm trying to set up Dependabot to check for updated versions of these images. I've created a username and password (set up as a variable and a secret in GitHub) and, based on the guidance and documentation, added a registry to the configuration in .github/dependabot.yml (available in a public repository here):
---
version: 2
registries:
  docker-hardened:
    type: "docker-registry"
    url: "dhi.io"
    replaces-base: true
    username: ${{ vars.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_TOKEN }}
updates:
  - package-ecosystem: "docker"
    directory: "/"
    registries:
      - "docker-hardened"
    schedule:
      interval: "daily"
This fails to determine available image versions, however:
2025/12/25 14:20:33 INFO <job_1190920113> Checking all dependencies for version updates...
updater | 2025/12/25 14:20:33 INFO <job_1190920113> Checking if node 24-alpine3.22-sfw-dev needs updating
proxy | 2025/12/25 14:20:33 [013] GET https://dhi.io:443/v2/node/tags/list
2025/12/25 14:20:33 [013] * authenticating docker registry request (host: dhi.io)
proxy | 2025/12/25 14:20:33 [013] 404 https://dhi.io:443/v2/node/tags/list
proxy | 2025/12/25 14:20:33 [015] GET https://dhi.io:443/v2/node/tags/list
2025/12/25 14:20:33 [015] 404 https://dhi.io:443/v2/node/tags/list (cached)
2025/12/25 14:20:33 [015] * auth'd git request previously retried, won't retry again. (cached)
proxy | 2025/12/25 14:20:33 [017] GET https://dhi.io:443/v2/node/tags/list
2025/12/25 14:20:33 [017] 404 https://dhi.io:443/v2/node/tags/list (cached)
2025/12/25 14:20:33 [017] * auth'd git request previously retried, won't retry again. (cached)
proxy | 2025/12/25 14:20:33 [019] POST /update_jobs/1190920113/record_update_job_unknown_error
proxy | 2025/12/25 14:20:33 [019] 204 /update_jobs/1190920113/record_update_job_unknown_error
proxy | 2025/12/25 14:20:33 [021] POST /update_jobs/1190920113/record_update_job_error
proxy | 2025/12/25 14:20:33 [021] 204 /update_jobs/1190920113/record_update_job_error
proxy | 2025/12/25 14:20:33 [023] POST /update_jobs/1190920113/increment_metric
proxy | 2025/12/25 14:20:33 [023] 204 /update_jobs/1190920113/increment_metric
proxy | 2025/12/25 14:20:33 [025] POST /update_jobs/1190920113/record_update_job_unknown_error
proxy | 2025/12/25 14:20:33 [025] 204 /update_jobs/1190920113/record_update_job_unknown_error
updater | 2025/12/25 14:20:33 ERROR <job_1190920113> Error processing node (DockerRegistry2::NotFound)
2025/12/25 14:20:33 ERROR <job_1190920113> Image not found at dhi.io
It does seem to be authenticating correctly, as accessing that URL without auth would give a 401, not a 404:
$ curl https://dhi.io:443/v2/node/tags/list
Unauthorized
so at least some of this configuration is correct; particularly, the token is stored for Dependabot to use.
There are no related discussions or issues; there is one discussion on dependabot/dependabot-core, but with no response as yet.
Although the request appeared to be authenticated, it actually wasn't. It seems that Dependabot cannot access variables in its GitHub Actions jobs, only secrets. Switching from:
username: ${{ vars.DOCKER_USERNAME }}
to:
username: ${{ secrets.DOCKER_USERNAME }}
allowed the job to access the Docker Hardened images successfully:
2025/12/26 17:58:59 INFO <job_1191599669> Checking all dependencies for version updates...
updater | 2025/12/26 17:58:59 INFO <job_1191599669> Checking if node 24-alpine3.22-sfw-dev needs updating
proxy | 2025/12/26 17:58:59 [013] GET https://dhi.io:443/v2/node/tags/list
2025/12/26 17:58:59 [013] * authenticating docker registry request (host: dhi.io)
proxy | 2025/12/26 17:58:59 [013] 200 https://dhi.io:443/v2/node/tags/list
updater | 2025/12/26 17:58:59 INFO <job_1191599669> Original tag components: dev,sfw
updater | 2025/12/26 17:58:59 INFO <job_1191599669> Latest version is 25-alpine3.22-sfw-dev
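The misconfiguration in the question is easy to miss in review because `${{ vars.X }}` and `${{ secrets.X }}` look alike and the failure surfaces only as a registry 404. The following script, an added example that is not from the question, the answer or the Dependabot project, scans a dependabot.yml for `vars.` references in expression syntax and produces the corrected form the answer arrived at. The sample config is constructed to mirror the one in the question; the function names, the regex and the key-extraction heuristic are this example's own, and the rewrite only fixes the reference: the credential must still exist as a secret Dependabot can read under that name.

```python
"""Lint a .github/dependabot.yml for ``${{ vars.* }}`` references.

Per the answer above, Dependabot resolves only ``secrets.`` references,
so a ``vars.`` reference in a registry block leaves the request without
usable credentials. This added example (not the page's or Dependabot's
code) finds such references and emits the ``secrets.`` form.
"""
import re

# GitHub expression syntax referencing the Actions `vars` context.
VARS_REF = re.compile(r"\$\{\{\s*vars\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample mirroring the configuration in the question.
SAMPLE_CONFIG = """\
version: 2
registries:
  docker-hardened:
    type: "docker-registry"
    url: "dhi.io"
    replaces-base: true
    username: ${{ vars.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_TOKEN }}
updates:
  - package-ecosystem: "docker"
    directory: "/"
    registries:
      - "docker-hardened"
    schedule:
      interval: "daily"
"""


def find_vars_references(config_text):
    """Return (line_number, yaml_key, variable_name) for each ``vars.`` use.

    The key is taken from the text before the first ':' on the same line,
    which is enough for the flat key/value lines a registry block uses.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in VARS_REF.finditer(line):
            key = line.split(":", 1)[0].strip() if ":" in line else ""
            findings.append((lineno, key, match.group(1)))
    return findings


def rewrite_vars_to_secrets(config_text):
    """Rewrite every ``${{ vars.NAME }}`` to ``${{ secrets.NAME }}``.

    Only the reference changes; a secret named NAME must be created for
    Dependabot separately, otherwise the request is still unauthenticated.
    """
    return VARS_REF.sub(lambda m: "${{ secrets.%s }}" % m.group(1), config_text)


if __name__ == "__main__":
    for lineno, key, name in find_vars_references(SAMPLE_CONFIG):
        print(f"line {lineno}: '{key}' reads vars.{name}; "
              "Dependabot cannot resolve the vars context")
    print("--- corrected ---")
    print(rewrite_vars_to_secrets(SAMPLE_CONFIG))
```

Run it against a real file with `find_vars_references(open(".github/dependabot.yml").read())`; any finding means a registry credential that Dependabot will not be able to supply, and the job log will show the same 404 or 401 against the registry's `/v2/` endpoint as in the question.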