Staff Supply Chain Security Engineer, Docker Hardened Images

Docker has been one of the most loved brands in developer tooling, trusted by more than 20 million monthly users and over 20 billion container image pulls. From solo founders to the world's largest companies, developers rely on Docker to build, share, and run their applications across our suite of products including Docker Desktop, Docker Hub, and Docker Scout.

We are a globally distributed, remote-first team building the tools that define how software gets built and delivered. As AI agents redefine software development, Docker is at the center of that shift, providing the sandboxed environments, verified images, and secure infrastructure that make autonomous workflows trustworthy by default.

Docker Hardened Images (DHI) is Docker's catalogue of security-hardened, enterprise-grade container images and Helm charts - built to be minimal, up-to-date, and safe to deploy in regulated and security-conscious environments. We're looking for a Staff-level engineer to help shape the technical direction of this catalogue and raise the bar across the team that builds it.

This is not a traditional software engineering role. You'll spend most of your time working with YAML definition files, upstream OSS projects, and the container and Kubernetes ecosystems - packaging and adapting software rather than building it from scratch. At the Staff level, you'll also own the harder, ambiguous problems: catalogue-wide architecture decisions, conventions that scale across dozens of images and charts, and the technical strategy that keeps DHI ahead of upstream change. If you've led packaging efforts at a Linux distribution, driven Helm chart standards across an org, or operated as a Staff platform/security engineer at the intersection of supply chain, containers, and Kubernetes, this will feel familiar.

This is a pure individual contributor role - no direct reports. Influence comes through technical leadership, design, and mentorship.

RESPONSIBILITIES

• Setting catalogue-wide technical direction - defining the conventions, patterns, and architectural decisions that govern how images and Helm charts are authored across DHI, and evolving them as the catalogue grows
• Owning the hardest packaging problems - images and charts with complex upstream dynamics (rapid release cadence, monorepo quirks, painful major-version breaks, intricate dependency chains, niche multi-arch issues) where the right answer isn't obvious
• Authoring and maintaining image definition files that track upstream OSS releases, define build steps, and keep the catalogue current - and shaping the templates and tooling others use to do the same
• Adapting upstream Helm charts (cert-manager, grafana, mongodb, kyverno, istio, and many more) to work with DHI images - handling security constraints, non-root contexts, and Kubernetes compatibility concerns, and codifying the patterns that make this repeatable
• Driving security hardening strategy - leading CVE triage approaches, hardening decisions, and supply chain posture (Sigstore, SBOM, SLSA) across the catalogue, not just individual images
• Designing and writing Go-based integration test infrastructure that validates images and charts behave correctly in real Kubernetes environments, and improving the harness others build on
• Raising the bar through review and mentorship - reviewing peers' definition and chart PRs, catching subtle issues before they reach customers, and helping other engineers grow into harder problems
• Partnering across teams with product, security, and customer-facing functions to translate customer needs and regulatory pressures into catalogue priorities and technical decisions
• Engaging upstream - representing DHI in upstream OSS communities (chart maintainers, project maintainers) on issues that affect security-hardened deployments
• Take part in the paid on-call rotation for the team; respond to incidents, debug production issues, and drive continuous improvement of system reliability

QUALIFICATIONS

• 8+ years of backend engineering experience with production-grade systems
• Bachelor’s degree in Computer Science, Engineering, or a related field, or equivalent practical experience
• Deep expertise in the container and Kubernetes ecosystem - you have strong opinions about cert-manager, kyverno, grafana, istio, and similar projects, you've debugged them in production-shaped environments, and you can navigate upstream Helm chart source and project internals fluently
• Mastery of YAML as a working medium - you've designed conventions and structures that other engineers work within, not just authored within someone else's conventions
• Strong container security background - non-root users, UID/GID, image layers, multi-arch builds, and supply chain concepts (provenance, attestation, SBOM, signing) are second nature, and you can reason about tradeoffs at the catalogue level
• Go ability sufficient to design test infrastructure - you can write and review integration test code and shape the harness, even if you're not building distributed systems
• A maintainer mindset, applied at scale - you take pride in consistency, catch drift from patterns, and think about how a change to one image or chart ripples across dozens of others and out to customers
• Strong technical judgment in ambiguous situations - comfort making and defending decisions where there's no perfect answer (e.g., how aggressively to deviate from upstream, when to absorb a breaking change vs. pin)
• Track record of technical influence without authority - you've raised the quality bar on a team through review, design docs, mentorship, and well-chosen conventions
• Deep familiarity with GitHub-heavy open source workflows - PRs, upstream tracking, monorepo conventions, and the social side of engaging with upstream maintainers

BONUS BUT NOT REQUIRED

• Experience as a package maintainer (any Linux distribution, Homebrew, etc.)
• Helm chart authorship or contribution experience
• Hands-on experience with supply chain tooling (Sigstore, SBOM, SLSA) - ideally having implemented or operationalized them
• Experience in a regulated or security-conscious environment (FedRAMP, FIPS, PCI, regulated industries)
• Prior Staff-level IC experience on a platform, security, or developer-tools team

Docker considers visa sponsorship on a case-by-case basis based on business needs.

We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound https://getcovey.com/product/covey-scout-inbound on April 13, 2024.

Please see the independent bias audit report covering our use of Covey here https://getcovey.com/nyc-local-law-144.

Perks

• Freedom & flexibility; fit your work around your life
• Designated quarterly Whaleness Days plus end of year Whaleness break
• Home office setup; we want you comfortable while you work
• 16 weeks of paid Parental leave (after 6 months of employment)
• Technology stipend equivalent to $100 USD net/month
• PTO plan that encourages you to take time to do the things you enjoy
• Training stipend for conferences, courses and classes
• Equity; we are a growing start-up and want all employees to have a share in the success of the company
• Docker Swag
• Medical benefits, retirement and holidays vary by country
• Remote-first culture, with offices in Seattle and Paris

Docker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.

#LI-REMOTE