Senior Supply Chain Security Engineer

Docker has been one of the most loved brands in developer tooling, trusted by more than 20 million monthly users and over 20 billion container image pulls. From solo founders to the world's largest companies, developers rely on Docker to build, share, and run their applications across our suite of products including Docker Desktop, Docker Hub, and Docker Scout.

We are a globally distributed, remote-first team building the tools that define how software gets built and delivered. As AI agents redefine software development, Docker is at the center of that shift, providing the sandboxed environments, verified images, and secure infrastructure that make autonomous workflows trustworthy by default.

Docker Hardened Images (DHI) is Docker's catalogue of security-hardened, enterprise-grade container images and Helm charts - built to be minimal, up-to-date, and safe to deploy in regulated and security-conscious environments. We're looking for someone to join the team that makes this possible.

This is not a traditional software engineering role. You'll spend most of your time working with YAML definition files, upstream OSS projects, and the container and Kubernetes ecosystems - packaging and adapting software rather than building it from scratch. If you've ever maintained packages for a Linux distribution, contributed to a Helm chart upstream, or worked as a platform/infrastructure engineer with a strong security lean, this will feel familiar.

• →

  Authoring and maintaining image definition files that track upstream OSS project releases, define build steps, and keep our catalogue current across dozens of images

• →

  Adapting upstream Helm charts (cert-manager, grafana, mongodb, kyverno, and many more) to work with DHI images - handling security constraints, non-root contexts, and Kubernetes compatibility concerns

• →

  Tracking upstream version releases and semver patterns across monorepos and standard repos, handling major version breaks and dependency chains

• →

  Writing Go-based integration tests that validate images and charts behave correctly in real Kubernetes environments

• →

  Triaging CVEs and contributing to security hardening decisions across images

• →

  Reviewing peers' definitions and chart PRs against established conventions and catching subtle issues before they reach customers

• 6+ years of backend engineering experience with production-grade systems

• Bachelor’s degree in Computer Science, Engineering, or a related field, or equivalent practical experience

• Strong familiarity with the container and Kubernetes ecosystem - you know what cert-manager, kyverno, grafana, and istio are, you've deployed them, and you can read upstream Helm chart source without getting lost

• Comfort with YAML as a primary working medium - you think carefully about structure, conventions, and patterns

• Understanding of container security basics - non-root users, UID/GID, image layers, multi-arch builds, supply chain concepts

• Some Go ability - enough to read and write test code, not to build distributed systems

• A maintainer mindset - you take pride in consistency, catch drift from patterns, and think about how your change affects others downstream

• Familiarity with GitHub-heavy open source workflows - PRs, upstream tracking, monorepo conventions

• Experience as a package maintainer (any Linux distribution, Homebrew, etc.)

• Helm chart authorship or contribution experience

• Familiarity with supply chain tooling (Sigstore, SBOM, SLSA)

• Experience in a regulated or security-conscious environment

We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on April 13, 2024.

Please see the independent bias audit report covering our use of Covey here.