Embedding security into developer workflow
Scott Johnston, CEO of Docker, on growing from $11M to $135M ARR in 2 years
The real point is that Docker is trying to make security a default property of the development workflow, not a separate stream of alerts that developers have to triage. In practice that means catching issues while a developer is pulling a base image, building locally, inspecting image layers, or opening a pull request, then suggesting the specific fix, like updating the base image, instead of dumping a giant vulnerability report on them. That fits Docker’s business model because Docker already sits on the desktop, in the build step, and in the registry path.
-
The contrast is with tools like Snyk and other cloud security products that grew by scanning code, dependencies, containers, or cloud configs, then selling governance and remediation workflows to security teams. Those products are valuable, but they often create another dashboard that developers have to interpret and act on.
-
Docker’s advantage is workflow position. Docker Desktop shows image details, packages, base images, and vulnerabilities inside the tool developers already use. Docker Scout can evaluate policies and automatically open a pull request to update an outdated base image, which turns security from analysis into an in flow fix.
-
This logic extends into Docker Hardened Images. Instead of warning a team that a base image is risky, Docker can give them a cleaner starting image that drops many vulnerabilities before the developer writes code. That is closer to removing work than adding work, which is why it is a better fit for product led adoption.
The next step is a broader developer security bundle where Docker owns more of the safe default stack, from base images to policy checks to remediation inside pull requests. If that works, container security shifts from a separate security purchase into a feature of the everyday developer toolchain, which makes Docker harder to displace and expands its seat value over time.