What is Docker's strategy for prioritizing developer productivity & safety in its product roadmap for 2023?

Our industry has so often had to trade speed off for safety. There’s this thinking that if you're going to ship fast, you might break something or you might introduce a vulnerability—and conversely, if you're going to be absolutely safe, then it’s going to take you months to get a release out the door.

With Docker, devs won’t have to make those tradeoffs. They’ll be able to ship quickly, safely—and in the coming year, we’ll have additional capabilities in the product to facilitate that.

We've already talked about developer productivity and bringing that productivity to teams. We’ve talked about the hybrid mode of local and shared clusters in the cloud. In parallel, you’ve heard about the shift left—it's a little cliché, because so many vendors say shift left when what they’re really doing is raining data down on the heads of these poor devs, which scares them and drives them right into vendors’ business models. That's not what we're doing.

Because we're on the developer's desktop, we are there at the point of creation and when they're merging that pull request. We're there when they're pulling down that base image from a registry and they're using our build tech to create that image right then and there. We're as far left as it gets.

What that gives us is the ability to index everything that the dev is doing. Before they even touch CI, so much of security shows up once the dev kicks off Jenkins or GitLab or whatnot. 

We're able to—right there in the desktop—show them the impact of the changes they're making and suggest an alternative change if there might be a dangerous impact.

We’re able to tell them that if they merge this pull request, that's the upgraded version of this package that will actually remove this vulnerability that we just detected and what you just wrote in your text editor right there.

Giving them that feedback loop right then and there beats the hell out of where most security is today, which is that code gets pushed into CI and 20-30 minutes later, the dev gets a notification that there’s a vulnerability and they better go fix it. The dev goes, "What? That was 20 minutes ago. I've already moved on."

That's basically the leading edge solution today. Organizations have probes in prod that pick up security issues around 30-45 days after it's been deployed.

By instead keeping that feedback loop right then and there in the moment of creation—and we're pretty uniquely suited to do that—we get the opportunity to help them build safer code. And it’s not just around security—it can also help developers figure out whether they’re following their internal corporate standards, whether they’re using open source licenses that have been approved by their organization, and so on.

We can look at all of that right then and there on the desktop before they merge anything, which gives us a commercial opportunity and an opportunity to help them be more productive right then and there.