Docker has been one of the most loved brands in developer tooling, trusted by more than 20 million monthly users and over 20 billion container image pulls. From solo founders to the world's largest companies, developers rely on Docker to build, share, and run their applications across our suite of products including Docker Desktop, Docker Hub, and Docker Scout.We are a globally distributed, remote-first team building the tools that define how software gets built and delivered. As AI agents redefine software development, Docker is at the center of that shift, providing the sandboxed environments, verified images, and secure infrastructure that make autonomous workflows trustworthy by default.Docker Hardened Images (DHI) is Docker's catalogue of security-hardened, enterprise-grade container images and Helm charts - built to be minimal, up-to-date, and safe to deploy in regulated and security-conscious environments. We're looking for a Staff-level engineer to help shape the technical direction of this catalogue and raise the bar across the team that builds it.This is not a traditional software engineering role. You'll spend most of your time working with YAML definition files, upstream OSS projects, and the container and Kubernetes ecosystems - packaging and adapting software rather than building it from scratch. At the Staff level, you'll also own the harder, ambiguous problems: catalogue-wide architecture decisions, conventions that scale across dozens of images and charts, and the technical strategy that keeps DHI ahead of upstream change. If you've led packaging efforts at a Linux distribution, driven Helm chart standards across an org, or operated as a Staff platform/security engineer at the intersection of supply chain, containers, and Kubernetes, this will feel familiar.This is a pure individual contributor role - no direct reports. Influence comes through technical leadership, design, and mentorship.ResponsibilitiesSetting catalogue-wide technical direction - defining the conventions, patterns, and architectural decisions that govern how images and Helm charts are authored across DHI, and evolving them as the catalogue growsOwning the hardest packaging problems - images and charts with complex upstream dynamics (rapid release cadence, monorepo quirks, painful major-version breaks, intricate dependency chains, niche multi-arch issues) where the right answer isn't obviousAuthoring and maintaining image definition files that track upstream OSS releases, define build steps, and keep the catalogue current - and shaping the templates and tooling others use to do the sameAdapting upstream Helm charts (cert-manager, grafana, mongodb, kyverno, istio, and many more) to work with DHI images - handling security constraints, non-root contexts, and Kubernetes compatibility concerns, and codifying the patterns that make this repeatableDriving security hardening strategy - leading CVE triage approaches, hardening decisions, and supply chain posture (Sigstore, SBOM, SLSA) across the catalogue, not just individual imagesDesigning and writing Go-based integration test infrastructure that validates images and charts behave correctly in real Kubernetes environments, and improving the harness others build onRaising the bar through review and mentorship - reviewing peers' definition and chart PRs, catching subtle issues before they reach customers, and helping other engineers grow into harder problemsPartnering across teams with product, security, and customer-facing functions to translate customer needs and regulatory pressures into catalogue priorities and technical decisionsEngaging upstream - representing DHI in upstream OSS communities (chart maintainers, project maintainers) on issues that affect security-hardened deploymentsTake part in the paid on-call rotation for the team; respond to incidents, debug production issues, and drive continuous improvement of system reliabilityQualifications8+ years of backend engineering experience with production-grade systemsBachelor’s degree in Computer Science, Engineering, or a related field, or equivalent practical experienceDeep expertise in the container and Kubernetes ecosystem - you have strong opinions about cert-manager, kyverno, grafana, istio, and similar projects, you've debugged them in production-shaped environments, and you can navigate upstream Helm chart source and project internals fluentlyMastery of YAML as a working medium - you've designed conventions and structures that other engineers work within, not just authored within someone else's conventionsStrong container security background - non-root users, UID/GID, image layers, multi-arch builds, and supply chain concepts (provenance, attestation, SBOM, signing) are second nature, and you can reason about tradeoffs at the catalogue levelGo ability sufficient to design test infrastructure - you can write and review integration test code and shape the harness, even if you're not building distributed systemsA maintainer mindset, applied at scale - you take pride in consistency, catch drift from patterns, and think about how a change to one image or chart ripples across dozens of others and out to customersStrong technical judgment in ambiguous situations - comfort making and defending decisions where there's no perfect answer (e.g., how aggressively to deviate from upstream, when to absorb a breaking change vs. pin)Track record of technical influence without authority - you've raised the quality bar on a team through review, design docs, mentorship, and well-chosen conventionsDeep familiarity with GitHub-heavy open source workflows - PRs, upstream tracking, monorepo conventions, and the social side of engaging with upstream maintainersBonus but not requiredExperience as a package maintainer (any Linux distribution, Homebrew, etc.)Helm chart authorship or contribution experienceHands-on experience with supply chain tooling (Sigstore, SBOM, SLSA) - ideally having implemented or operationalized themExperience in a regulated or security-conscious environment (FedRAMP, FIPS, PCI, regulated industries)Prior Staff-level IC experience on a platform, security, or developer-tools teamDocker considers visa sponsorship on a case-by-case basis based on business needs.We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on April 13, 2024.Please see the independent bias audit report covering our use of Covey here.PerksFreedom & flexibility; fit your work around your lifeDesignated quarterly Whaleness Days plus end of year Whaleness breakHome office setup; we want you comfortable while you work16 weeks of paid Parental leave (after 6 months of employment)Technology stipend equivalent to $100 USD net/monthPTO plan that encourages you to take time to do the things you enjoyTraining stipend for conferences, courses and classesEquity; we are a growing start-up and want all employees to have a share in the success of the companyDocker SwagMedical benefits, retirement and holidays vary by countryRemote-first culture, with offices in Seattle and ParisDocker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.#LI-REMOTE