Cmcsport
2026-05-02
Cybersecurity

How to Streamline Container Security with Docker Hardened Images and Mend.io

Learn how to integrate Docker Hardened Images with Mend.io to automatically prioritize real vulnerabilities, reduce noise, and reclaim developer hours.

Introduction

Container security can quickly become a bottleneck when developers are buried under thousands of false-positive vulnerability alerts. The integration between Docker Hardened Images (DHI) and Mend.io offers a streamlined approach to cut through the noise. By automatically separating base-image vulnerabilities from application-layer risks and leveraging VEX statements, this solution lets your team focus on the few truly exploitable threats. This guide walks you through implementing the integration, from zero-configuration setup to automated patching, so you can reclaim developer hours without sacrificing security.

How to Streamline Container Security with Docker Hardened Images and Mend.io
Source: www.docker.com

What You Need

  • A Mend.io account (Business or Enterprise tier recommended for workflow automation)
  • A Docker Hub account with access to Docker Hardened Images (DHI) – Enterprise plan required for automated mirroring
  • Containers already built using standard Docker images (or legacy Dockerfiles ready for migration)
  • Basic familiarity with vulnerability scanning and CI/CD pipelines
  • Optional: Jira or email integration for alerting

Step-by-Step Guide

Step 1: Enable Zero-Configuration Detection

The hallmark of this integration is that it requires no manual tagging or configuration. Mend.io automatically identifies DHI base images the moment you scan a container.

  • Push your container images to any registry accessible by Mend.io (e.g., Docker Hub, private registries).
  • Initiate a scan from the Mend.io dashboard or via CLI/API – the system will detect if the base image is a Docker Hardened Image without any extra flags.
  • Verify detection by checking the Mend UI: DHI-protected packages display a dedicated Docker icon along with informative tooltips, providing immediate transparency into which components are managed by Docker’s hardened foundation.

Step 2: Inspect Vulnerabilities by Layer

Transparency is key to trust. Mend.io lets you inspect findings by package, layer, and risk factor, ensuring a clear audit trail from the base OS to custom application binaries.

  • Open a scan report in Mend.io and navigate to the "Packages" or "Vulnerabilities" tab.
  • Use the layer filter to separate base-image components from custom application dependencies.
  • Review the tooltip for each DHI package – it explains that the vulnerability is either already patched by Docker or is non-exploitable in context.
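The layer filter in this step rests on one property of container images: an image built FROM a base carries the base image's layers, in order, as a prefix of its own layer list (the diff_ids that `docker image inspect` reports under RootFS.Layers). The following Python script is an added example, not Mend.io or Docker code; it uses constructed layer ids and a constructed package list to show how a scanner can attribute each package to the hardened base or to your own layers, and why a package the base shipped can still show up on the application side.

```python
"""Attribute scanned packages to the hardened base image or to application layers.

Added example, not Mend.io or Docker code. It models the layer filter with
the only data it needs: the ordered layer diff_ids of the base and of the
application image, and the layer in which each scanned package's files were
last written. A package whose layer is inside the base prefix belongs to the
base; anything else belongs to the application.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed diff_ids (real ones are sha256 digests of the layer tarballs).
BASE_IMAGE_LAYERS = ["sha256:base-0", "sha256:base-1"]
APP_IMAGE_LAYERS = ["sha256:base-0", "sha256:base-1", "sha256:app-0", "sha256:app-1"]


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    layer: str  # diff_id of the layer that last wrote this package's files


# Constructed scanner output. libssl-like appears twice on purpose: the base
# ships 3.0.1 and an application layer installed 3.0.2 over it, so the copy
# that actually runs is the application's responsibility.
PACKAGES = [
    Package("libc-like", "2.38", "sha256:base-0"),
    Package("libssl-like", "3.0.1", "sha256:base-1"),
    Package("libssl-like", "3.0.2", "sha256:app-0"),
    Package("my-web-app", "1.4.0", "sha256:app-1"),
]


def is_built_from(base_layers: List[str], image_layers: List[str]) -> bool:
    """True when the image's layer list starts with the complete base layer list."""
    return len(image_layers) >= len(base_layers) and image_layers[: len(base_layers)] == base_layers


def split_by_layer(
    packages: List[Package], base_layers: List[str], image_layers: List[str]
) -> Dict[str, List[Package]]:
    """Partition packages into 'base' and 'app' buckets; refuse if the base does not match."""
    if not is_built_from(base_layers, image_layers):
        raise ValueError("image was not built from the given base image")
    base_set = set(base_layers)
    result: Dict[str, List[Package]] = {"base": [], "app": []}
    for pkg in packages:
        if pkg.layer not in image_layers:
            raise ValueError(f"{pkg.name}: layer {pkg.layer} is not part of the image")
        result["base" if pkg.layer in base_set else "app"].append(pkg)
    return result


if __name__ == "__main__":
    buckets = split_by_layer(PACKAGES, BASE_IMAGE_LAYERS, APP_IMAGE_LAYERS)
    for bucket, pkgs in buckets.items():
        print(bucket, [f"{p.name}@{p.version}" for p in pkgs])
```

The prefix check is the important guard: if the application image was rebuilt on a different base, none of the base's VEX or patch status applies to it, so the split refuses rather than silently attributing everything to the application. The duplicated libssl-like package also shows why the tooltip in the Mend UI should be read per package copy, not per package name.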

Step 3: Apply Dynamic Risk Triage Using VEX + Reachability

Standard scanners often flag thousands of vulnerabilities that exist in the filesystem but are never executed. This integration uses two layers of intelligence to filter the noise.

  • Risk Factor Integration: Mend.io automatically incorporates Docker’s VEX (Vulnerability Exploitability eXchange) data as a primary source for identifying true risk. A CVE marked as not_affected by Docker is deprioritized.
  • Reachability Analysis: Even if a CVE is marked affected, Mend’s own reachability engine checks whether the vulnerable code path is actually invoked in your application. If unreachable, the finding is also deprioritized.
  • Both filters work together to produce a clean list of actionable vulnerabilities.

Step 4: Bulk Suppress Non-Exploitable Risks

Once Mend.io marks findings as non-exploitable (via VEX or unreachability), you can suppress them in bulk – potentially clearing thousands of false positives with a single click.

  • From the vulnerability list, use the "Suppress" action with filters for "Not Affected" or "Unreachable."
  • Confirm the suppression – these CVEs will be hidden from future scans unless their status changes.
  • Focus your team’s attention on the remaining ~1% of high-severity, reachable, exploitable risks found in custom application layers.

Step 5: Operationalize Security with Workflows

Move beyond scanning into automated governance by configuring Mend.io workflows.

  • SLA and Violation Management: Set remediation deadlines (SLAs) based on vulnerability severity. Mend.io automatically triggers violations if fixes are overdue.
  • Custom Alerts: Configure notifications via email or Jira when a new DHI image is added to your environment, or when critical vulnerabilities are found in custom code.
  • Pipeline Gating: Use Mend’s workflow engine to fail CI/CD builds only when high-risk, reachable vulnerabilities are introduced in custom code. This keeps your pipeline moving while preventing dangerous releases.
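Steps 3 to 5 describe one pipeline: read the base image's VEX statements, deprioritize CVEs marked not_affected or fixed, deprioritize findings the reachability engine shows are never called, and fail the build only on what remains in custom layers. The Python script below is an added example, not Mend.io or Docker code, that carries those rules through on a constructed OpenVEX document and a constructed scanner result. The CVE ids, package names and the `pkg:oci/...` product id are placeholders; the OpenVEX field names (`statements`, `vulnerability.name`, `products[].@id`, `status`, `justification`) follow the published OpenVEX specification.

```python
"""Deprioritize findings with VEX status and reachability, then gate a build.

Added example, not Mend.io or Docker code. CVE ids, package names and the
OpenVEX product id are constructed placeholders.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder identity of the hardened base image, as a package URL (constructed).
BASE_IMAGE_ID = "pkg:oci/hardened-base@sha256:0000"

# Constructed OpenVEX document standing in for the VEX data a hardened image ships with.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/hardened-base-1",
    "author": "base image maintainer (placeholder)",
    "timestamp": "2026-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-1001"}, "products": [{"@id": BASE_IMAGE_ID}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-1002"}, "products": [{"@id": BASE_IMAGE_ID}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-1003"}, "products": [{"@id": BASE_IMAGE_ID}],
         "status": "affected"},
        # A statement about a different product must not apply to our base image.
        {"vulnerability": {"name": "CVE-0000-2001"}, "products": [{"@id": "pkg:oci/other@sha256:ffff"}],
         "status": "not_affected", "justification": "component_not_present"},
    ],
})


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str              # critical | high | medium | low
    layer: str                 # "base" (hardened image) or "app" (your own layers)
    reachable: Optional[bool]  # None when no reachability data exists


# Constructed scanner output for one application image.
FINDINGS = [
    Finding("CVE-0000-1001", "libfoo", "high", "base", None),
    Finding("CVE-0000-1002", "libbar", "critical", "base", None),
    Finding("CVE-0000-1003", "libbaz", "medium", "base", False),
    Finding("CVE-0000-1001", "libfoo", "high", "app", True),       # vendored copy in an app layer
    Finding("CVE-0000-2001", "web-framework-like", "critical", "app", True),
    Finding("CVE-0000-2002", "helper-lib-like", "low", "app", True),
    Finding("CVE-0000-2003", "orm-like", "critical", "app", None),
]

DEPRIORITIZING_STATUSES = {"not_affected", "fixed"}


def load_vex_statuses(doc_json: str, product_id: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map CVE id -> (status, justification) for statements that name product_id."""
    statuses: Dict[str, Tuple[str, Optional[str]]] = {}
    for stmt in json.loads(doc_json).get("statements", []):
        if product_id in {p["@id"] for p in stmt.get("products", [])}:
            statuses[stmt["vulnerability"]["name"]] = (stmt["status"], stmt.get("justification"))
    return statuses


def triage(findings: List[Finding], vex: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, list]:
    """Split findings into actionable ones and suppressed ones, each with its reason."""
    actionable, suppressed = [], []
    for f in findings:
        # The base image's VEX speaks only for the base image's own packages;
        # a vendored copy of the same library in an app layer is not covered.
        status = vex.get(f.cve, (None, None))[0] if f.layer == "base" else None
        if status in DEPRIORITIZING_STATUSES:
            suppressed.append((f, f"vex:{status}"))
        elif f.reachable is False:
            suppressed.append((f, "unreachable"))
        else:
            actionable.append(f)  # reachable, or reachability unknown (kept conservatively)
    return {"actionable": actionable, "suppressed": suppressed}


def gate_build(actionable: List[Finding], fail_on=frozenset({"critical", "high"})) -> bool:
    """True when CI should fail: a high-risk finding in application layers that is not known to be unreachable."""
    return any(f.layer == "app" and f.severity in fail_on for f in actionable)


if __name__ == "__main__":
    vex = load_vex_statuses(OPENVEX_DOC, BASE_IMAGE_ID)
    result = triage(FINDINGS, vex)
    for f, reason in result["suppressed"]:
        print(f"suppress {f.cve} in {f.package} ({f.layer}): {reason}")
    for f in result["actionable"]:
        print(f"action   {f.cve} in {f.package} ({f.layer}, {f.severity})")
    print("fail build:", gate_build(result["actionable"]))
```

Two design choices are worth keeping when you configure the real workflow. First, VEX statements are scoped to a product: the script only honours statements that name the base image, which is why the CVE-0000-2001 statement for another product does nothing and why the vendored libfoo copy in the app layer stays actionable even though the base's copy is not_affected. Second, a finding with no reachability data is kept rather than suppressed, so the gate fails closed on unknowns; bulk suppression in Step 4 should likewise be limited to findings that carry an explicit "Not Affected" or "Unreachable" status.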

Step 6: Automate Continuous Patching

For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io verifies the updates, confirming that base-level risks have been mitigated without requiring a manual pull request.

  • Ensure your Docker Hub account is linked to Mend.io under the “Integrations” settings.
  • Enable the automatic mirroring option for DHI images – new patches will sync silently.
  • In Mend.io, check the “Mirrored” status for a DHI package; if a CVE was patched upstream, Mend will mark it as resolved.

Step 7: Migrate Legacy Applications with AI Assistance

Leverage Ask Gordon, Docker’s AI agent, to analyze existing Dockerfiles and recommend the most suitable DHI foundation for legacy applications – reducing the friction of migration.

  • Run the Ask Gordon analysis on your legacy Dockerfile (available via Docker Desktop or CLI).
  • Receive recommendations for a specific Docker Hardened Image tag that matches your application’s dependencies.
  • Update your Dockerfile to use the recommended DHI, then re-scan with Mend.io to confirm that base-image vulnerabilities are resolved.

Tips for Success

  • Start with a pilot project – Choose one container image to test the full flow from zero-config detection to bulk suppression before rolling out across your organization.
  • Communicate with developers – Explain that suppressed vulnerabilities are not ignored; they are safely deprioritized based on Docker’s VEX and Mend’s reachability analysis. This builds trust in the process.
  • Review SLA settings regularly – As your application evolves, some vulnerabilities may become reachable. Periodically re-run Mend’s reachability analysis and adjust SLAs accordingly.
  • Combine with CI/CD policies – Use pipeline gating sparingly at first to avoid developer frustration. Gradually tighten rules as the team adapts.
  • Monitor the “DHI protected” count – A growing number indicates you are successfully shifting security left into Docker’s hardened base images.
  • Leverage Ask Gordon for older projects – Legacy Dockerfiles often contain outdated base images; AI-assisted migration can modernize them with minimal effort.