How to Streamline Container Security with Docker Hardened Images and Mend.io
Introduction
Container security can quickly become a bottleneck when developers are buried under thousands of false-positive vulnerability alerts. The integration between Docker Hardened Images (DHI) and Mend.io offers a streamlined approach to cut through the noise. By automatically separating base-image vulnerabilities from application-layer risks and leveraging VEX statements, this solution lets your team focus on the few truly exploitable threats. This guide walks you through implementing the integration, from zero-configuration setup to automated patching, so you can reclaim developer hours without sacrificing security.
What You Need
- A Mend.io account (Business or Enterprise tier recommended for workflow automation)
- A Docker Hub account with access to Docker Hardened Images (DHI) – Enterprise plan required for automated mirroring
- Containers already built using standard Docker images (or legacy Dockerfiles ready for migration)
- Basic familiarity with vulnerability scanning and CI/CD pipelines
- Optional: Jira or email integration for alerting
Step-by-Step Guide
Step 1: Enable Zero-Configuration Detection
The hallmark of this integration is that it requires no manual tagging or configuration. Mend.io automatically identifies DHI base images the moment you scan a container.
- Push your container images to any registry accessible by Mend.io (e.g., Docker Hub, private registries).
- Initiate a scan from the Mend.io dashboard or via CLI/API – the system will detect if the base image is a Docker Hardened Image without any extra flags.
- Verify detection by checking the Mend UI: DHI-protected packages display a dedicated Docker icon along with informative tooltips, providing immediate transparency into which components are managed by Docker’s hardened foundation.
Step 2: Inspect Vulnerabilities by Layer
Transparency is key to trust. Mend.io lets you inspect findings by package, layer, and risk factor, ensuring a clear audit trail from the base OS to custom application binaries.
- Open a scan report in Mend.io and navigate to the "Packages" or "Vulnerabilities" tab.
- Use the layer filter to separate base-image components from custom application dependencies.
- Review the tooltip for each DHI package – it explains that the vulnerability is either already patched by Docker or is non-exploitable in context.
Step 3: Apply Dynamic Risk Triage Using VEX + Reachability
Standard scanners often flag thousands of vulnerabilities that exist in the filesystem but are never executed. This integration uses two layers of intelligence to filter the noise.
- Risk Factor Integration: Mend.io automatically incorporates Docker’s VEX (Vulnerability Exploitability eXchange) data as a primary source for identifying true risk. A CVE marked as
not_affectedby Docker is deprioritized. - Reachability Analysis: Even if a CVE is marked affected, Mend’s own reachability engine checks whether the vulnerable code path is actually invoked in your application. If unreachable, the finding is also deprioritized.
- Both filters work together to produce a clean list of actionable vulnerabilities.
Step 4: Bulk Suppress Non-Exploitable Risks
Once Mend.io marks findings as non-exploitable (via VEX or unreachability), you can suppress them in bulk – potentially clearing thousands of false positives with a single click.
- From the vulnerability list, use the "Suppress" action with filters for "Not Affected" or "Unreachable."
- Confirm the suppression – these CVEs will be hidden from future scans unless their status changes.
- Focus your team’s attention on the remaining ~1% of high-severity, reachable, exploitable risks found in custom application layers.
Step 5: Operationalize Security with Workflows
Move beyond scanning into automated governance by configuring Mend.io workflows.
- SLA and Violation Management: Set remediation deadlines (SLAs) based on vulnerability severity. Mend.io automatically triggers violations if fixes are overdue.
- Custom Alerts: Configure notifications via email or Jira when a new DHI image is added to your environment, or when critical vulnerabilities are found in custom code.
- Pipeline Gating: Use Mend’s workflow engine to fail CI/CD builds only when high-risk, reachable vulnerabilities are introduced in custom code. This keeps your pipeline moving while preventing dangerous releases.
Step 6: Automate Continuous Patching
For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io verifies the updates, confirming that base-level risks have been mitigated without requiring a manual pull request.
- Ensure your Docker Hub account is linked to Mend.io under the “Integrations” settings.
- Enable the automatic mirroring option for DHI images – new patches will sync silently.
- In Mend.io, check the “Mirrored” status for a DHI package; if a CVE was patched upstream, Mend will mark it as resolved.
Step 7: Migrate Legacy Applications with AI Assistance
Leverage Ask Gordon, Docker’s AI agent, to analyze existing Dockerfiles and recommend the most suitable DHI foundation for legacy applications – reducing the friction of migration.
- Run the Ask Gordon analysis on your legacy Dockerfile (available via Docker Desktop or CLI).
- Receive recommendations for a specific Docker Hardened Image tag that matches your application’s dependencies.
- Update your Dockerfile to use the recommended DHI, then re-scan with Mend.io to confirm that base-image vulnerabilities are resolved.
Tips for Success
- Start with a pilot project – Choose one container image to test the full flow from zero-config detection to bulk suppression before rolling out across your organization.
- Communicate with developers – Explain that suppressed vulnerabilities are not ignored; they are safely deprioritized based on Docker’s VEX and Mend’s reachability analysis. This builds trust in the process.
- Review SLA settings regularly – As your application evolves, some vulnerabilities may become reachable. Periodically re-run Mend’s reachability analysis and adjust SLAs accordingly.
- Combine with CI/CD policies – Use pipeline gating sparingly at first to avoid developer frustration. Gradually tighten rules as the team adapts.
- Monitor the “DHI protected” count – A growing number indicates you are successfully shifting security left into Docker’s hardened base images.
- Leverage Ask Gordon for older projects – Legacy Dockerfiles often contain outdated base images; AI-assisted migration can modernize them with minimal effort.