
Smart Vulnerability Prioritization for Docker: Q&A with Mend.io

Asked 2026-05-02 03:31:56 Category: Cybersecurity

Container scans routinely bury teams under thousands of findings for packages that are present in an image but never exploitable in the way the image is run. The new integration between Mend.io and Docker Hardened Images (DHI) addresses this by automatically separating base image findings from application-layer findings. Using Docker’s VEX statements for the hardened base and Mend’s reachability analysis for the application code, it surfaces only the vulnerabilities that are both present and exploitable. Below, we answer the most common questions about this zero-configuration, risk-focused approach.

What is the Mend.io and Docker Hardened Images integration?

The integration combines Mend.io’s application security platform with Docker Hardened Images (DHI) to create a streamlined container security workflow. Instead of manually tagging or configuring base images, Mend.io automatically detects DHI base images during scanning. It then applies Docker’s Vulnerability Exploitability eXchange (VEX) statements for that base image, so a CVE that Docker has assessed as not_affected is classified accordingly instead of being reported as an open finding. This lets teams focus on real threats in their own application layers rather than re-triaging base OS findings that Docker has already assessed. The result is a unified view of risk where every vulnerability is contextualized: is it in a hardened, Docker-managed layer? Does a Docker VEX statement cover it? Is it reachable from the application’s code? The integration works out of the box, requiring no extra setup, and it keeps the CI/CD pipeline moving by filtering out the noise.

Smart Vulnerability Prioritization for Docker: Q&A with Mend.io
Source: www.docker.com

How does the zero-configuration setup work?

The hallmark of this integration is its zero-configuration nature. When Mend.io scans a container image, it automatically identifies which packages come from Docker Hardened Images; no manual tagging or configuration is required. Developers simply run their scans as usual, and Mend.io recognizes the DHI base image by comparing the image’s layers against Docker’s published hardened builds. Packages introduced by those base layers are attributed to Docker, while packages the Dockerfile adds on top of them are attributed to the application. You get this classification without adding a single line of YAML or creating custom rules, so teams can start prioritizing real risks from the first scan. For enterprises using private Docker Hub repositories, the integration also mirrors updated DHI patches automatically, so the base image stays current without manual intervention.
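The layer comparison described above, as an added example that is not Mend.io’s or Docker’s own code: an image built FROM a hardened base starts with exactly that base’s layers, so a scanner can match the image’s ordered layer digests against a catalog of hardened builds and attribute each package to the base or to the custom layers above it. The catalog, the layer digests, the `Finding` shape and the image references here are constructed assumptions; real digests come from the image config’s `rootfs.diff_ids`.

```python
"""Attribute scanner findings to a hardened base image or to custom layers.

Added example, not Mend.io's or Docker's own code. It assumes the scanner
knows which layer introduced each package (the layer index) and that a
catalog of hardened images is available; the catalog, the layer digests and
the image references below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed catalog: hardened image reference -> ordered layer diff IDs.
# A real implementation would fetch these from the registry or a signed index.
HARDENED_CATALOG: Dict[str, List[str]] = {
    "dhi/python:3.12": ["sha256:aaa1", "sha256:aaa2", "sha256:aaa3"],
    "dhi/python:3.12-dev": ["sha256:aaa1", "sha256:aaa2", "sha256:aaa3", "sha256:aaa4"],
    "dhi/node:20": ["sha256:bbb1", "sha256:bbb2"],
}


@dataclass(frozen=True)
class Finding:
    package: str        # package name as reported by the scanner
    version: str
    layer_index: int    # 0-based index of the layer that introduced the package


@dataclass(frozen=True)
class BaseMatch:
    image_ref: Optional[str]    # None when no hardened image matches
    layer_count: int            # how many leading layers belong to the base


def detect_base(image_layers: List[str]) -> BaseMatch:
    """Pick the catalog image whose layer list is the longest prefix of image_layers.

    Layers are ordered bottom-up, so an image built FROM a hardened base starts
    with exactly that base's layers. Preferring the longest match keeps a '-dev'
    variant that extends the runtime variant from being misreported as the
    shorter runtime image.
    """
    best = BaseMatch(None, 0)
    for ref, base_layers in HARDENED_CATALOG.items():
        n = len(base_layers)
        if n > best.layer_count and image_layers[:n] == base_layers:
            best = BaseMatch(ref, n)
    return best


def attribute_findings(image_layers: List[str],
                       findings: List[Finding]) -> Tuple[BaseMatch, Dict[str, str]]:
    """Return the base match and a map of 'package@version' -> 'dhi' | 'custom'."""
    base = detect_base(image_layers)
    origin: Dict[str, str] = {}
    for f in findings:
        key = f"{f.package}@{f.version}"
        # Only layers below the base boundary are Docker-managed. Everything the
        # Dockerfile added on top, including a second copy of a base package, is
        # the application team's responsibility.
        origin[key] = "dhi" if f.layer_index < base.layer_count else "custom"
    return base, origin


if __name__ == "__main__":
    layers = ["sha256:aaa1", "sha256:aaa2", "sha256:aaa3", "sha256:ccc1"]
    sample = [Finding("openssl", "3.0.13", 1), Finding("requests", "2.31.0", 3)]
    print(attribute_findings(layers, sample))
```

When no catalog entry matches, `layer_count` is 0 and every package is treated as custom, which is the safe default: nothing gets Docker’s VEX treatment unless the base is positively identified.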

How does the integration prioritize vulnerabilities using VEX and reachability?

Standard scanners often flag thousands of vulnerabilities in packages that exist in the file system but are never executed. This integration uses two layers of evidence to filter that noise. First, Mend.io incorporates Docker’s VEX data as a primary risk factor. A VEX statement names a product, a vulnerability and a status; if Docker states that a CVE is not_affected in the hardened base image (with a justification such as the vulnerable code not being in the execute path), Mend deprioritizes it. Because the statement describes Docker’s build of the base image, it applies to the package in the hardened layer, not to a copy of the same package that the application layer installs itself. Second, Mend’s own reachability analysis checks whether a call path from the application’s code leads to the vulnerable function. If no such path exists, the finding is also deprioritized. By combining VEX with reachability, developers see only the roughly 1% of vulnerabilities that are both present and exploitable in custom layers, dramatically reducing the backlog and allowing teams to focus on genuine security fixes.
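The two-layer filter above, as an added example that is not Mend.io’s or Docker’s implementation: an OpenVEX document is indexed by (product, CVE), its statements are applied only to findings in hardened layers, and reachability results decide the rest. The VEX document is constructed but uses the published OpenVEX field names (`statements`, `vulnerability.name`, `products[].@id`, `status`, `justification`); the finding shape, the reachability table, the package URLs and the tier names are assumptions for this example.

```python
"""Rank container findings with an OpenVEX document plus reachability results.

Added example, not Mend.io's or Docker's implementation. The VEX document is
constructed but uses the published OpenVEX field names (statements,
vulnerability.name, products[].@id, status, justification). The finding
shape, the reachability table and the tier names are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed OpenVEX document, as a hardened base image publisher might ship it.
VEX_JSON = r'''{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/base-2025-01-01",
  "author": "Example Base Image Publisher",
  "timestamp": "2025-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2024-0001"},
     "products": [{"@id": "pkg:deb/debian/libfoo@1.2.3"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2024-0002"},
     "products": [{"@id": "pkg:deb/debian/libbar@2.0.0"}], "status": "fixed"},
    {"vulnerability": {"name": "CVE-2024-0003"},
     "products": [{"@id": "pkg:deb/debian/libbaz@4.0.0"}], "status": "affected"}
  ]
}'''

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TIER_ORDER = {"actionable": 0, "deprioritized": 1, "suppressed": 2}


@dataclass(frozen=True)
class Finding:
    purl: str
    cve: str
    severity: str
    origin: str  # "dhi" for a hardened base layer, "custom" for application layers


# Constructed scanner output. The last entry is the same package and CVE as the
# first, but installed a second time by the application's own Dockerfile.
FINDINGS = [
    Finding("pkg:deb/debian/libfoo@1.2.3", "CVE-2024-0001", "critical", "dhi"),
    Finding("pkg:deb/debian/libbar@2.0.0", "CVE-2024-0002", "high", "dhi"),
    Finding("pkg:deb/debian/libbaz@4.0.0", "CVE-2024-0003", "high", "dhi"),
    Finding("pkg:pypi/examplelib@1.0.0", "CVE-2024-0004", "high", "custom"),
    Finding("pkg:pypi/otherlib@3.1.0", "CVE-2024-0005", "medium", "custom"),
    Finding("pkg:deb/debian/libfoo@1.2.3", "CVE-2024-0001", "critical", "custom"),
]

# Constructed reachability results: True if a call path from the application
# reaches the vulnerable function, False if none was found. A missing entry
# means the analysis could not decide (e.g. for native OS packages).
REACHABLE: Dict[Tuple[str, str], bool] = {
    ("pkg:pypi/examplelib@1.0.0", "CVE-2024-0004"): True,
    ("pkg:pypi/otherlib@3.1.0", "CVE-2024-0005"): False,
}


def load_vex(text: str) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    """Index OpenVEX statements as (product id, CVE) -> (status, justification)."""
    index = {}
    for st in json.loads(text)["statements"]:
        for product in st["products"]:
            index[(product["@id"], st["vulnerability"]["name"])] = (st["status"], st.get("justification"))
    return index


def triage(findings, vex, reachable):
    """Give each finding a tier and the evidence behind it, most urgent first."""
    rows = []
    for f in findings:
        key, tier, reasons = (f.purl, f.cve), "actionable", []
        # The publisher's VEX describes its own build of the base image, so it is
        # applied only to hardened-layer findings, never to a copy of the same
        # package that the application layer installed itself.
        if f.origin == "dhi" and key in vex:
            status, justification = vex[key]
            reasons.append(f"vex:{status}" + (f"/{justification}" if justification else ""))
            if status in ("not_affected", "fixed"):
                tier = "suppressed"
        path = reachable.get(key)
        if path is True:
            reasons.append("reachable")
        elif path is False:
            reasons.append("unreachable")
            tier = "deprioritized" if tier == "actionable" else tier
        else:
            reasons.append("reachability:unknown")  # undecided stays actionable
        rows.append({"purl": f.purl, "cve": f.cve, "severity": f.severity,
                     "origin": f.origin, "tier": tier, "reason": ",".join(reasons)})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -SEVERITY_RANK[r["severity"]]))
    return rows


def actionable(findings=FINDINGS, vex_text=VEX_JSON, reachable=REACHABLE):
    return [r for r in triage(findings, load_vex(vex_text), reachable) if r["tier"] == "actionable"]


if __name__ == "__main__":
    for r in triage(FINDINGS, load_vex(VEX_JSON), REACHABLE):
        print(f'{r["tier"]:13} {r["severity"]:8} {r["origin"]:6} {r["cve"]} {r["purl"]} [{r["reason"]}]')
```

Two design choices carry the security weight: a VEX `fixed` status is treated like `not_affected` (the scanner matched a version string that the publisher has backported a fix into), and a finding with no reachability verdict stays actionable rather than being waved through. The duplicate libfoo entry shows the caveat from the answer above: the same CVE is suppressed in the hardened layer and remains actionable in the custom layer, because Docker’s statement does not cover the application’s own install.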

What visual indicators and transparency do developers get?

Within the Mend.io user interface, packages that come from Docker Hardened Images are clearly marked with a dedicated Docker icon and informative tooltips. This gives immediate transparency into which components are managed by Docker’s hardened foundation versus custom application code. Developers can drill down and inspect findings by package, layer, and risk factor, which gives a clear audit trail from the base OS to their custom binaries. For example, a vulnerability in the base OS layer shows the Docker icon and its VEX status, while a vulnerability in the application layer is displayed without the icon, indicating that it is the team’s own risk. This visual clarity helps teams quickly decide whether to suppress known non-exploitable findings or escalate real threats, all without leaving the Mend platform.


How can security be operationalized with workflows?

Mend.io enables organizations to move beyond simple scanning into automated governance through customizable workflows. You can define service level agreements (SLAs) and violation triggers based on vulnerability severity, reachability and layer origin. For instance, if a critical, reachable vulnerability appears in a custom layer, the workflow can automatically fail the build or send an alert. Conversely, if the vulnerability is in a DHI layer and marked not_affected, the workflow can ignore it. You can also configure alerts via email or Jira whenever a new DHI image is added to the environment. Pipeline gating becomes smarter: builds fail only when high-risk, reachable vulnerabilities are introduced in custom code, so the CI/CD pipeline keeps moving even when base image findings are detected. When writing such rules, treat a finding whose reachability could not be determined as reachable; otherwise a gap in the analysis silently passes the gate. This operational intelligence turns security data into actionable governance rules.

How does bulk suppression of non-exploitable vulnerabilities work?

One of the most powerful features is the ability to suppress non-exploitable findings in bulk. With a single click, developers can clear thousands of non-exploitable vulnerabilities: those marked not_affected by Docker’s VEX data or Unreachable by Mend’s analysis. This bulk suppression operates on entire categories, for example all CVEs in the DHI base layer that Docker has declared not exploitable. Instead of manually reviewing and dismissing each one, teams can trust the automated classification and move on. The result is that only the roughly 1% of reachable, exploitable risks in custom layers remain active. This dramatically reduces vulnerability backlogs and frees developer hours for actual security fixes, while still maintaining an accurate audit trail of what was suppressed and why. Because each suppression rests on a specific piece of evidence, it should be revisited when that evidence changes, for example when a later code change makes a previously unreachable function reachable.
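The gating rules from the workflow answer and the bulk suppression described here, as one added example that is not Mend.io’s workflow engine: a gate that blocks only on open, custom-layer, severe, not-shown-unreachable findings, a category-based bulk suppression that writes an audit record with the evidence it relied on, and a check that flags suppressions whose evidence no longer holds. The findings are constructed and already carry the layer origin, VEX status and reachability verdict a scanner would attach; the policy thresholds, category names and audit record shape are assumptions.

```python
"""Pipeline gate and bulk suppression over triaged findings, with an audit trail.

Added example, not Mend.io's workflow engine. The findings are constructed and
already carry the layer origin, VEX status and reachability result a scanner
would attach; the policy thresholds, category names and audit record shape
are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    id: str
    cve: str
    severity: str
    origin: str                 # "dhi" or "custom"
    vex_status: Optional[str]   # e.g. "not_affected", "affected"; None if no statement
    reachable: Optional[bool]   # None when the analysis could not decide
    state: str = "open"         # "open" or "suppressed"


@dataclass
class Policy:
    fail_on: str = "high"                     # lowest severity that may block a build
    unknown_reachability_blocks: bool = True  # treat undecided reachability as reachable


def sample_findings() -> List[Finding]:
    """Constructed scan result; a fresh list each call because suppression mutates state."""
    return [
        Finding("F1", "CVE-2024-0001", "critical", "dhi", "not_affected", None),
        Finding("F2", "CVE-2024-0003", "high", "dhi", "affected", None),
        Finding("F3", "CVE-2024-0004", "high", "custom", None, True),
        Finding("F4", "CVE-2024-0005", "medium", "custom", None, False),
        Finding("F5", "CVE-2024-0006", "high", "custom", None, False),
        Finding("F6", "CVE-2024-0007", "critical", "custom", None, None),
    ]


def blocking(f: Finding, policy: Policy) -> bool:
    """Only an open, custom-layer finding that is severe enough and not shown to be
    unreachable blocks. DHI-layer findings never block here: they are fixed by the
    mirrored base image updates, not by the application team's build."""
    if f.state != "open" or f.origin != "custom":
        return False
    if SEVERITY_RANK[f.severity] < SEVERITY_RANK[policy.fail_on]:
        return False
    if f.reachable is None:
        return policy.unknown_reachability_blocks
    return f.reachable


def evaluate_gate(findings: List[Finding], policy: Policy = Policy()):
    """Return (passed, ids of blocking findings)."""
    blockers = [f.id for f in findings if blocking(f, policy)]
    return (not blockers, blockers)


SUPPRESSION_RULES = {
    "vex_not_affected": lambda f: f.origin == "dhi" and f.vex_status == "not_affected",
    "unreachable": lambda f: f.reachable is False,
}


def evidence(f: Finding) -> dict:
    return {"origin": f.origin, "vex_status": f.vex_status, "reachable": f.reachable}


def bulk_suppress(findings: List[Finding], category: str, actor: str) -> List[dict]:
    """Suppress every open finding matching one category and return audit records.
    Each record stores the evidence the decision rested on, so it can be re-checked."""
    if category not in SUPPRESSION_RULES:
        raise ValueError(f"unknown suppression category: {category}")
    now = datetime.now(timezone.utc).isoformat()
    records = []
    for f in findings:
        if f.state == "open" and SUPPRESSION_RULES[category](f):
            f.state = "suppressed"
            records.append({"finding": f.id, "cve": f.cve, "category": category,
                            "actor": actor, "at": now, "evidence": evidence(f)})
    return records


def stale_suppressions(findings: List[Finding], records: List[dict]) -> List[str]:
    """IDs whose recorded evidence no longer matches the finding, e.g. a package that
    became reachable after a code change. Reopen these instead of trusting the old decision."""
    by_id = {f.id: f for f in findings}
    return [rec["finding"] for rec in records
            if rec["finding"] not in by_id or evidence(by_id[rec["finding"]]) != rec["evidence"]]


if __name__ == "__main__":
    fs = sample_findings()
    print("gate:", evaluate_gate(fs))
    audit = bulk_suppress(fs, "vex_not_affected", "ci-bot") + bulk_suppress(fs, "unreachable", "ci-bot")
    print("suppressed:", [r["finding"] for r in audit])
    fs[4].reachable = True  # F5 becomes reachable after a code change
    print("stale:", stale_suppressions(fs, audit))
```

Note that the suppression categories are deliberately narrower than the gate: `vex_not_affected` only ever matches hardened-layer findings, so a second copy of a base package installed by the application is never silenced by Docker’s statement, and bulk suppression can never hide a finding the gate would block.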

What about continuous patching and AI-assisted migration?

For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io then verifies these updates, confirming that base-level risks have been mitigated without requiring a manual pull request. This automated synchronization ensures that you always run the latest hardened base. For migration, Docker’s AI agent “Ask Gordon” analyzes existing Dockerfiles and recommends the most suitable DHI foundation. Gordon can suggest, for example, replacing a generic Ubuntu image with a hardened equivalent, reducing the friction of moving legacy applications to a more secure base. Combined with Mend’s automated vulnerability checks, teams can confidently adopt DHI and continuously receive security patches without disrupting development velocity.