<h1>How to Streamline Container Security with Docker Hardened Images and Mend.io</h1>
<h2>Introduction</h2>
<p>Container security can quickly become a bottleneck when developers are buried under thousands of false-positive vulnerability alerts. The integration between <strong>Docker Hardened Images (DHI)</strong> and <strong>Mend.io</strong> offers a streamlined approach to cut through the noise. By automatically separating base-image vulnerabilities from application-layer risks and leveraging VEX statements, this solution lets your team focus on the few truly exploitable threats. This guide walks you through implementing the integration, from zero-configuration setup to automated patching, so you can reclaim developer hours without sacrificing security.</p><figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image.png" alt="How to Streamline Container Security with Docker Hardened Images and Mend.io" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<h2>What You Need</h2>
<ul>
<li>A Mend.io account (Business or Enterprise tier recommended for workflow automation)</li>
<li>A Docker Hub account with access to Docker Hardened Images (DHI) – Enterprise plan required for automated mirroring</li>
<li>Containers already built using standard Docker images (or legacy Dockerfiles ready for migration)</li>
<li>Basic familiarity with vulnerability scanning and CI/CD pipelines</li>
<li>Optional: Jira or email integration for alerting</li>
</ul>
<h2>Step-by-Step Guide</h2>
<h3 id="step1">Step 1: Enable Zero-Configuration Detection</h3>
<p>The hallmark of this integration is that it requires no manual tagging or configuration. Mend.io automatically identifies DHI base images the moment you scan a container.</p>
<ul>
<li>Push your container images to any registry accessible by Mend.io (e.g., Docker Hub, private registries).</li>
<li>Initiate a scan from the Mend.io dashboard or via CLI/API – the system will detect if the base image is a Docker Hardened Image without any extra flags.</li>
<li>Verify detection by checking the Mend UI: DHI-protected packages display a dedicated <strong>Docker icon</strong> along with informative tooltips, providing immediate transparency into which components are managed by Docker’s hardened foundation.</li>
</ul>
<h3 id="step2">Step 2: Inspect Vulnerabilities by Layer</h3>
<p>Transparency is key to trust. Mend.io lets you <strong>inspect findings by package, layer, and risk factor</strong>, ensuring a clear audit trail from the base OS to custom application binaries.</p>
<ul>
<li>Open a scan report in Mend.io and navigate to the "Packages" or "Vulnerabilities" tab.</li>
<li>Use the layer filter to separate base-image components from custom application dependencies.</li>
<li>Review the tooltip for each DHI package – it explains that the vulnerability is either already patched by Docker or is non-exploitable in context.</li>
</ul>
<h3 id="step3">Step 3: Apply Dynamic Risk Triage Using VEX + Reachability</h3>
<p>Standard scanners often flag thousands of vulnerabilities that exist in the filesystem but are never executed. This integration uses <strong>two layers of intelligence</strong> to filter the noise.</p>
<ul>
<li><strong>Risk Factor Integration</strong>: Mend.io automatically incorporates Docker’s VEX (Vulnerability Exploitability eXchange) data as a primary source for identifying true risk. A CVE marked as <code>not_affected</code> by Docker is deprioritized.</li>
<li><strong>Reachability Analysis</strong>: Even if a CVE is marked affected, Mend’s own reachability engine checks whether the vulnerable code path is actually invoked in your application. If unreachable, the finding is also deprioritized.</li>
<li>Both filters work together to produce a clean list of <em>actionable</em> vulnerabilities.</li>
</ul>
<h3 id="step4">Step 4: Bulk Suppress Non-Exploitable Risks</h3>
<p>Once Mend.io marks findings as non-exploitable (via VEX or unreachability), you can <strong>suppress them in bulk</strong> – potentially clearing thousands of false positives with a single click.</p>
<ul>
<li>From the vulnerability list, use the "Suppress" action with filters for "Not Affected" or "Unreachable."</li>
<li>Confirm the suppression – these CVEs will be hidden from future scans unless their status changes.</li>
<li>Focus your team’s attention on the remaining ~1% of high-severity, reachable, exploitable risks found in custom application layers.</li>
</ul>
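<p>The two-layer filter of Step 3 (VEX status first, then reachability) and the bulk suppression of Step 4, as an added Python example that is not Docker's or Mend.io's code. The OpenVEX-style document, the CVE ids, the package URLs and the reachability flags are constructed placeholders.</p>

```python
import json
from collections import Counter

# Constructed OpenVEX-style document standing in for a DHI publisher's VEX feed.
# CVE ids and purls below are placeholders, not real identifiers.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0"}],
         "status": "not_affected", "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:deb/debian/libother@2.3"}], "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:deb/debian/libthird@0.9"}], "status": "affected"},
    ],
})

# Constructed scanner findings; 'reachable' stands in for a reachability-engine verdict.
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:deb/debian/libexample@1.0", "layer": "base", "reachable": True},
    {"cve": "CVE-0000-0002", "purl": "pkg:deb/debian/libother@2.3", "layer": "base", "reachable": True},
    {"cve": "CVE-0000-0003", "purl": "pkg:deb/debian/libthird@0.9", "layer": "base", "reachable": False},
    {"cve": "CVE-0000-0004", "purl": "pkg:npm/app-dep@4.1", "layer": "app", "reachable": True},
    {"cve": "CVE-0000-0005", "purl": "pkg:npm/other-dep@1.2", "layer": "app", "reachable": False},
]

def load_vex_status(vex_json):
    """Index an OpenVEX document as {(cve, product purl): status}."""
    status = {}
    for stmt in json.loads(vex_json)["statements"]:
        for product in stmt["products"]:
            status[(stmt["vulnerability"]["name"], product["@id"])] = stmt["status"]
    return status

def triage(findings, vex_status):
    """VEX first, then reachability. Returns (actionable cves, [(cve, reason)] suppressed)."""
    actionable, suppressed = [], []
    for f in findings:
        vex = vex_status.get((f["cve"], f["purl"]))
        if vex in ("not_affected", "fixed"):      # publisher: not exploitable or already patched
            suppressed.append((f["cve"], f"vex:{vex}"))
        elif not f["reachable"]:                   # affected or unknown, but code path never invoked
            suppressed.append((f["cve"], "unreachable"))
        else:
            actionable.append(f["cve"])
    return actionable, suppressed

def suppression_summary(suppressed):
    """Counts per reason: what a bulk 'Suppress' action filtered by reason would clear."""
    return dict(Counter(reason for _, reason in suppressed))

if __name__ == "__main__":
    act, sup = triage(FINDINGS, load_vex_status(VEX_DOC))
    print("actionable:", act, "suppressed:", suppression_summary(sup))
```

Only the reachable application-layer finding survives; the base-image findings fall out on VEX status, and the rest on reachability.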
<h3 id="step5">Step 5: Operationalize Security with Workflows</h3>
<p>Move beyond scanning into <strong>automated governance</strong> by configuring Mend.io workflows.</p>
<ul>
<li><strong>SLA and Violation Management</strong>: Set remediation deadlines (SLAs) based on vulnerability severity. Mend.io automatically triggers violations if fixes are overdue.</li>
<li><strong>Custom Alerts</strong>: Configure notifications via email or Jira when a new DHI image is added to your environment, or when critical vulnerabilities are found in custom code.</li>
<li><strong>Pipeline Gating</strong>: Use Mend’s workflow engine to fail CI/CD builds <em>only</em> when high-risk, reachable vulnerabilities are introduced in custom code. This keeps your pipeline moving while preventing dangerous releases.</li>
</ul>
<h3 id="step6">Step 6: Automate Continuous Patching</h3>
<p>For Enterprise DHI users, patched base images are <strong>automatically mirrored</strong> to Docker Hub private repositories. Mend.io verifies the updates, confirming that base-level risks have been mitigated without requiring a manual pull request.</p><figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image-1024x1024.png" alt="How to Streamline Container Security with Docker Hardened Images and Mend.io" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<ul>
<li>Ensure your Docker Hub account is linked to Mend.io under the “Integrations” settings.</li>
<li>Enable the automatic mirroring option for DHI images – new patches will sync silently.</li>
<li>In Mend.io, check the “Mirrored” status for a DHI package; if a CVE was patched upstream, Mend will mark it as resolved.</li>
</ul>
<h3 id="step7">Step 7: Migrate Legacy Applications with AI Assistance</h3>
<p>Leverage <strong>Ask Gordon</strong>, Docker’s AI agent, to analyze existing Dockerfiles and recommend the most suitable DHI foundation for legacy applications – reducing the friction of migration.</p>
<ul>
<li>Run the Ask Gordon analysis on your legacy Dockerfile (available via Docker Desktop or CLI).</li>
<li>Receive recommendations for a specific Docker Hardened Image tag that matches your application’s dependencies.</li>
<li>Update your Dockerfile to use the recommended DHI, then re-scan with Mend.io to confirm that base-image vulnerabilities are resolved.</li>
</ul>
<h2>Tips for Success</h2>
<ul>
<li><strong>Start with a pilot project</strong> – Choose one container image to test the full flow from zero-config detection to bulk suppression before rolling out across your organization.</li>
<li><strong>Communicate with developers</strong> – Explain that suppressed vulnerabilities are not ignored; they are safely deprioritized based on Docker’s VEX and Mend’s reachability analysis. This builds trust in the process.</li>
<li><strong>Review SLA settings regularly</strong> – As your application evolves, some vulnerabilities may become reachable. Periodically re-run Mend’s reachability analysis and adjust SLAs accordingly.</li>
<li><strong>Combine with CI/CD policies</strong> – Use pipeline gating sparingly at first to avoid developer frustration. Gradually tighten rules as the team adapts.</li>
<li><strong>Monitor the “DHI protected” count</strong> – A growing number indicates you are successfully shifting security left into Docker’s hardened base images.</li>
<li><strong>Leverage Ask Gordon for older projects</strong> – Legacy Dockerfiles often contain outdated base images; AI-assisted migration can modernize them with minimal effort.</li>
</ul>