Quick Facts
- Category: Cybersecurity
- Published: 2026-04-30 22:33:40
- A Step-by-Step Guide to Fortifying Your Software Supply Chain
Introduction
Every day, developers face a flood of vulnerability alerts—thousands of CVEs that clutter dashboards and trigger false alarms. The real challenge isn’t scanning; it’s knowing which risks actually matter. The integration between Docker Hardened Images (DHI) and Mend.io changes that. By automatically separating base image vulnerabilities from application-layer threats and using VEX (Vulnerability Exploitability eXchange) data, it cuts through the noise. This guide walks you through a step-by-step process to set up and operate this integration, reclaiming developer hours while keeping your container environment secure.

What You Need
- An active Mend.io account (any tier).
- A subscription to Docker Hardened Images (DHI) (Enterprise or Team plan).
- Access to a container registry where DHI images are stored (e.g., Docker Hub private repos).
- Basic familiarity with Dockerfiles and CI/CD pipelines.
- Optional: Jira or email integration for alerts.
Step-by-Step Guide
Step 1: Enable Zero-Configuration Integration
No manual tagging or extra configuration is needed. Once your Mend.io scanner is pointed at repositories that use Docker Hardened Images, it automatically detects the DHI base images. Simply run your normal container scan (via CLI, CI/CD plugin, or webhook) and the integration kicks in. The first scan will identify all DHI packages and mark them for special handling.
Step 2: Identify Protected Packages in the Mend UI
Open the Mend.io dashboard and navigate to your project’s vulnerability list. Look for a dedicated Docker icon next to packages that originate from your DHI base image. Hover over the icon to see a tooltip explaining that this component is managed by Docker’s hardened foundation. This visual indicator gives you immediate transparency: you know which vulnerabilities are Docker’s responsibility and which belong to your custom code.
Step 3: Inspect Findings by Package, Layer, and Risk
Click on any DHI-protected package to drill down. You’ll see a clear breakdown:
- Package name (e.g., libssl1.1).
- Layer where it resides (base OS layer vs. application layer).
- Risk factor (exploitable or not, based on VEX and reachability analysis).
This layered view provides a complete audit trail—from the underlying operating system to your custom binaries. Use it to quickly understand which vulnerabilities are truly actionable.
Step 4: Apply Dynamic Risk Triage Using VEX and Reachability
Standard scanners flag every CVE in the file system, even if the vulnerable code is never executed. Mend.io adds two intelligence layers to filter the noise:
- Risk Factor Integration: Mend.io ingests Docker’s VEX data as a primary source of risk classification. If Docker marks a CVE as not_affected (e.g., the vulnerable function isn’t compiled into the binary), Mend respects that.
- Unreachability Analysis: Even if VEX says “affected,” Mend checks whether the vulnerable code path is actually reachable at runtime. If not, the CVE is deprioritized.
These two filters combine to produce a refined list—showing only the vulnerabilities that are both present and exploitable.
Step 5: Bulk Suppress Non-Exploitable Risks
With the filtered list, you can suppress thousands of non-exploitable CVEs with a single click. In the Mend UI, select the “Not Affected” or “Unreachable” filter, then choose Bulk Suppression. A confirmation dialog appears—confirm it, and all those false positives disappear from your active queue. Your team can now focus on the 1% of reachable, exploitable risks that exist in your custom application layers. This one action can save hours every sprint.

Step 6: Set Up Automated Workflows for Governance
Move beyond manual triage by operationalizing security rules:
- SLA & Violation Management: Configure Mend to automatically trigger a violation when a critical vulnerability is found in a custom layer. Set remediation deadlines (e.g., 7 days for high severity). If the deadline passes, an escalation alert fires.
- Custom Alerts: Create a workflow that sends an email or creates a Jira issue whenever a new DHI image is added to your environment. This keeps your security team informed of changes.
- Pipeline Gating: Modify your CI/CD pipeline to use Mend’s workflow engine. Fail the build only when a high-risk, reachable vulnerability enters custom code. All other findings (like non-exploitable DHI CVEs) are ignored, keeping the pipeline moving fast.
To implement, go to Mend’s Workflows tab, choose a template (e.g., “Block on critical reachable”), and connect it to your SCM or CI tool via webhook.
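One way to implement the VEX-first, reachability-second triage of Step 4 together with the layer-aware pipeline gate of Step 6, as an added example that is not Mend.io's or Docker's own code: the VEX document uses the OpenVEX statement shape, and the findings, the reachability set and the CVE ids are constructed placeholders.

```python
import json

# Constructed sample inputs; the CVE ids are placeholders, not real advisories.
VEX_DOC = json.loads("""{"statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:deb/debian/libssl1.1"}],
   "status": "not_affected", "justification": "vulnerable_code_not_present"},
  {"vulnerability": {"name": "CVE-0000-0002"},
   "products": [{"@id": "pkg:deb/debian/libssl1.1"}],
   "status": "affected"}]}""")

FINDINGS = [  # what a scanner reports for one image, with the layer each package sits in
    {"cve": "CVE-0000-0001", "purl": "pkg:deb/debian/libssl1.1", "layer": "base", "severity": "critical"},
    {"cve": "CVE-0000-0002", "purl": "pkg:deb/debian/libssl1.1", "layer": "base", "severity": "high"},
    {"cve": "CVE-0000-0003", "purl": "pkg:pypi/requests", "layer": "app", "severity": "critical"},
    {"cve": "CVE-0000-0004", "purl": "pkg:pypi/pyyaml", "layer": "app", "severity": "critical"},
]
REACHABLE = {"CVE-0000-0002", "CVE-0000-0003"}  # result of a reachability analysis (constructed)


def vex_status(vex, cve, purl):
    """Return the VEX status covering (cve, purl), or None if no statement applies."""
    for st in vex.get("statements", []):
        if st["vulnerability"]["name"] != cve:
            continue
        if any(p.get("@id") == purl for p in st.get("products", [])):
            return st["status"]
    return None


def triage(findings, vex, reachable):
    """Step 4: VEX is consulted first, then reachability; each finding gets a disposition."""
    out = []
    for f in findings:
        status = vex_status(vex, f["cve"], f["purl"])
        if status == "not_affected":
            disp = "not_affected"  # the image maintainer says the vulnerable code is not there
        elif f["cve"] not in reachable:
            disp = "unreachable"   # present on disk but never executed: deprioritise
        else:
            disp = "actionable"
        out.append({**f, "disposition": disp})
    return out


def gate(triaged, fail_on=("critical",)):
    """Step 6: fail the build only for actionable findings in the app layer at gated severities.
    Base-layer findings never block; they are fixed by the patched base image (Step 7)."""
    blocking = [f["cve"] for f in triaged if f["disposition"] == "actionable"
                and f["layer"] == "app" and f["severity"] in fail_on]
    return len(blocking) == 0, blocking
```

Findings with disposition `not_affected` or `unreachable` are the set that Step 5 bulk-suppresses; only `actionable` ones in the app layer can fail the pipeline.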
Step 7: Leverage Continuous Patching and AI-Assisted Migration
For Enterprise DHI users, patching becomes automatic:
- Automated Synchronization: Docker automatically mirrors patched DHI base images to your private Docker Hub repository. Mend.io scans the updated image and verifies that base-level risks are mitigated—no manual pull request required.
- Ask Gordon (AI Agent): If you’re migrating a legacy application to a hardened base, use Docker’s AI agent “Ask Gordon.” Paste your existing Dockerfile, and it recommends the most suitable DHI foundation (e.g., “Use a Python 3.11 DHI with minimal packages”). This reduces migration friction and ensures you start on a secure base.
Tips for Maximizing Developer Time Savings
- Start with a pilot project: Before rolling out to all teams, test the integration on one containerized service. You’ll learn the new workflow without overwhelming the team.
- Educate your developers on VEX vs. CVSS: Explain that VEX is authoritative for DHI images—if Docker says “not affected,” trust it. This avoids unnecessary debates.
- Review bulk suppressions periodically: Even though non-exploitable CVEs are safe now, new exploit paths can emerge. Schedule a quarterly audit of suppressed findings.
- Tune pipeline gating thresholds: Start by gating only on critical reachable vulnerabilities. As confidence grows, you can add high-severity gates for application-layer code.
- Use the layer view during incident response: When a new CVE drops, quickly check if it’s in the base layer (managed by Docker) or your app layer. This can save hours of investigation.