Introducing the Docker Hardened Images Integration in Mend.io

The new Docker Hardened Images integration in Mend.io adds DHI context directly to the AppSec workflow. This helps teams evaluate container risk more precisely and spend less time on findings that do not matter.

Container security programs often struggle with excessive noise.

A routine scan of a production container image can generate thousands of CVEs. Security teams then review the findings, rank them, and assign follow-up work. After that effort, it often becomes clear that most of the reported issues come from the base image. Many of them are linked to packages the application does not actually use and cannot directly remediate.

The result is familiar: substantial effort with little change in actual risk.

The Docker Hardened Images (DHI) integration in Mend.io was built to address this problem. It brings Docker’s VEX data into the Mend platform and combines that data with Mend.io’s reachability analysis. This gives teams a more reliable basis for deciding which vulnerabilities deserve attention.

The Value of Docker Hardened Images

Docker Hardened Images are minimal base images that are patched continuously. They are designed with software supply chain security as a built-in requirement, not an afterthought. Each image includes VEX statements (Vulnerability Exploitability eXchange data). These statements provide machine-readable information about which CVEs are present in the image but are not exploitable in the way the software is actually being used.

Without VEX, scanners cannot reliably separate irrelevant CVEs from issues that introduce meaningful exposure. Security teams face the same visibility gap.

No Manual Setup. Immediate Clarity.

When Mend.io scans a container that uses a Docker Hardened Image, the DHI base image is identified automatically. No manual tagging is needed. No additional configuration is required. Inside the Mend interface, packages protected by DHI are labeled with a dedicated Docker icon. This makes it easy to distinguish Docker’s hardened base components from packages that belong to the application layer.


Two Context Sources for a Sharper View of Risk

Mend.io uses DHI VEX data as a primary Risk Factor input. If a CVE is marked as not_affected, its priority is immediately lowered. Mend’s reachability engine then adds another layer of analysis by checking whether vulnerable code paths in application dependencies are ever actually invoked at runtime.

This combination changes the outcome significantly. Teams are left with vulnerabilities that are not only present, but also reachable and exploitable. Findings outside that scope can be suppressed in bulk. In practice, that can remove thousands of non-exploitable CVEs in a single step and narrow attention to the small portion of issues that create genuine risk in custom application code.

Build Gates Aligned With Actual Exposure

Mend.io’s workflow engine allows build gates to be configured around real application risk. A build can be stopped when high-risk and reachable vulnerabilities are introduced into custom code. It does not have to fail because of a base image CVE that Docker has already classified as non-exploitable. This keeps delivery pipelines moving while ensuring that developers receive failure signals tied to issues they can meaningfully address.
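The triage order described in the two sections above (a VEX not_affected statement lowers priority first, reachability analysis then decides application-layer findings, and a build gate fails only on findings that are still actionable), as an added example that is not Mend.io's or Docker's code. It assumes the base image's VEX data is an OpenVEX document; the document, the scan findings, the reachability results and the finding field names are all constructed for the example.

```python
"""Apply VEX statements and reachability results to container scan findings.

Added example, not Mend.io or Docker code. The OpenVEX document, the
findings list and the reachability results are constructed; the finding
field names (cve, purl, severity, layer) are assumptions for this example.
"""
import json

# Constructed OpenVEX document standing in for the VEX data a hardened
# base image ships with (the real statements for any given image differ).
VEX_DOCUMENT = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/base-image-example",
    "author": "example base image publisher",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # present in the image, but the vulnerable code is never executed
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:deb/debian/libexample@1.0-1"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # genuinely affected base package; the publisher patches these
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:deb/debian/libother@2.3-4"}],
            "status": "affected",
        },
    ],
})

# Constructed scanner findings: CVE, package URL, severity and the image
# layer ("base" for the hardened image, "app" for application dependencies).
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:deb/debian/libexample@1.0-1",
     "severity": "HIGH", "layer": "base"},
    {"cve": "CVE-0000-0002", "purl": "pkg:deb/debian/libother@2.3-4",
     "severity": "CRITICAL", "layer": "base"},
    {"cve": "CVE-0000-0003", "purl": "pkg:npm/example-parser@4.1.0",
     "severity": "HIGH", "layer": "app"},
    {"cve": "CVE-0000-0004", "purl": "pkg:npm/example-logger@1.2.0",
     "severity": "HIGH", "layer": "app"},
]

# Constructed reachability results for application dependencies: True when
# the vulnerable function lies on a call path from application code.
REACHABILITY = {
    ("CVE-0000-0003", "pkg:npm/example-parser@4.1.0"): True,
    ("CVE-0000-0004", "pkg:npm/example-logger@1.2.0"): False,
}


def load_vex_statuses(vex_json):
    """Map (cve, product purl) -> (status, justification) from an OpenVEX doc."""
    doc = json.loads(vex_json)
    statuses = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            statuses[(cve, product["@id"])] = (stmt["status"], stmt.get("justification"))
    return statuses


def triage(findings, vex_statuses, reachability):
    """Attach a triage decision to each finding.

    Precedence follows the text: a not_affected VEX statement suppresses the
    finding; otherwise reachability decides for application dependencies;
    anything without either context source stays open for manual review.
    """
    decisions = []
    for f in findings:
        key = (f["cve"], f["purl"])
        vex = vex_statuses.get(key)
        if vex and vex[0] == "not_affected":
            decision = {"action": "suppress", "reason": "vex:not_affected:" + str(vex[1])}
        elif key in reachability:
            if reachability[key]:
                decision = {"action": "fix", "reason": "reachable"}
            else:
                decision = {"action": "suppress", "reason": "unreachable"}
        else:
            decision = {"action": "review", "reason": "no context"}
        decisions.append({**f, **decision})
    return decisions


def build_gate(decisions, blocking_severities=("CRITICAL", "HIGH")):
    """Return (passed, blockers): fail only on reachable, high-risk findings."""
    blockers = [d for d in decisions
                if d["action"] == "fix" and d["severity"] in blocking_severities]
    return (len(blockers) == 0, blockers)


if __name__ == "__main__":
    decisions = triage(FINDINGS, load_vex_statuses(VEX_DOCUMENT), REACHABILITY)
    for d in decisions:
        print(d["cve"], d["layer"], d["action"], d["reason"])
    passed, blockers = build_gate(decisions)
    print("build gate:", "pass" if passed else "fail", [b["cve"] for b in blockers])
```

With the constructed inputs, the only finding that fails the gate is the reachable application-layer CVE; the base image CVE covered by a not_affected statement and the unreachable application dependency are suppressed, and the affected base package remains visible for review without blocking delivery.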

Compliance Becomes Part of the Workflow

Organizations operating under frameworks such as SSDF, FedRAMP, and similar requirements can export a complete SBOM from Mend.io with a single click. That output is supported by an auditable record of VEX statements and reachability logs. As a result, compliance evidence is generated as part of normal development activity. It does not need to be assembled manually before each audit cycle.

Focusing on the Small Percentage That Matters

Container security should not consume developer time on the large majority of findings that do not represent real exposure. Automatic DHI detection, VEX-based filtering, reachability analysis, automated base image patching, and one-click SBOM export allow Mend.io and Docker Hardened Images to reduce noise and highlight the vulnerabilities that actually matter.

If you would like to test Mend.io free of charge, please leave your contact details in the form below.
