
Smarter Container Vulnerability Management: A Step-by-Step Guide to Using Docker Hardened Images with Mend.io

2026-05-02 21:34:10

Introduction

Modern containerized applications face an avalanche of vulnerability alerts, many of which are never exploitable at runtime. The integration between Docker Hardened Images (DHI) and Mend.io offers a framework for cutting through that noise. By automatically separating base-image vulnerabilities from application-layer risks and applying VEX (Vulnerability Exploitability eXchange) data, this approach lets your team focus on the critical 1% of findings that actually matter. Follow this step-by-step guide to reclaim developer hours and streamline your security posture.

Source: www.docker.com

What You Need

Step 1: Enable Zero-Configuration Integration

The hallmark of this solution is its zero-configuration setup. Once the two products are connected, you do not need to tag images or mark packages as DHI-managed by hand.

  1. Connect your DHI subscription to Mend.io – In your Mend.io account, navigate to the integrations section and authorize Docker Hardened Images. Mend.io will then automatically recognize DHI base images in the container images it scans.
  2. Verify automatic detection – Run your first container scan. Mend.io identifies DHI base images without any manual tags or additional steps. This detection happens at scan time, saving your developers from extra work.
  3. Check visual indicators – In the Mend UI, look for the dedicated Docker icon next to packages protected by DHI. Hover over the icon to see informative tooltips that clarify which components are managed by Docker’s hardened foundation.

Step 2: Identify Base Image vs. Application-Layer Vulnerabilities

Understanding where vulnerabilities originate is crucial for prioritization. Mend.io provides transparent layer inspection.

  1. Inspect findings by layer – In the Mend UI, open a scan report and use the layer filter. You can see vulnerabilities grouped by base OS layer, intermediate layers, and custom application binaries.
  2. Use risk factor filtering – Mend.io incorporates Docker’s VEX data as a primary risk factor. A vulnerability marked as “not_affected” by Docker’s VEX is automatically deprioritized. Note that a VEX statement applies only to the exact package and version it names in the hardened base image; a package you install on top of it, or a different version of the same package, gets no such statement and is triaged on its own merits.
  3. Review package-level details – For each vulnerability, click to see the package name, version, and layer. This creates a clear audit trail from the base OS to your custom code.

Step 3: Apply Dynamic Risk Triage with VEX + Reachability

Standard scanners flag thousands of CVEs in packages that are present on the file system but never executed. This integration uses two layers of intelligence to filter that noise.

  1. Understand the ‘Not Affected’ filter – If a CVE is marked as not_affected by Docker’s VEX or determined to be unreachable by Mend’s analysis (based on code execution paths), it is automatically deprioritized. This is visible in the risk score.
  2. Check risk factor integration – In the Mend UI, look for the “Risk Factors” column. Docker’s VEX data appears here as a primary source. This helps your team quickly see which vulnerabilities are truly exploitable.
  3. Fine-tune your view – Use filters to show only reachable vulnerabilities in your application layer. This narrows your focus to the critical 1% that can actually be exploited at runtime.
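As an added example (not code from Docker or Mend.io), the following Python script applies the triage rules of Steps 2 and 3 to constructed data: it indexes an OpenVEX document by (vulnerability, package purl), attributes each scanner finding to the base or application layer by the layer digest that introduced the package, and then deprioritizes findings that are VEX not_affected (or fixed) or unreachable. The VEX document, purls, layer digests, CVE identifiers and the reachable set are all placeholders, and the field names of the finding records are assumptions rather than Mend.io’s export format.

```python
"""Triage container scan findings with OpenVEX statements and reachability.

Added illustration, not Docker's or Mend.io's code. Every identifier below
(CVE ids, purls, layer digests, the reachable set) is a constructed placeholder.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed OpenVEX v0.2.0 document standing in for the VEX attestation that
# ships with a hardened base image. Status values follow the OpenVEX vocabulary.
VEX_JSON = """
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/base-image-placeholder",
  "author": "placeholder base-image publisher",
  "timestamp": "2026-05-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2099-0001"},
     "products": [{"@id": "pkg:deb/debian/libexample@1.2.3-1"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2099-0002"},
     "products": [{"@id": "pkg:deb/debian/libexample@1.2.3-1"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-2099-0003"},
     "products": [{"@id": "pkg:deb/debian/zlib-placeholder@1.3-1"}],
     "status": "fixed"}
  ]
}
"""

# Placeholder layer digests: a scanner reports which layer introduced each
# package; the first two belong to the base image, the third to the app build.
BASE_LAYERS = {"sha256:base0-placeholder", "sha256:base1-placeholder"}
APP_LAYER = "sha256:app0-placeholder"


@dataclass(frozen=True)
class Finding:
    cve: str
    purl: str          # package URL as reported by the scanner
    severity: str      # "critical" | "high" | "medium" | "low"
    layer_digest: str  # layer that introduced the package


@dataclass(frozen=True)
class Triaged:
    finding: Finding
    layer: str                 # "base" or "application"
    vex_status: Optional[str]  # OpenVEX status, if a statement matched
    action: str                # "fix", "review" or "suppress"
    reason: str


def load_vex(text: str) -> dict:
    """Index OpenVEX statements by (vulnerability name, product purl).

    A statement applies only to the exact product it names, so the purl
    (version included) is part of the key.
    """
    doc = json.loads(text)
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns/"):
        raise ValueError("not an OpenVEX document")
    index = {}
    for stmt in doc["statements"]:
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(vuln, product["@id"])] = (stmt["status"], stmt.get("justification"))
    return index


def triage(findings, vex_index, base_layers, reachable) -> list:
    """Apply the VEX-first, reachability-second rules from Steps 2 and 3."""
    result = []
    for f in findings:
        layer = "base" if f.layer_digest in base_layers else "application"
        status, justification = vex_index.get((f.cve, f.purl), (None, None))
        if status == "not_affected":
            action, reason = "suppress", f"vex:not_affected ({justification})"
        elif status == "fixed":
            # Scanner matched on a version string; the publisher says the fix is in.
            action, reason = "suppress", "vex:fixed"
        elif status == "under_investigation":
            action, reason = "review", "vex:under_investigation"
        elif layer == "application":
            # Reachability analysis covers the application's own dependencies.
            if (f.cve, f.purl) in reachable:
                action, reason = "fix", "reachable"
            else:
                action, reason = "suppress", "unreachable"
        elif status == "affected":
            action, reason = "fix", "vex:affected (update the base image)"
        else:
            # Base-layer package with no VEX statement: needs a human look.
            action, reason = "review", "base:no-vex-statement"
        result.append(Triaged(f, layer, status, action, reason))
    return result


def summarize(triaged) -> dict:
    counts = {"fix": 0, "review": 0, "suppress": 0}
    for t in triaged:
        counts[t.action] += 1
    return counts


# Constructed scanner output and reachability result (placeholders).
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", "pkg:deb/debian/libexample@1.2.3-1", "high", "sha256:base0-placeholder"),
    Finding("CVE-2099-0002", "pkg:deb/debian/libexample@1.2.3-1", "critical", "sha256:base0-placeholder"),
    Finding("CVE-2099-0003", "pkg:deb/debian/zlib-placeholder@1.3-1", "medium", "sha256:base1-placeholder"),
    Finding("CVE-2099-0004", "pkg:npm/example-app-dep@4.5.6", "critical", APP_LAYER),
    Finding("CVE-2099-0005", "pkg:npm/example-other@2.0.0", "high", APP_LAYER),
    Finding("CVE-2099-0006", "pkg:deb/debian/curl-placeholder@8.0-1", "medium", "sha256:base1-placeholder"),
]
REACHABLE = {("CVE-2099-0004", "pkg:npm/example-app-dep@4.5.6")}

if __name__ == "__main__":
    triaged = triage(SAMPLE_FINDINGS, load_vex(VEX_JSON), BASE_LAYERS, REACHABLE)
    for t in triaged:
        print(f"{t.finding.cve:14} {t.layer:11} {t.action:8} {t.reason}")
    print(summarize(triaged))
```

Two design points carry over to any real pipeline: the VEX index is keyed on the full purl, so a statement issued for the hardened image never silently covers a package you added or upgraded yourself, and base-layer findings without a VEX statement are routed to review rather than suppressed, because absence of a statement is not evidence of non-exploitability.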

Step 4: Suppress Non-Exploitable Vulnerabilities in Bulk

Once you’ve identified the non-exploitable risks, you can clear them with a single action.

  1. Select bulk suppression – In the Mend UI, choose the filter “Not Affected” or “Unreachable” for vulnerabilities. A “Suppress All” button appears.
  2. Click to suppress – Mend.io will mark thousands of non-exploitable vulnerabilities as suppressed in one click. This clears the backlog and lets your team focus on the real threats.
  3. Confirm suppression – Verify that suppressed items are hidden from your main vulnerability dashboard. They remain in the audit trail but no longer trigger alerts or SLAs. Because these suppressions rest on VEX and reachability evidence rather than a manual waiver, rescan after base-image or code changes so that any finding whose status has changed is re-evaluated.

Step 5: Operationalize Security with Automated Workflows

Move beyond manual scanning into automated governance. Mend.io allows you to set up policies that enforce security without slowing development.

  1. Set SLAs and violation rules – In Mend.io’s workflow engine, define remediation deadlines (SLAs) based on vulnerability severity. For example, critical reachable vulnerabilities must be fixed within 48 hours.
  2. Configure custom alerts – Create workflows that send instant notifications via email or Jira whenever a new DHI image is added to your environment. This keeps security informed without manual polling.
  3. Implement pipeline gating – Use Mend’s workflow to fail builds only when high-risk, reachable vulnerabilities are introduced in custom code. Vulnerabilities that are not exploitable (e.g., base-image findings carrying a VEX not_affected status) are ignored, keeping your CI/CD pipeline moving.
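The policy in Step 5, as an added example that is not Mend.io’s workflow engine: the script below takes already-triaged findings (the `action` and `layer` fields are assumed to come from a VEX + reachability triage such as the one in Step 3), computes an SLA deadline per severity, and fails the build only for newly introduced, reachable application-layer findings at gated severities. Pre-existing findings are reported against their SLA instead of blocking unrelated changes. The 48-hour critical window is the page’s own figure; the other SLA windows, the baseline mechanism and all identifiers are assumptions.

```python
"""CI gate and SLA tracking over triaged container findings.

Added illustration, not Mend.io's workflow engine. Inputs are constructed; the
48-hour critical SLA is from the guide, the other windows are assumed values.
"""
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}


@dataclass(frozen=True)
class TriagedFinding:
    cve: str
    purl: str
    severity: str      # "critical" | "high" | "medium" | "low"
    layer: str         # "base" | "application"
    action: str        # "fix" (reachable or VEX affected), "review" or "suppress"
    first_seen: datetime


def sla_deadline(f: TriagedFinding) -> datetime:
    return f.first_seen + timedelta(hours=SLA_HOURS[f.severity])


def is_gating(f: TriagedFinding, gate_severities=("critical", "high")) -> bool:
    """Only reachable application-layer findings at gated severities can block."""
    return f.action == "fix" and f.layer == "application" and f.severity in gate_severities


def evaluate_build(findings, baseline, now) -> dict:
    """Fail only on gating findings absent from the previous build's baseline.

    `baseline` is the set of (cve, purl) pairs already known from the last
    accepted build; those are tracked against their SLA rather than blocking.
    """
    new_blocking = sorted(f.cve for f in findings
                          if is_gating(f) and (f.cve, f.purl) not in baseline)
    overdue = sorted(f.cve for f in findings
                     if f.action == "fix" and sla_deadline(f) < now)
    ignored = sum(1 for f in findings if f.action != "fix")
    return {"pass": not new_blocking, "new_blocking": new_blocking,
            "overdue": overdue, "ignored": ignored}


# Constructed inputs (placeholder CVE ids and purls).
NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE = [
    TriagedFinding("CVE-2099-0004", "pkg:npm/example-app-dep@4.5.6", "critical", "application", "fix", NOW - 1 * H),
    TriagedFinding("CVE-2099-0007", "pkg:npm/example-old@1.0.0", "high", "application", "fix", NOW - 240 * H),
    TriagedFinding("CVE-2099-0002", "pkg:deb/debian/libexample@1.2.3-1", "critical", "base", "fix", NOW - 72 * H),
    TriagedFinding("CVE-2099-0001", "pkg:deb/debian/libexample@1.2.3-1", "high", "base", "suppress", NOW - 72 * H),
    TriagedFinding("CVE-2099-0005", "pkg:npm/example-other@2.0.0", "high", "application", "suppress", NOW - 1 * H),
]
BASELINE = {("CVE-2099-0007", "pkg:npm/example-old@1.0.0"),
            ("CVE-2099-0002", "pkg:deb/debian/libexample@1.2.3-1"),
            ("CVE-2099-0001", "pkg:deb/debian/libexample@1.2.3-1")}

if __name__ == "__main__":
    verdict = evaluate_build(SAMPLE, BASELINE, NOW)
    print(verdict)
    sys.exit(0 if verdict["pass"] else 1)
```

Run as a pipeline step, the non-zero exit code blocks the merge only for the one finding that is new, reachable and in the application layer; the overdue base-image finding is surfaced for the alerting workflow of item 2 rather than stalling every build until the updated hardened image is pulled.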

Step 6: Leverage Continuous Patching and AI-Assisted Migration

Stay up-to-date with minimal manual effort. The integration automates patching and even helps migrate legacy applications to DHI.

  1. Automatic synchronization – For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io verifies these updates, confirming that base-level risks have been mitigated without requiring a manual pull request.
  2. Use ‘Ask Gordon’ – Leverage Docker’s AI agent to analyze your existing Dockerfiles. ‘Ask Gordon’ recommends the most suitable DHI foundation by comparing your application’s dependencies with hardened image compatibility. This reduces friction for legacy migrations.
  3. Apply recommendations – Once ‘Ask Gordon’ suggests a new base image, update your Dockerfile and rescan. Mend.io will then apply the same VEX and reachability filtering, ensuring a clean security baseline.

Tips & Best Practices

By following these steps, your team can reclaim developer hours that were previously lost to low-value triage. The Docker + Mend.io integration turns vulnerability management from a bottleneck into a smooth, automated process, so you can ship secure software faster.
