Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Reclaim Developer Hours through Smarter Vulnerability Prioritization with Docker and Mend.io

We recently announced the integration between Mend.io and Docker Hardened Images (DHI) provides a seamless framework for managing container security. By automatically distinguishing between base image vulnerabilities and application-layer risks, it uses VEX statements to differentiate between exploitable vulnerabilities and non-exploitable vulnerabilities, allowing your team to prioritize what really matters.

TL;DR: The Developer Value Proposition

The hallmark of this integration is its zero-configuration setup.

  • Automatic Detection: Mend.io identifies DHI base images automatically upon scanning. No manual tagging or configuration is required by the developer.
  • Visual Indicators: Within the Mend UI, DHI-protected packages are marked with a dedicated Docker icon and informative tooltips, providing immediate transparency into which components are managed by Docker’s hardened foundation.

Transparent Layers: Users can inspect findings by package, layer, and risk factor, ensuring a clear audit trail from the base OS to the custom application binaries.

Dynamic Risk Triage: VEX + Reachability

Standard scanners flag thousands of vulnerabilities that are present in the file system but never executed. This integration uses two layers of intelligence to filter the noise:

  • Risk Factor Integration: Mend.io incorporates Docker’s VEX (Vulnerability Exploitability eXchange) data as a primary source of “Risk Factor” identification.
  • The “Not Affected” Filter: If a CVE is marked as not_affected by Docker’s VEX data or determined to be Unreachable by Mend’s analysis, it is deprioritized.

Bulk Suppression: Developers can suppress non-functional risks in bulk—potentially clearing thousands of non-exploitable vulnerabilities with a single click—allowing teams to focus on the 1% of reachable, exploitable risks in their custom layers.

Operationalizing Security with Workflows

Mend.io allows organizations to move beyond simple scanning into automated governance:

  • SLA & Violation Management: Automatically trigger violations and set remediation deadlines (SLAs) based on vulnerability severity.
  • Custom Alerts: Configure workflows to receive instant notifications (via email or Jira) whenever a new DHI is added to the environment.

Pipeline Gating: Use Mend’s workflow engine to fail builds only when high-risk, reachable vulnerabilities are introduced in custom code, keeping the CI/CD pipeline moving.

Continuous Patching & AI-Assisted Migration

  • Automated Synchronization: For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io verifies these updates, confirming that base-level risks have been mitigated without requiring a manual Pull Request.
  • Ask Gordon: Leverage Docker’s AI agent to analyze existing Dockerfiles and recommend the most suitable DHI foundation, reducing the friction of migrating legacy applications to a secure environment.

The Mend.io and Docker integration operationalizes this by providing an auditable trail of security declarations, ensuring compliance is a byproduct of the standard development workflow rather than a separate, manual task.

Learn more

Learn more about the integration and Docker’s VEX statements in the following links:

Read Mend’s point of view on the benefits of VEX: https://www.mend.io/blog/benefits-of-vex-for-sboms/

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.