
How to Prioritize Container Vulnerabilities Efficiently with Docker and Mend.io Integration

2026-05-04 11:10:40

Introduction

Container security scanning often bombards developers with thousands of vulnerability alerts, many of which are non-exploitable or irrelevant. The integration between Docker Hardened Images (DHI) and Mend.io simplifies this by automatically distinguishing base image vulnerabilities from application-layer risks using VEX (Vulnerability Exploitability eXchange) statements. This step-by-step guide shows you how to reclaim developer hours by focusing only on reachable, exploitable threats.

Source: www.docker.com

What You Need

Step-by-Step Guide

Step 1: Enable Automatic Detection of DHI Base Images

Mend.io automatically identifies DHI base images during container scans. No manual tagging or configuration is required. Simply push your container image (built from a DHI base) to your registry and let Mend.io scan it. The integration detects the hardened base image by its metadata and layers, setting the stage for smart risk analysis.

Step 2: Identify Visual Indicators in the Mend UI

Once scanned, open the Mend.io dashboard and navigate to the vulnerability report for your container. Packages protected by Docker Hardened Images are marked with a dedicated Docker icon. Hover over any such package to see a tooltip explaining that it is managed by Docker's hardened foundation. This visual cue immediately tells you which components are already risk-mitigated.

Step 3: Inspect Vulnerabilities by Layer, Package, and Risk

Drill down into the findings using Mend.io’s layered view. You can inspect vulnerabilities by package, layer (e.g., OS base layer vs. application layer), and risk factor. This transparency provides a clear audit trail from the base OS up to your custom application binaries. Use this to understand where each vulnerability originates and whether it lies in the hardened base or your added code.

Step 4: Apply Dynamic Risk Triage with VEX and Reachability

Standard scanners flag thousands of vulnerabilities whose code is present in the image's file system but never executed. Mend.io combines two intelligence layers, VEX statements and reachability analysis, to filter that noise.

To apply this triage, go to the Mend UI’s “Risk Factors” filter. Enable the “Not Affected” filter to hide CVEs that VEX statements mark as not affected. Combine it with reachability filters to see only threats that are both exploitable and reachable in your application code.

Step 5: Deprioritize Non-Exploitable Vulnerabilities Using Bulk Suppression

After filtering, you can suppress all non-functional risks in bulk. In the Mend UI, select the filtered list of non-exploitable vulnerabilities (e.g., those marked “Not Affected” or “Unreachable”) and click “Suppress”. With a single action, you can clear thousands of false positives, freeing your team to focus on the ~1% of reachable, exploitable risks in your custom layers.
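The two filters from Steps 4 and 5 reduce to a small rule, shown here as an added Python illustration rather than code from Docker or Mend.io. It runs over a constructed OpenVEX document (the standard `status`/`justification`/`products` fields) and a constructed list of scan findings; every CVE id, package purl and URL is a placeholder.

```python
from dataclasses import dataclass

# Constructed OpenVEX document in the shape base-image VEX data is published.
# Every CVE id, package purl and URL below is a placeholder for this example.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/base",
    "author": "example-author", "timestamp": "2026-01-01T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
         "products": [{"@id": "pkg:deb/debian/libfoo@1.0"}],
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "status": "affected",
         "products": [{"@id": "pkg:deb/debian/libbar@2.0"}]},
    ],
}

@dataclass(frozen=True)
class Finding:
    cve: str
    purl: str
    layer: str       # "base" (hardened image) or "app" (layers you added)
    reachable: bool  # verdict of reachability analysis for this package

def triage(findings, vex_doc):
    """Split findings into actionable ones and (finding, reason) suppressions.
    Mirrors the UI filters "Not Affected" (VEX) and "Unreachable". A VEX
    statement covers only the exact purl it names: libfoo@1.0 != libfoo@1.1."""
    vex_na = {(st["vulnerability"]["name"], p["@id"])
              for st in vex_doc.get("statements", [])
              if st.get("status") == "not_affected"
              for p in st.get("products", [])}
    actionable, suppressed = [], []
    for f in findings:
        if (f.cve, f.purl) in vex_na:
            suppressed.append((f, "Not Affected"))  # vendor says not exploitable
        elif not f.reachable:
            suppressed.append((f, "Unreachable"))   # vulnerable code never runs
        else:
            actionable.append(f)
    return actionable, suppressed

# Constructed scan results: three base-layer packages plus one app dependency.
FINDINGS = [
    Finding("CVE-0000-0001", "pkg:deb/debian/libfoo@1.0", "base", True),
    Finding("CVE-0000-0001", "pkg:deb/debian/libfoo@1.1", "base", True),
    Finding("CVE-0000-0002", "pkg:deb/debian/libbar@2.0", "base", True),
    Finding("CVE-0000-0003", "pkg:npm/app-dep@3.1", "app", False),
    Finding("CVE-0000-0004", "pkg:npm/app-dep@3.1", "app", True),
]
```

Note that the second libfoo finding stays actionable: the VEX statement names only libfoo@1.0, so a rebuilt image that picks up a different package version is not covered until a matching statement exists.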


Step 6: Automate Security Workflows

Mend.io lets you operationalize security beyond scanning by setting up automated governance policies.

To implement, go to Mend’s “Workflows” section, create a new policy, and select the appropriate triggers (e.g., scan completed, threshold exceeded). Then connect actions (alert, fail build, create ticket).

Step 7: Leverage Continuous Patching and AI-Assisted Migration

For Enterprise DHI users, patched base images are automatically mirrored to Docker Hub private repositories. Mend.io verifies these updates, confirming that base-level risks are mitigated without requiring a manual pull request. To enable this, ensure your Mend.io integration is linked to your Docker Hub account and that automatic mirroring is turned on in your DHI settings.

Additionally, use Ask Gordon – Docker’s AI agent – to analyze existing Dockerfiles and recommend the most suitable DHI foundation. This reduces the friction of migrating legacy applications. Access Ask Gordon from the Docker Hub interface, paste your Dockerfile, and follow its suggestions.

Tips for Success
