Mend.io’s new Docker Hardened Images integration brings DHI intelligence directly into the AppSec workflow, giving a smarter, faster path to container security.

Container scanning has a noise problem.

Run a standard scan against any production image, and you’ll surface thousands of CVEs. Your team triages them, prioritizes them, assigns them—and then discovers that the vast majority are base image vulnerabilities tied to packages your application never touches and can’t directly fix. 

Hours spent. Risk posture unchanged.

Mend.io’s new Docker Hardened Images (DHI) integration is built to solve exactly this. Pulling Docker’s VEX intelligence directly into the Mend platform and combining it with Mend.io’s reachability analysis gives teams the clarity to focus on vulnerabilities that actually matter.

What Docker Hardened Images bring to the table

Docker Hardened Images are minimal, continuously patched base images built with software supply chain security as a foundational requirement. Each base image ships with VEX (Vulnerability Exploitability eXchange) statements, machine-readable declarations identifying which CVEs present in the image are not exploitable given how the software is actually used.

Without VEX, your scanner can’t distinguish between a CVE in a package that your application never touches and one that poses a true risk. Neither can your team.

When Mend.io scans a container built on a Docker Hardened Image, it automatically detects the DHI base no manual tagging, no configuration changes required. Within the Mend UI, DHI protected packages are marked with a dedicated Docker icon so anyone on the team immediately sees which components belong to Docker’s hardened foundation versus your application layer.

Two intelligence layers, one focused risk view

Mend.io ingests DHI’s VEX data as a primary Risk Factor source. Any CVE marked as not_affected is immediately deprioritized. On top of that, Mend’s reachability engine evaluates whether vulnerable code paths in your application dependencies are ever actually called at runtime.

The result: your team sees only vulnerabilities that are present, reachable, and exploitable. Everything else can be suppressed in bulk, potentially clearing thousands of non-exploitable CVEs in a single action—so you focus on the fraction of findings that represent genuine risk in your custom code.

Pipeline gating that reflects actual risk

Mend.io’s workflow engine lets you configure build gates to trigger only when high-risk, reachable vulnerabilities are introduced in your custom application code—not because of a base image CVE Docker has already declared non-exploitable. Your pipeline keeps moving. Your developers get failure signals they can actually act on.

Compliance as a byproduct

For organizations under SSDF, FedRAMP, or similar frameworks, Mend.io lets you export a full SBOM with a single click, backed by an auditable trail of VEX statements and reachability logs. Compliance evidence becomes a natural output of your standard development workflow—not a manual effort assembled before every audit.

The 1% that matters

Stop spending developer hours on the 99% of container vulnerabilities that don’t represent real risk. With zero-configuration detection, combined VEX and reachability filtering, automated base image patching, and one-click SBOM export, Mend.io and Docker Hardened Images give your team the signal-to-noise ratio container security has always needed.

*** This is a Security Bloggers Network syndicated blog from Mend authored by Shannon Davis. Read the original post at: https://www.mend.io/blog/docker-hardened-images-container-security/