
How to Achieve Precision Container Security with Docker Hardened Images and Black Duck

Last updated: 2026-05-13 05:34:03

Introduction

Modern containerized applications generate a flood of vulnerability alerts, but many of these are mere “noise”—weaknesses present in the base image that pose zero real risk to your running application. The integration between Docker Hardened Images (DHI) and Black Duck offers a definitive answer. By combining Docker’s secure-by-default foundations, VEX (Vulnerability Exploitability eXchange) statements, and Black Duck’s industry-leading analysis engines, your team can automatically separate base-layer noise from application-layer risk. This guide walks you through setting up and using this powerful integration step by step.

How to Achieve Precision Container Security with Docker Hardened Images and Black Duck
Source: www.docker.com

What You Need

  • A valid Docker subscription with access to Docker Hardened Images (DHI)
  • Black Duck Hub (version 2026 or later) with Binary Analysis (BDBA) enabled (released April 14, 2026) and/or Black Duck Software Composition Analysis (SCA) with upcoming DHI support
  • Container registry access (e.g., Docker Registry, Harbor) for storing DHI base images
  • Administrative privileges to configure Black Duck projects and policies
  • Understanding of VEX statements and how they express exploitability status (“not affected,” “affected,” “fixed”)

Step-by-Step Guide

  1. Step 1: Set Up Your Docker Hardened Images Environment

    Start by pulling a Docker Hardened Image from your Docker subscription. DHI base images are built with security defaults and include embedded VEX metadata. Use the standard docker pull command to fetch the image, for example: docker pull your-registry/dhi/ubuntu:22.04. Verify the image is tagged correctly and note its digest for later reference. Ensure your container runtime can access the registry without authentication issues.

  2. Step 2: Configure Black Duck for Container Scanning

    Log into your Black Duck instance and create a new project for container scanning. Under project settings, enable “Binary Analysis” if you plan to use BDBA (required for DHI support). For SCA users, ensure you have the latest SCA release that supports DHI identification (expected later in 2026). Add your container registry as a scan source if scanning natively; otherwise, use the Black Duck CLI or REST API to trigger scans manually. Assign appropriate user roles so your team can view results.

  3. Step 3: Scan Your Docker Hardened Image

    Trigger a scan of your DHI-based container image. Black Duck will automatically recognize the DHI base image without any manual tagging—this is zero-config recognition. The scanner performs signature-based binary analysis (via BDBA) to match components by their “fingerprint,” even if package metadata is stripped. The analysis runs against the “as-shipped” state of the container, ensuring accuracy. After scanning completes, review the project’s vulnerability report.

  4. Step 4: Leverage VEX Data for Precision Triage

    Black Duck ingests the VEX statements embedded in Docker Hardened Images. In the vulnerability report, look for vulnerabilities tagged with a VEX status. Docker provides VEX data that indicates which base-image vulnerabilities are “not affected” at the container level. Black Duck Security Advisories (BDSAs) further enrich this data. Use the filter or triage options to automatically ignore all “not affected” vulnerabilities, reducing noise significantly. This is precision triage—you focus only on application-layer risks that actually matter.

  5. Step 5: Apply Compliance Policies and Generate SBOMs

    Once you have a clean view of actual risks, apply Black Duck policies to enforce compliance. For example, require that no “critical” or “high” severity unaddressed vulnerabilities exist before deploying. Black Duck can export a high-fidelity Software Bill of Materials (SBOM) enriched with VEX exploitability status. This SBOM supports regulatory obligations like the European Cyber Resilience Act (CRA), FDA requirements for medical devices, and government agency standards. Export the SBOM in CycloneDX or SPDX format and attach it to your release artifacts.

  6. Step 6: Integrate into CI/CD Pipeline

    For continuous security, add Black Duck scanning to your CI/CD pipeline. Use Black Duck’s REST API or command-line tools to scan each build that uses a DHI base image. Fail the build if policy violations are detected that aren’t covered by VEX “not affected” status. This automates the separation of noise from risk, giving developers immediate feedback. Over time, refine your policies based on real-world exploitability data from BDSAs and Docker’s intelligence.

  7. Step 7: (Optional) Unify with SCA for Full SDLC Visibility

    If you are using Black Duck SCA, the upcoming integration will bring DHI insights directly into your source-side dependency management. This allows you to apply the same governance policies to container base images as you do to application code—all within a single pane of glass. When this feature becomes available, enable the DHI identification support in your SCA project settings. Then, review comprehensive SBOMs that cover both base-image components and application dependencies.
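As an added example (not code from Docker, Black Duck or the original post), the script below applies the VEX triage of Step 4 and the CI policy gate of Steps 5 and 6 to a constructed OpenVEX document and a constructed list of scanner findings. It assumes the VEX data arrives in OpenVEX form; the CVE ids, package URLs, severities and the `gate`/`triage` helper names are placeholders, not values from the page.

```python
import json
# Constructed OpenVEX document and scanner findings standing in for the VEX attestation
# of a DHI base image and a scan of the final image. All ids and purls are placeholders.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:deb/ubuntu/libfoo@1.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:deb/ubuntu/libbar@2.1"}],
     "status": "fixed"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "pkg:deb/ubuntu/libbaz@3.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-0004"}, "products": [{"@id": "pkg:deb/ubuntu/libqux@4.2"}],
     "status": "not_affected"}
  ]}""")
FINDINGS = [  # base-layer findings plus one application-layer dependency (constructed)
    {"cve": "CVE-0000-0001", "purl": "pkg:deb/ubuntu/libfoo@1.0", "severity": "critical"},
    {"cve": "CVE-0000-0002", "purl": "pkg:deb/ubuntu/libbar@2.1", "severity": "high"},
    {"cve": "CVE-0000-0003", "purl": "pkg:deb/ubuntu/libbaz@3.0", "severity": "high"},
    {"cve": "CVE-0000-0004", "purl": "pkg:deb/ubuntu/libqux@4.2", "severity": "high"},
    {"cve": "CVE-0000-0005", "purl": "pkg:pypi/appdep@0.9", "severity": "critical"},
]
BLOCKING_SEVERITIES = {"critical", "high"}
ADDRESSED = {"not_affected", "fixed"}  # VEX statuses that settle a finding

def vex_index(doc):
    """Map (cve, purl) -> (status, justification) from an OpenVEX document."""
    idx = {}
    for st in doc["statements"]:
        for product in st["products"]:
            idx[(st["vulnerability"]["name"], product["@id"])] = (st["status"], st.get("justification"))
    return idx

def triage(findings, doc):
    """Attach the VEX status to each finding; findings with no statement stay 'unknown'."""
    idx = vex_index(doc)
    triaged = []
    for f in findings:
        status, justification = idx.get((f["cve"], f["purl"]), ("unknown", None))
        # OpenVEX requires a justification on not_affected; without one, never suppress.
        if status == "not_affected" and not justification:
            status = "unverified_not_affected"
        triaged.append({**f, "vex_status": status, "justification": justification})
    return triaged

def gate(findings=FINDINGS, doc=VEX_DOC):
    """CI policy gate: (passed, blocking CVE ids) for critical/high findings VEX does not address."""
    bad = [t for t in triage(findings, doc)
           if t["severity"] in BLOCKING_SEVERITIES and t["vex_status"] not in ADDRESSED]
    return (not bad, sorted(t["cve"] for t in bad))
```

Only the application-layer CVE, the still-under-investigation one and the unjustified "not affected" claim survive the gate; the justified base-layer "not affected" and "fixed" entries are the noise Step 4 removes.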

Tips for Success

  • Always start with the latest DHI version – Docker Hardened Images are regularly updated with security fixes and refined VEX data. Stale images may contain outdated exploitability assessments.
  • Train your team on VEX interpretation – Not all “not affected” statuses are equal. Read the Docker VEX documentation to understand how they determine exploitability, and combine that with Black Duck’s BDSAs for maximum accuracy.
  • Use layer-specific analysis – Black Duck’s binary match identifies components layer by layer. When scanning multi-stage builds, verify that only the final runtime layer is included in the SBOM to avoid irrelevant dependencies.
  • Periodically audit your SBOM exports – Ensure your SBOMs include the VEX status field. Some regulatory bodies may require proof of exploitability consideration, not just a list of CVEs.
  • Monitor the Black Duck roadmap – The DHI integration for SCA is upcoming. After it releases, migrate existing DHI scanning projects to SCA to gain unified policy management and reduce tool sprawl.
  • Automate exception handling – Instead of manually triaging “not affected” vulnerabilities each scan, configure Black Duck to automatically suppress those with a VEX status of “not affected” from critical dashboards. This eliminates noise without sacrificing visibility.

By following these steps, your organization can achieve precision container security—focusing effort on genuine application risks while leveraging Docker’s secure base images and Black Duck’s advanced analysis. This “Better Together” approach reduces triage costs, eliminates false positives, and keeps your team compliant with evolving global regulations.