{"id":4302,"date":"2026-06-11T12:13:50","date_gmt":"2026-06-11T12:13:50","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/11\/docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido\/"},"modified":"2026-06-11T12:13:50","modified_gmt":"2026-06-11T12:13:50","slug":"docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/11\/docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido\/","title":{"rendered":"Docker Hardened Images enhanced vulnerability scanning with Docker and Aikido"},"content":{"rendered":"<p>Aikido now scans Docker Hardened Images (DHI) with built-in VEX support. Vulnerabilities that Docker has verified as non-exploitable drop out of the queue automatically, so developers spend their time on findings that actually matter. This post walks through what changed, why it matters, and how users can benefit from the new integration.<\/p>\n<div class=\"wp-block-ponyo-video fade-in\">\n<div data-player=\"YouTube\" data-id=\"QATX624E9L4\"><\/div>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Why teams are drowning in CVEs<\/strong><\/h2>\n<p>Modern application teams drown in CVEs, and the volume is climbing fast. AI coding agents now generate and assemble software far faster than any team can review it, pulling in dependencies by the hundreds and spinning up new services on demand. Every base image they reach for is another stack of CVEs landing in someone\u2019s queue. The faster code ships, the more it matters that it starts from a foundation that\u2019s already minimal, already patched, and already vetted \u2014 which is exactly why hardened images matter more now than they ever have.<\/p>\n<p>Docker Hardened Images addresses this problem at the source. 
DHI images are purpose-built, often distroless, and ship with only the software the workload needs. The attack surface is smaller by construction, and patches land faster than upstream in many cases.<\/p>\n<p>A smaller attack surface only helps if your scanner can see it. Distroless images break tools that expect a package manager database or a shell to inspect. Without that database to read, naive scanning guesses at what is installed, reporting components that are not actually present or flagging CVEs in code paths that cannot be reached. Teams end up triaging noise that the image author already knew was not a problem.<\/p>\n<p>The new integration closes this gap. DHI publishes signed VEX attestations alongside each image. Aikido reads those attestations and applies them during triage. The CVEs Docker has already cleared get filtered out, with the reason from the attestation attached.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Before you begin<\/strong><\/h2>\n<p>You need three things to scan DHI with Aikido:<\/p>\n<ul class=\"wp-block-list\">\n<li>An active <a href=\"https:\/\/www.aikido.dev\/\" rel=\"nofollow noopener\" target=\"_blank\">Aikido<\/a> account.<\/li>\n<li>Access to <a href=\"https:\/\/docs.docker.com\/dhi\/get-started\/\" rel=\"nofollow noopener\" target=\"_blank\">Docker Hardened Images<\/a>.<\/li>\n<li>A <a href=\"https:\/\/docs.docker.com\/security\/access-tokens\/\" rel=\"nofollow noopener\" target=\"_blank\">Docker Hub Personal Access Token<\/a> with read-only scope. Read access is all the scan needs, so do not grant the token a broader scope.<\/li>\n<\/ul>\n<p>If your Docker Hub registry is already connected to Aikido, skip the next section.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Connect Docker Hub to Aikido<\/strong><\/h2>\n<ol class=\"wp-block-list\">\n<li>In Aikido, go to <strong>Settings &gt; Containers<\/strong> and click <strong>Connect Registry<\/strong>.<\/li>\n<li>Select <strong>Docker Hub<\/strong>.<\/li>\n<li>Enter your organization namespace, username, and Personal Access Token.<\/li>\n<\/ol>\n<p>Aikido discovers your repositories and lists them for scanning.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Scan a Docker Hardened 
Image<\/strong><\/h2>\n<p>Once the registry is connected, open the registry action menu and click <strong>Scan repos in registry<\/strong>. There is no extra configuration for DHI. Aikido detects hardened images automatically and applies the right data sources in the background.<\/p>\n<p>Under the hood, the workflow follows the DHI technical spec:<\/p>\n<ol class=\"wp-block-list\">\n<li><strong>Detection.<\/strong> Aikido identifies the DHI base image from the image reference and registry metadata.<\/li>\n<li><strong>Cataloging.<\/strong> The scanner pulls the signed SPDX 2.3 SBOM published with the image. SBOMs are retrieved through OCI 1.1 referrer lookup against the registry, or from \/opt\/docker\/sbom\/ when present. Reading the vetted SBOM gives complete, accurate component data, including exact package versions, where indexing a distroless filesystem would not.<\/li>\n<li><strong>Matching.<\/strong> Components are matched by PURL against the Docker OSV feed and upstream advisory feeds.<\/li>\n<li><strong>Applying VEX.<\/strong> Aikido overlays the OpenVEX statements Docker publishes for the image and suppresses every finding whose statement carries the status fixed or not_affected. Both documents are signed, and each VEX statement names the image digest it describes, so the scanner can confirm that an attestation was issued for the exact image under scan before acting on it.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\"><strong>How VEX status shows up<\/strong><\/h2>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[]\">\n<tr class=\"wp-block-ponyo-table-header\">\n<th class=\"wp-block-ponyo-cell\" data-responsive-table-heading=\"VEX status\">VEX status<\/th>\n<th class=\"wp-block-ponyo-cell\" data-responsive-table-heading=\"What it means\">What it means<\/th>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">Fixed<\/td>\n<td class=\"wp-block-ponyo-cell\">The vulnerability is patched in this image (OpenVEX status fixed). Aikido filters these out of the active queue.<\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">Not Affected<\/td>\n<td class=\"wp-block-ponyo-cell\">Docker has verified the CVE is a false positive or non-exploitable in context (OpenVEX status not_affected), and the statement carries a justification saying why. Aikido suppresses these by default.<\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">Under Investigation<\/td>\n<td class=\"wp-block-ponyo-cell\">Impact is still being assessed by Docker (OpenVEX status under_investigation). The finding stays in the queue.<\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">Affected<\/td>\n<td class=\"wp-block-ponyo-cell\">The vulnerability applies, and a fix is not yet available (OpenVEX status affected). The finding stays in the queue.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>What you see in Aikido<\/strong><\/h2>\n<p>Aikido keeps the UI focused on a single question: is this image vulnerable or not? When Docker\u2019s VEX attestation indicates a CVE doesn\u2019t require triage (for example, it\u2019s been fixed or marked not affected), Aikido filters it out of the active queue automatically. You don\u2019t have to triage it, tag it, or click through anything. Findings that remain in the queue are the ones that genuinely apply to the image, so your team spends time only on what matters.<\/p>\n<p>Behind the scenes, Aikido still consumes the full OpenVEX statement (status, justification, image digest) for audit and compliance purposes. It just isn\u2019t surfaced as a status drill-down in the UI, because in practice nobody triaging vulnerabilities wants to dig through VEX metadata.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What the result looks like<\/strong><\/h2>\n<p>On a typical DHI workload, the active queue shrinks dramatically once VEX is applied. A scan that returns several hundred CVEs against a generic base image collapses to the handful of findings the image actually carries.<\/p>\n<p>A concrete example: a CVE in a parser library shows up across most base images. Docker marks it not_affected in the DHI build because the vulnerable code path cannot be reached by an adversary (in OpenVEX terms, a justification such as vulnerable_code_not_in_execute_path). Aikido reads that statement, files the CVE under \u201cVEX indicates not affected,\u201d and your team never sees it in triage. The justification stays attached if an auditor asks. That verdict describes the hardened image as Docker ships it; if your own layers call into the same library, re-check that the justification still holds for your build.<\/p>\n<p>For teams pursuing FedRAMP, SOC 2, or other compliance regimes, this matters twice: the findings list is honest, and the exceptions are signed, attributable to the image publisher, and traceable back to a public attestation. 
You are not handing auditors a wall of red.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Recap<\/strong><\/h2>\n<p>The integration is based on the following information provided by Docker Hardened Images:<\/p>\n<ul class=\"wp-block-list\">\n<li>Signed SBOMs give Aikido complete component data without trying to index a distroless filesystem.<\/li>\n<li>OpenVEX attestations carry Docker\u2019s exploitability verdict, with justification, directly into the scanner.<\/li>\n<\/ul>\n<p>The outcome is a triage queue that reflects real exploitability in your image, not a flat dump of every CVE that ever touched an upstream package. If you have not started with hardened images yet, the <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Docker Hardened Images<\/a> documentation is the place to begin.<\/p>\n<h2 class=\"wp-block-heading\">Learn more about the integration<\/h2>\n<p>On June 26th, Aikido is hosting a webinar for those interested in learning more about the integration.<\/p>\n<p><a href=\"https:\/\/luma.com\/aikido-docker\" rel=\"nofollow noopener\" target=\"_blank\"><strong>Register for Aikido x Docker: Less Noise, More Signal in Container Security<\/strong><\/a><\/p>\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Review our Docker Hardened Images documentation<\/a>.<\/li>\n<li><a href=\"https:\/\/help.aikido.dev\/container-image-scanning\/standalone-registries\" rel=\"nofollow noopener\" target=\"_blank\">Set up Docker Hub registry on Aikido<\/a>.<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Aikido now scans Docker Hardened Images (DHI) with built-in VEX support. 
Vulnerabilities that Docker has verified as non-exploitable drop out [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":94,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-4302","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4302"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4302\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
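The four-step workflow under "Scan a Docker Hardened Image" (signed SBOM, PURL matching against advisory feeds, OpenVEX overlay) and the VEX status table, worked through as an added Python example. This is not Aikido's or Docker's code: the SPDX fragment, the OSV-shaped advisories, the OpenVEX document, the image digests and the CVE-0000-000x identifiers are all constructed placeholders, and verifying the attestation signatures is assumed to have happened before this step. It goes one step beyond the post in the three checks a scanner needs before trusting a statement: the product must be the exact image digest under scan, a not_affected statement must carry an OpenVEX justification or impact_statement, and subcomponent scoping must match the component that triggered the finding.

```python
"""SBOM -> PURL match -> OpenVEX overlay, mirroring the DHI scan workflow. Added example, not
Aikido's or Docker's code; sample data is constructed; attestation signatures assumed verified."""
import json
from urllib.parse import unquote

SUPPRESSING = {"not_affected", "fixed"}  # statuses that leave the active queue
VALID_JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",  # OpenVEX 0.2.0
                        "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
                        "vulnerable_code_cannot_be_controlled_by_adversary"}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].lstrip("/").partition("#")[0].partition("?")[0]  # drop subpath, qualifiers
    head, _, last = rest.rpartition("/")
    last, _, version = last.partition("@")  # an npm scope's '@' sits before the last '/'
    segs = (head.split("/") if head else []) + [last]
    return {"type": segs[0].lower(), "name": unquote(segs[-1]),
            "namespace": "/".join(map(unquote, segs[1:-1])) or None,
            "version": unquote(version) or None}

def purl_key(purl):  # component identity without version or qualifiers
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"])

def sbom_purls(spdx):
    """Package PURLs from an SPDX 2.3 JSON document's externalRefs."""
    return [ref["referenceLocator"] for pkg in spdx.get("packages", [])
            for ref in pkg.get("externalRefs", []) if ref.get("referenceType") == "purl"]

def match_advisories(purls, advisories):
    """Pair each component with every advisory listing its exact version. Real scanners also
    evaluate OSV 'ranges' with ecosystem-aware ordering; this honours 'versions' lists only."""
    findings = []
    for purl in purls:
        version = parse_purl(purl)["version"]
        for adv in advisories:
            for aff in adv.get("affected", []):
                if (purl_key(aff["package"]["purl"]) == purl_key(purl)
                        and version in aff.get("versions", [])):
                    findings.append({"id": adv["id"], "purl": purl})
    return findings

def vex_verdict(finding, vex, image_ref):
    """(status, reason) from the first well-formed statement naming this CVE, this exact
    image digest and, if the product is scoped, this component; else (None, None)."""
    for st in vex.get("statements", []):
        if st.get("vulnerability", {}).get("name") != finding["id"]:
            continue
        for prod in st.get("products", []):
            if prod.get("@id") != image_ref:
                continue  # a statement about another image digest never applies
            subs = [s["@id"] for s in prod.get("subcomponents", [])]
            if subs and purl_key(finding["purl"]) not in map(purl_key, subs):
                continue  # scoped to other components of this image
            if st.get("status") == "not_affected" and not (
                    st.get("justification") in VALID_JUSTIFICATIONS or st.get("impact_statement")):
                continue  # OpenVEX requires a justification or impact_statement here
            return st.get("status"), st.get("justification") or st.get("impact_statement")
    return None, None

def triage(spdx, advisories, vex, image_ref):
    """Split findings into the active queue and the VEX-suppressed set, verdict attached."""
    result = {"queue": [], "suppressed": []}
    for f in match_advisories(sbom_purls(spdx), advisories):
        status, reason = vex_verdict(f, vex, image_ref)
        result["suppressed" if status in SUPPRESSING else "queue"].append(
            dict(f, vex_status=status, reason=reason))
    return result

def statement(cve, status, product, **extra):  # one OpenVEX statement
    return {"vulnerability": {"name": cve}, "products": [product], "status": status,
            "timestamp": "2026-06-01T00:00:00Z", **extra}

# Constructed sample input: placeholder digests, package names and CVE ids.
IMAGE = "pkg:oci/sample-app@sha256:" + "0" * 63 + "1"        # image under scan
OTHER_IMAGE = "pkg:oci/sample-app@sha256:" + "0" * 63 + "2"  # an unrelated build
SBOM = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": parse_purl(p)["name"], "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl", "referenceLocator": p}]}
    for p in ("pkg:deb/debian/libparser@1.2.0-1?arch=amd64",
              "pkg:deb/debian/libnet@3.0.1-2?arch=amd64", "pkg:deb/debian/libz@1.3-1?arch=amd64")]}
ADVISORIES = [{"id": f"CVE-0000-000{i}",  # OSV-shaped records
               "affected": [{"package": {"purl": f"pkg:deb/debian/{name}"}, "versions": [ver]}]}
              for i, (name, ver) in enumerate([("libparser", "1.2.0-1"), ("libparser", "1.2.0-1"),
                  ("libnet", "3.0.1-2"), ("libz", "1.3-1"), ("libnet", "3.0.1-2")], start=1)]
VEX = {"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/sample-app",
       "author": "constructed example", "version": 1, "statements": [
    statement("CVE-0000-0001", "not_affected",  # scoped to libparser: suppressed, reason kept
              {"@id": IMAGE, "subcomponents": [{"@id": "pkg:deb/debian/libparser"}]},
              justification="vulnerable_code_not_in_execute_path"),
    statement("CVE-0000-0002", "under_investigation", {"@id": IMAGE}),  # stays in the queue
    statement("CVE-0000-0003", "fixed", {"@id": IMAGE}),                # backported fix: suppressed
    statement("CVE-0000-0004", "not_affected", {"@id": OTHER_IMAGE},    # other digest: ignored
              justification="component_not_present"),
    statement("CVE-0000-0005", "not_affected", {"@id": IMAGE})]}        # no justification: ignored
if __name__ == "__main__":
    print(json.dumps(triage(SBOM, ADVISORIES, VEX, IMAGE), indent=2))
```

Running the script leaves CVE-0000-0001 and CVE-0000-0003 in the suppressed set with their verdicts attached, and keeps the under_investigation finding, the statement issued for a different digest, and the unjustified not_affected statement in the active queue. Two simplifications to note: `vex_verdict` takes the first applicable statement, whereas a production overlay should prefer the statement with the newest timestamp when several cover the same vulnerability and product, and `match_advisories` only honours explicit version lists, so OSV range events need an ecosystem-aware version comparison (dpkg, semver and so on) before this logic is useful against live feeds.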