Mastering Container Security: A Step-by-Step Guide to Docker Hardened Images with Black Duck
Introduction
Modern containerized applications face a critical challenge: separating genuine application-layer vulnerabilities from base-layer noise that poses no real risk. Docker Hardened Images (DHI), combined with Black Duck's advanced analysis, offer a powerful solution. This guide walks you through implementing this integration to automate vulnerability triage, leverage VEX (Vulnerability Exploitability eXchange) data, and produce compliant Software Bills of Materials (SBOMs). By following these steps, your team can reduce false positives, cut triage costs, and meet regulatory obligations such as the European Cyber Resilience Act or FDA medical device standards.

What You Need
- Docker Hardened Images (DHI) subscription – Access to secure-by-default base images with built-in VEX statements.
- Black Duck account – Either Black Duck Binary Analysis (BDBA) or Software Composition Analysis (SCA) license. BDBA is the primary integration as of April 2026; SCA support follows soon.
- Container runtime environment – e.g., Docker Desktop, Docker Engine, or Kubernetes cluster.
- Access to the Black Duck scan interface – Web UI or CLI/API.
- Optional: CI/CD pipeline – For automated scanning (e.g., GitHub Actions, Jenkins).
Step-by-Step Guide
Step 1: Set Up Docker Hardened Images
Start by subscribing to Docker Hardened Images. These images are built on a secure-by-default foundation and ship with VEX statements that indicate which vulnerabilities are exploitable in the image and which are not. Pull a DHI base image by its tag, for example docker.io/docker/dhi:ubuntu-22.04, and verify the image signature to confirm its integrity before you build on it. For example, to pull the image:
docker pull docker/dhi:ubuntu-22.04
Once pulled, you can use it as the base layer for your application containers.
Step 2: Integrate Black Duck with Your Docker Environment
Navigate to your Black Duck instance. Under Integrations, enable the Docker connector. Provide your Docker registry credentials and specify the DHI repository. Black Duck will automatically detect DHI base images without manual tagging – this is the zero-config recognition feature. For BDBA (Binary Analysis), ensure your Black Duck version is 2026.04 or later. For SCA users, wait for the upcoming release that unifies DHI intelligence with source-side dependency management.
Step 3: Enable VEX Data Integration
In Black Duck, navigate to Policies and activate the VEX Exploitability Filter. This setting instructs Black Duck to consume Docker-provided VEX statements. By doing so, the scanner marks vulnerabilities that Docker declares “not affected” as ignored or de-prioritized. This reduces triage noise by up to 70% (as per Docker data). You can also create custom policies that fail a build only if a vulnerability is both present and labeled “exploitable” in the VEX.
Step 4: Perform a Container Scan
Run a scan on your DHI-based container image. Use Black Duck’s CLI or web UI. For example:
blackduck scan --image myapp:latest
Black Duck will automatically identify the base image as a DHI and cross-reference its VEX data. The scan produces a vulnerability report that separates base-layer “noise” from application-layer risks. The report includes:
- Vulnerabilities with VEX status (affected, not affected, under investigation).
- Black Duck Security Advisories (BDSAs) for additional context.
- Exploitability scores from both Docker and Black Duck’s proprietary research.
Step 5: Triage with Precision
Review the filtered vulnerability list. Open the VEX Filtered View in Black Duck. Here you will see only vulnerabilities that are either “affected” or have no VEX statement. For each remaining item, check the Exploitability column – it combines Docker’s threat assessment with Black Duck’s intelligence. You can bulk-mark items as “ignore” if they are confirmed not exploitable in your runtime context. This step reduces manual triage from hours to minutes.
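The filtering logic behind Steps 3 and 5 (consume the base image's VEX statements, hide what the maintainer declares "not affected", and fail a build only when a finding is both present and labelled "affected") can be shown end to end. The following is an added illustration, not Black Duck's or Docker's code; it assumes the VEX document is in OpenVEX JSON form and that scanner findings are available as simple (CVE, package URL, severity) records. Both inputs are constructed samples with placeholder CVE ids, and findings with no VEX statement or with status under_investigation are deliberately kept in view for human triage.

```python
"""VEX-driven triage of container scan findings (added example, not vendor code).

Assumptions: the VEX document is OpenVEX JSON; scanner findings are plain
(cve, purl, severity) tuples. All data below is constructed sample input.
"""
import json

# Constructed sample: an OpenVEX document such as a hardened base image might
# ship for its base-layer packages. The CVE identifiers are placeholders.
VEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/sample-base-image",
  "author": "example-base-image-maintainer",
  "timestamp": "2026-04-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:deb/ubuntu/libfoo@1.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_present"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:deb/ubuntu/libbar@2.3"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:deb/ubuntu/libbaz@0.9"}],
     "status": "under_investigation"}
  ]
}
""")

# Constructed sample scanner findings: (cve, package purl, severity).
# The last entry is an application-layer dependency with no VEX coverage.
FINDINGS = [
    ("CVE-0000-0001", "pkg:deb/ubuntu/libfoo@1.0", "critical"),
    ("CVE-0000-0002", "pkg:deb/ubuntu/libbar@2.3", "high"),
    ("CVE-0000-0003", "pkg:deb/ubuntu/libbaz@0.9", "medium"),
    ("CVE-0000-0004", "pkg:pypi/myapp-dep@4.2", "critical"),
]


def index_vex(vex_doc):
    """Map (cve, product purl) -> OpenVEX status."""
    index = {}
    for stmt in vex_doc["statements"]:
        cve = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            index[(cve, product["@id"])] = stmt["status"]
    return index


def triage(findings, vex_doc):
    """Attach a VEX verdict to each finding; 'no_statement' when none applies."""
    index = index_vex(vex_doc)
    return [
        {"cve": cve, "product": purl, "severity": sev,
         "vex_status": index.get((cve, purl), "no_statement")}
        for cve, purl, sev in findings
    ]


def filtered_view(triaged):
    """The VEX-filtered view: drop findings the maintainer marked not_affected or fixed.
    under_investigation and no_statement stay visible so a human looks at them."""
    return [f for f in triaged if f["vex_status"] not in ("not_affected", "fixed")]


def build_should_fail(triaged, gate_severities=("critical", "high")):
    """Policy gate: fail only when a finding is present AND VEX says 'affected'
    at a gated severity. Unclassified findings never fail the build on their own."""
    return any(
        f["vex_status"] == "affected" and f["severity"] in gate_severities
        for f in triaged
    )


if __name__ == "__main__":
    results = triage(FINDINGS, VEX_DOC)
    for f in filtered_view(results):
        print(f"{f['cve']:14} {f['severity']:9} {f['vex_status']}")
    print("build fails:", build_should_fail(results))
```

The gate is intentionally narrow: a critical finding without any VEX statement (the application-layer dependency above) is surfaced in the filtered view but does not fail the build by itself, which matches the "present and labelled exploitable" policy the text describes. Tighten it to `gate_severities=("critical",)` or treat `no_statement` as failing if your risk appetite demands it.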

Step 6: Generate a High-Fidelity SBOM
After scanning, export the Software Bill of Materials. In Black Duck, go to Reports → SPDX 2.3 or CycloneDX. Enable the option to include VEX exploitability status. The resulting SBOM will list every component with its associated vulnerability, VEX verdict, and compliance metadata. This export supports global regulations like the EU Cyber Resilience Act (CRA) and FDA medical device standards. You can also automate this step in your CI/CD pipeline to produce an SBOM on every build.
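To make concrete what "an SBOM that includes VEX exploitability status" looks like on disk, here is an added example that emits a CycloneDX 1.5 JSON document with the VEX verdict carried in each vulnerability's analysis block. It is illustrative code, not Black Duck's exporter: it assumes the triaged findings are already available as plain records (constructed below with placeholder CVE ids), maps OpenVEX statuses and justifications onto the CycloneDX analysis states, and includes the one consistency check an auditor will run first, that every vulnerability references a component that is actually in the BOM.

```python
"""CycloneDX 1.5 SBOM with embedded VEX verdicts (added example, not vendor code).

Assumptions: findings are plain records with an OpenVEX status/justification;
component inventory is a plain list. All data below is constructed sample input.
"""
import json
from datetime import datetime, timezone

# OpenVEX status -> CycloneDX analysis.state
STATE_MAP = {
    "not_affected": "not_affected",
    "affected": "exploitable",
    "fixed": "resolved",
    "under_investigation": "in_triage",
}

# OpenVEX justification -> CycloneDX analysis.justification
JUSTIFICATION_MAP = {
    "component_not_present": "code_not_present",
    "vulnerable_code_not_present": "code_not_present",
    "vulnerable_code_not_in_execute_path": "code_not_reachable",
    "vulnerable_code_cannot_be_controlled_by_adversary": "protected_by_mitigating_control",
    "inline_mitigations_already_exist": "protected_by_mitigating_control",
}

# Constructed sample inventory and triaged findings (placeholder identifiers).
COMPONENTS = [
    {"name": "libfoo", "version": "1.0", "purl": "pkg:deb/ubuntu/libfoo@1.0"},
    {"name": "myapp-dep", "version": "4.2", "purl": "pkg:pypi/myapp-dep@4.2"},
]
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:deb/ubuntu/libfoo@1.0",
     "vex_status": "not_affected", "justification": "vulnerable_code_not_present"},
    {"cve": "CVE-0000-0004", "purl": "pkg:pypi/myapp-dep@4.2",
     "vex_status": None, "justification": None},  # no VEX statement at all
]


def to_analysis(finding):
    """Translate one VEX verdict into a CycloneDX analysis block."""
    status = finding.get("vex_status")
    analysis = {"state": STATE_MAP.get(status, "in_triage")}
    justification = JUSTIFICATION_MAP.get(finding.get("justification"))
    # A justification is only meaningful for a not_affected verdict.
    if analysis["state"] == "not_affected" and justification:
        analysis["justification"] = justification
    analysis["detail"] = ("VEX statement supplied by base image maintainer"
                          if status else "no VEX statement; requires manual triage")
    return analysis


def build_sbom(components, findings, image_ref="myapp:latest"):
    """Assemble a CycloneDX 1.5 JSON document: components plus VEX-annotated vulnerabilities."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "container", "name": image_ref, "bom-ref": image_ref},
        },
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": c["purl"], "bom-ref": c["purl"]}
            for c in components
        ],
        "vulnerabilities": [
            {"id": f["cve"], "analysis": to_analysis(f), "affects": [{"ref": f["purl"]}]}
            for f in findings
        ],
    }


def dangling_refs(sbom):
    """Audit check: every vulnerability must point at a component present in the BOM."""
    known = {c["bom-ref"] for c in sbom["components"]}
    return sorted(a["ref"] for v in sbom["vulnerabilities"]
                  for a in v["affects"] if a["ref"] not in known)


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS, FINDINGS)
    print("dangling refs:", dangling_refs(sbom))
    print(json.dumps(sbom, indent=2))
```

Keeping the VEX verdict inside the SBOM rather than in a side channel is what gives the "audit trail" mentioned later in the tips: a reviewer can see, per component, both the finding and the documented reason it was (or was not) accepted.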
Step 7: Automate in CI/CD (Optional but Recommended)
Integrate Black Duck scanning into your pipeline. For GitHub Actions, use the blackduck/scan-action with its dhi input enabled. Example snippet:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: blackduck/scan-action@v1
        with:
          image: myapp:latest
          dhi: true
This step ensures every container image is scanned and VEX-filtered before deployment.
Conclusion & Tips
By following this guide, you’ve established a precision container security workflow that eliminates base-layer noise and focuses on real application risk. Here are some additional tips to maximize your results:
- Keep DHI Updated – Regularly pull the latest DHI images to benefit from the most recent security patches and VEX updates.
- Combine BDBA and SCA – When SCA support for DHI becomes available, use both analysis types: BDBA for binary-level accuracy and SCA for source-level dependency tracking. This gives you a comprehensive SBOM across the entire SDLC.
- Leverage Custom Policies – Create Black Duck policies that automatically fail builds when a critical exploitable vulnerability is found. Use VEX status as a policy condition.
- Monitor the Roadmap – Black Duck plans to extend DHI recognition to its SCA platform soon. Check release notes to benefit from unified intelligence.
- Audit Compliance – Use the enriched SBOM to demonstrate compliance with regulations like the Cyber Resilience Act or FDA guidelines. The VEX data is a strong audit trail.
- Train Your Team – Educate developers on interpreting VEX status and Black Duck reports. This reduces time spent on false positives.
Remember, the “Better Together” philosophy of Docker and Black Duck transforms container security from a noisy, error-prone chore into a streamlined, compliant process. Start with these steps and iterate as your environment evolves.