Achieving Precision Container Security with Docker and Black Duck

Introduction

Modern containerized applications generate a torrent of vulnerability alerts, many of which are noise—flaws present in base layers but irrelevant to your app's runtime. The integration of Docker Hardened Images (DHI) with Black Duck cuts through this clutter. This guide walks you through setting up a precision container security workflow that automatically filters out irrelevant vulnerabilities, leverages VEX (Vulnerability Exploitability eXchange) data, and delivers actionable SBOMs for compliance. By the end, you'll have a repeatable process for separating base-layer noise from true application risk.

Source: www.docker.com

What You Need

  • Docker account with access to Docker Hardened Images (DHI) – a subscription is required.
  • Black Duck instance (on-prem or cloud) with Binary Analysis (BDBA) enabled (available from April 14, 2026). Optional: Black Duck SCA (coming soon for DHI integration).
  • Container runtime (Docker Engine, containerd, etc.) to run and scan images.
  • Basic familiarity with Docker CLI and Black Duck scanning workflows.
  • Network access to Docker Hub and Black Duck APIs.

Step-by-Step How-To Guide

Step 1: Pull and Verify a Docker Hardened Image

Docker Hardened Images are pre-configured with security defaults, stripped of unnecessary packages, and include a VEX manifest that declares which known vulnerabilities do not affect the image. Start by pulling a DHI from Docker Hub:

docker pull docker.io/docker/dhi:latest

Verify the image is indeed a DHI by checking the label:

docker inspect docker.io/docker/dhi:latest --format='{{.Config.Labels}}'

Look for a label like com.docker.hardened.image or com.docker.vex. This confirms VEX data is embedded.

Step 2: Configure Black Duck to Auto-Identify DHI

Black Duck automatically recognizes DHI base images during scanning—no manual tagging required. Ensure your Black Duck instance is updated to the version that includes DHI detection (BDBA integration released April 14, 2026). In the Black Duck UI, navigate to System Settings > Container Scanning and enable Auto-detect Docker Hardened Images. This step leverages zero-config recognition so your scans will automatically treat DHI layers as trusted sources.

Step 3: Scan the Container with Black Duck Binary Analysis

Use the Black Duck CLI or API to initiate a binary analysis scan of the DHI. Example with the Black Duck CLI:

blackduck scan --type container --image docker.io/docker/dhi:latest --output sbom.json

Black Duck’s BDBA engine performs a deep, signature-based inspection of compiled assets (libraries, binaries) within the image. Because DHIs often strip package metadata, binary fingerprinting ensures accurate component identification even when manifest files are missing or altered.

Step 4: Apply VEX Data to Filter Out Noise

Docker provides VEX statements inside the image metadata. Black Duck reads these during the scan and cross-references its own Security Advisories (BDSAs). In the scan results, vulnerabilities marked as “not affected” by Docker’s VEX will be automatically suppressed or tagged as ignorable noise. To apply this filtering in Black Duck:

  1. Go to the scan report in Black Duck.
  2. Use the VEX Status filter: choose Not Affected to hide base-layer noise.
  3. Enable Precision Triage mode to apply Docker-provided exploitability data alongside BDSAs. This reduces triage costs by eliminating false positives before they reach your team.

Step 5: Generate a High-Fidelity SBOM with VEX Context

Compliance demands transparency. Generate a Software Bill of Materials (SBOM) enriched with VEX exploitability status. In Black Duck, export the SBOM in SPDX or CycloneDX format:

blackduck export --scan-id <scan-id> --format cyclonedx --output sbom-vex.json

This SBOM includes CVE entries with Docker’s VEX status (e.g., exploitability: none) and Black Duck’s proprietary analysis. Such enriched SBOMs satisfy regulations like the European Cyber Resilience Act (CRA), FDA medical device guidelines, and government mandates.
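The following is an added worked example (not Docker's or Black Duck's code) of what Steps 4 and 5 do inside the tooling: it indexes a VEX document against the image it describes, suppresses only findings that carry an explicit not_affected statement, keeps everything else actionable, lists suppressions that have no justification so they can be reviewed, and writes CycloneDX-style vulnerability entries whose analysis state carries the VEX status. It assumes the statements are in OpenVEX format; the VEX document, the CVE ids, the image purl, the findings and all function names are constructed for the example.

```python
"""Apply OpenVEX statements to container scan findings and emit CycloneDX-style
vulnerability entries that carry the VEX analysis state.

Added example; not Docker's or Black Duck's own code. Every value below is
constructed: CVE ids use an obvious EXAMPLE pattern and the image digest is a
placeholder.
"""
import json

PRODUCT_ID = "pkg:oci/base-image@sha256:PLACEHOLDER"   # constructed image purl

# Constructed OpenVEX document shaped like a base-image VEX attestation.
OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/base-image-1",
    "author": "Example Base Image Maintainers",
    "timestamp": "2026-04-14T00:00:00Z",
    "version": 1,
    "statements": [
        {   # library is present but the vulnerable code path is never executed
            "vulnerability": {"name": "CVE-EXAMPLE-0001"},
            "products": [{"@id": PRODUCT_ID}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # the affected package was removed when the image was hardened
            "vulnerability": {"name": "CVE-EXAMPLE-0002"},
            "products": [{"@id": PRODUCT_ID}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
        {   # maintainers have not finished assessing this one
            "vulnerability": {"name": "CVE-EXAMPLE-0003"},
            "products": [{"@id": PRODUCT_ID}],
            "status": "under_investigation",
        },
        {   # statement about a different image: must not suppress anything here
            "vulnerability": {"name": "CVE-EXAMPLE-0004"},
            "products": [{"@id": "pkg:oci/other-image@sha256:PLACEHOLDER"}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
    ],
}

# Constructed scanner findings for the image under review.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "component": "libfoo", "version": "1.2.3"},
    {"cve": "CVE-EXAMPLE-0002", "component": "oldtool", "version": "0.9"},
    {"cve": "CVE-EXAMPLE-0003", "component": "libbar", "version": "2.0"},
    {"cve": "CVE-EXAMPLE-0004", "component": "libbaz", "version": "3.1"},
    {"cve": "CVE-EXAMPLE-0005", "component": "app-dep", "version": "4.0"},
]

# OpenVEX status -> CycloneDX analysis state (this example's own mapping).
STATE_MAP = {
    "not_affected": "not_affected",
    "affected": "exploitable",
    "fixed": "resolved",
    "under_investigation": "in_triage",
}


def index_vex(doc, product_id):
    """Map CVE id -> statement, keeping only statements that name product_id."""
    index = {}
    for stmt in doc.get("statements", []):
        if any(p.get("@id") == product_id for p in stmt.get("products", [])):
            index[stmt["vulnerability"]["name"]] = stmt
    return index


def triage(findings, vex_index):
    """Split findings into (actionable, suppressed).

    Only an explicit not_affected statement suppresses a finding; affected,
    under_investigation and missing statements all stay actionable.
    """
    actionable, suppressed = [], []
    for f in findings:
        stmt = vex_index.get(f["cve"])
        if stmt and stmt["status"] == "not_affected":
            suppressed.append({**f, "justification": stmt.get("justification")})
        else:
            actionable.append(f)
    return actionable, suppressed


def audit_suppressions(suppressed):
    """Return CVEs suppressed without a justification; review these first."""
    return [s["cve"] for s in suppressed if not s.get("justification")]


def to_cyclonedx_vulns(findings, vex_index):
    """Build CycloneDX-style vulnerability entries with an analysis block."""
    entries = []
    for f in findings:
        entry = {"id": f["cve"],
                 "affects": [{"ref": f"{f['component']}@{f['version']}"}]}
        stmt = vex_index.get(f["cve"])
        if stmt:
            entry["analysis"] = {"state": STATE_MAP[stmt["status"]]}
            if stmt.get("justification"):
                entry["analysis"]["detail"] = "OpenVEX justification: " + stmt["justification"]
        entries.append(entry)
    return entries


if __name__ == "__main__":
    vex = index_vex(OPENVEX_DOC, PRODUCT_ID)
    actionable, suppressed = triage(FINDINGS, vex)
    print("actionable:", [f["cve"] for f in actionable])
    print("suppressed:", [(s["cve"], s["justification"]) for s in suppressed])
    print("needs review:", audit_suppressions(suppressed))
    print(json.dumps({"vulnerabilities": to_cyclonedx_vulns(FINDINGS, vex)}, indent=2))
```

Two design points matter for the filtering in Step 4: a statement is honoured only when its product id matches the image actually being scanned, so VEX shipped for one image cannot silence findings in another; and under_investigation is deliberately left actionable, since the maintainers have not yet made a decision. The status-to-state mapping and the use of the CycloneDX detail field for the justification are this example's choices, not a standard mapping.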

Step 6: (Future) Extend to Black Duck SCA for Unified Governance

Black Duck’s roadmap promises DHI identification support in the SCA platform. When available, you will be able to apply the same governance policies to DHI-based containers as to your application source code. For now, rely on BDBA. Once the SCA update releases, simply enable the integration in Policies > Container Compliance. All future scans will automatically unify DHI intelligence with your existing dependency management, providing a single-pane-of-glass view across the SDLC.

Tips for Success

  • Automate the process – Integrate the scanning and VEX filtering into your CI/CD pipeline (e.g., GitHub Actions, Jenkins) to catch noise early. Use Black Duck’s API to trigger scans on every push and automatically apply VEX suppression.
  • Audit your VEX consumption – Not all VEX statements are perfect. Periodically review a subset of “not affected” vulnerabilities to ensure Docker’s assessment matches your runtime environment. Black Duck’s BDSAs can serve as a second opinion.
  • Layer-specific scanning – DHI only secures the base layer. If you add custom layers (application code, additional packages), scan those layers separately with Black Duck SCA (when available) to catch application-level risks. BDBA currently scans the entire image as a whole; future updates may expose per-layer results.
  • Stay updated – Docker Hardened Images receive regular patches. Ensure you re-pull and rescan images at least weekly to keep your SBOMs current and your security posture strong.
  • Compliance documentation – When exporting SBOMs, include the VEX status field in your compliance reports. Regulators increasingly require not just a list of CVEs but evidence of exploitability assessment. The Black Duck + Docker combination delivers this natively.