
Black Duck and Docker Joint Solution Eliminates Container Vulnerability Noise

Last updated: 2026-05-12 13:51:57 · Cybersecurity

April 14, 2026 — A new integration between Black Duck and Docker Hardened Images (DHI) now lets security teams automatically disregard vulnerabilities that exist in a container’s base layer but pose zero actual risk, slashing triage time and cutting false positives.

“Developers have been drowning in noise—vulnerabilities flagged from the operating system layer that are never exploitable in the application runtime,” said a Black Duck spokesperson. “With VEX statements built into Docker’s secure-by-default images and Black Duck’s analysis engines, we can now surgically separate base-layer noise from application-layer risk.”

Zero-Config Recognition

Black Duck automatically identifies DHI base images during scanning without requiring manual tagging. This recognition enables immediate, accurate vulnerability assessment from the moment a container is scanned.

[Image: Black Duck and Docker Joint Solution Eliminates Container Vulnerability Noise. Source: www.docker.com]

Precision Triage

The system uses Docker-provided VEX (Vulnerability Exploitability eXchange) data together with Black Duck Security Advisories (BDSAs) to classify base-image vulnerabilities as “not affected” and suppress them in security reports, so that only findings with a plausible exploit path remain.

Comprehensive Vulnerability Intelligence

By combining Docker’s exploitability data with Black Duck’s proprietary research, teams can reduce triage costs and eliminate false positives. The result is a high-fidelity Software Bill of Materials (SBOM) enriched with VEX exploitability status.
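As an added illustration of the triage and SBOM enrichment described above (example code written for this page, not Black Duck's or Docker's own implementation), the script below applies a base image's VEX document to scanner findings and emits the per-finding exploitability status. It assumes the base image's VEX follows the OpenVEX layout; the document, the scan findings, the image digest, the package URLs and the CVE ids are all constructed placeholders, and the mapping from OpenVEX statuses to CycloneDX analysis states is my choice. The example also covers the layer-specific point: a statement from the base image only suppresses findings in the base layer, so an application-layer package hit by the same CVE id stays actionable.

```python
import json

# Constructed OpenVEX-style document standing in for the VEX a hardened base
# image might ship. Image digest, package URLs and CVE ids are placeholders.
BASE_IMAGE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/base-image-placeholder",
    "author": "placeholder base image publisher",
    "timestamp": "2026-04-14T00:00:00Z",
    "version": 1,
    "statements": [
        {   # the library is present, but the vulnerable path is never executed
            "vulnerability": {"name": "CVE-2099-0001"},
            "products": [{"@id": "pkg:oci/example-base@sha256%3Aplaceholder",
                          "subcomponents": [{"@id": "pkg:deb/debian/libplaceholder@1.0"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # the publisher confirms this one is real
            "vulnerability": {"name": "CVE-2099-0002"},
            "products": [{"@id": "pkg:oci/example-base@sha256%3Aplaceholder",
                          "subcomponents": [{"@id": "pkg:deb/debian/toolplaceholder@2.3"}]}],
            "status": "affected",
        },
    ],
}

# Constructed scanner output: one finding per (CVE, package), tagged with the
# image layer that introduced the package.
SCAN_FINDINGS = [
    {"cve": "CVE-2099-0001", "purl": "pkg:deb/debian/libplaceholder@1.0", "layer": "base"},
    {"cve": "CVE-2099-0002", "purl": "pkg:deb/debian/toolplaceholder@2.3", "layer": "base"},
    # Same CVE id as the first base finding, but in a package the application
    # layer added. The base image's VEX makes no claim about it.
    {"cve": "CVE-2099-0001", "purl": "pkg:npm/placeholder-lib@4.2.0", "layer": "app"},
    {"cve": "CVE-2099-0003", "purl": "pkg:pypi/placeholder-pkg@0.9", "layer": "app"},
]

# My mapping from OpenVEX statuses to CycloneDX analysis states.
STATE_MAP = {"not_affected": "not_affected", "affected": "exploitable",
             "fixed": "resolved", "under_investigation": "in_triage"}


def index_vex(vex_doc):
    """Map (cve, purl) -> statement for each product and subcomponent a statement names."""
    index = {}
    for st in vex_doc["statements"]:
        cve = st["vulnerability"]["name"]
        for product in st["products"]:
            ids = [product["@id"]] + [s["@id"] for s in product.get("subcomponents", [])]
            for purl in ids:
                index[(cve, purl)] = st
    return index


def triage(findings, vex_index, vex_layers=frozenset({"base"})):
    """Split findings into (actionable, suppressed).

    A statement suppresses a finding only when it names that exact (cve, purl)
    pair, says not_affected, and the finding lives in a layer the VEX author
    controls. A base-image VEX therefore never silences an application-layer
    finding, even one with the same CVE id.
    """
    actionable, suppressed = [], []
    for f in findings:
        st = vex_index.get((f["cve"], f["purl"]))
        status = st["status"] if st else "under_investigation"
        record = {**f, "status": status, "justification": (st or {}).get("justification", "")}
        if status == "not_affected" and f["layer"] in vex_layers:
            suppressed.append(record)
        else:
            actionable.append(record)
    return actionable, suppressed


def enrich_sbom(findings, vex_index):
    """Build a CycloneDX-flavoured 'vulnerabilities' list carrying each finding's VEX status."""
    actionable, suppressed = triage(findings, vex_index)
    return [{
        "id": r["cve"],
        "affects": [{"ref": r["purl"]}],
        "analysis": {
            "state": STATE_MAP.get(r["status"], "in_triage"),
            "detail": f"{r['justification'] or 'no justification'}; introduced in {r['layer']} layer",
        },
    } for r in actionable + suppressed]


if __name__ == "__main__":
    vex = index_vex(BASE_IMAGE_VEX)
    todo, quiet = triage(SCAN_FINDINGS, vex)
    print(f"{len(todo)} actionable, {len(quiet)} suppressed by base-image VEX")
    print(json.dumps(enrich_sbom(SCAN_FINDINGS, vex), indent=2))
```

Run with no arguments: one base-layer finding is suppressed with its VEX justification preserved, while the other three (including the application-layer package hit by the same CVE id) remain actionable, and the enriched list is what an auditor would read to see why each item was or was not dismissed.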

Compliance on Autopilot

These enriched SBOMs support global regulations such as the European Cyber Resilience Act (CRA), FDA medical device mandates, and governmental agency standards. Exporting VEX-enriched SBOMs automates vulnerability disclosure obligations.

Background

Modern containerized applications often bundle hundreds of open-source components across multiple layers. Standard scanners flag every vulnerability in the file system, regardless of whether it is reachable or exploitable at runtime. This “noise” overwhelms security teams and slows development cycles.

Docker Hardened Images are designed with a minimal attack surface and include VEX statements that document which CVEs are not exploitable. Black Duck’s integration reads these VEX statements automatically, eliminating the need for manual analysis.


How It Works

Two complementary analysis technologies provide 360-degree visibility:

Black Duck Binary Analysis (BDBA)

BDBA performs deep, signature-based inspection of compiled assets within DHI, verifying the “as-shipped” state of containers without source code access. This integration launched on April 14, 2026.

Black Duck Software Composition Analysis (SCA) – Coming Soon

An upcoming release will unify DHI identification with source-side dependency management. Teams will apply the same governance policies to DHI-based containers as they do to application source code, all within a single pane of glass.

Key Benefits at a Glance

  • Signature-Based Accuracy: Binary fingerprinting ensures component identification even if package metadata is stripped.
  • Layer-Specific Analysis: Separate base-layer vulnerabilities from application-layer risks.
  • Same Policies, One View: Unify SCA and binary analysis under a single governance framework.

What This Means

For security teams, this integration transforms container vulnerability management from a noisy, manual process into an automated, precision-driven workflow. Triage costs drop dramatically as false positives are eliminated.

For compliance officers, VEX-enriched SBOMs provide transparent, audit-ready evidence of exploitability status, simplifying adherence to the Cyber Resilience Act and other regulations. Developers can focus on shipping secure code instead of drowning in irrelevant alerts.
