How to verify Docker Hardened Images CVEs are actually fixed and not just suppressed via VEX, been running DHI for months and now I'm not sure
Posted by Sufficient-Owl-9737@reddit | linuxadmin | 3 comments
Switched to Docker Hardened Images earlier this year. Scans looked clean so I assumed things were fine.
Read this today and I'm not sure that means anything:
DHI runs on Debian and Alpine. When a CVE gets patched upstream but Debian hasn't shipped it yet, Docker marks it "not affected" via VEX and it disappears from scan results. The fix isn't in the image, the finding is just gone.
IDK how long I've been looking at clean scans that weren't actually clean. Looking for something that rebuilds from source when upstream patches drop instead of waiting on Debian's release cycle and calling it resolved. What would you go with?
PrincipleActive9230@reddit
VEX suppression is the dirty secret of "clean" scan results across most hardened image providers. The finding disappears, the vulnerability does not.
The root cause is exactly what you identified. Images built on top of Debian or Alpine inherit that release cycle. When upstream patches but Debian has not shipped it yet, VEX lets vendors mark it resolved without the fix actually being in the image. Your scanner sees clean, your image is not.
The only architectural fix is building from source so you are not waiting on a downstream distro to ship what upstream already patched.
We switched to Minimus after the same realization. Built from source, patches applied directly when upstream drops them, not when Debian gets around to it. What shows as clean in your scanner is actually clean. Signed SBOMs per image so you can verify exactly what is in there rather than trusting the scan output alone.
You have been asking the right question. Most people never do.
h2opologod94@reddit
You can also scan images without DHI's VEX in the loop: https://docs.docker.com/dhi/how-to/scan/#trivy
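The two comments above make the same point from different angles: a VEX statement removes a finding from the scanner's output, but only a package upgrade removes the vulnerable code from the image, so the useful audit is "which findings would VEX hide, and is the fixed version actually installed?". The following added example (not code from Docker, DHI, Minimus or Trivy, and not an actual DHI VEX document) runs that audit over constructed sample data: a small scan result whose shape is loosely modeled on scanner JSON, and a VEX document loosely modeled on OpenVEX. The CVE ids, package names, versions and the `example.invalid` document id are placeholders, and the version comparison is a deliberate simplification of dpkg/apk ordering that is only adequate for the sample versions.

```python
"""
Audit which scanner findings a VEX document would suppress, and whether the
fix is actually present in the image. Added example; all data is constructed.
"""
import re

# Constructed scan output, as a scanner would report it before VEX is applied.
SCAN_RESULTS = [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "InstalledVersion": "1.2.3-1", "FixedVersion": "1.2.4-1"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
     "InstalledVersion": "1.2.3-1", "FixedVersion": "1.2.3-2"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
     "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool",
     "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1"},
    {"VulnerabilityID": "CVE-0000-0005", "PkgName": "othertool",
     "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1"},
]

# Constructed VEX document (OpenVEX-like shape; ids are placeholders).
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "statements": [
        # not_affected with no justification at all
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.2.3-1"}],
         "status": "not_affected"},
        # claims "fixed" although the package version never changed
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.2.3-1"}],
         "status": "fixed"},
        # not_affected with a stated justification (still worth a review)
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:deb/debian/othertool@3.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
        # statement for a different package version: must not apply
        {"vulnerability": {"name": "CVE-0000-0005"},
         "products": [{"@id": "pkg:deb/debian/othertool@2.0.0"}],
         "status": "not_affected",
         "justification": "component_not_present"},
    ],
}

_PURL_RE = re.compile(r"/(?P<name>[^/@]+)@(?P<version>[^?#]+)$")


def _version_key(version):
    """Simplified ordering: numeric runs compare as ints, alpha runs as text.
    Not a full dpkg/apk comparison; adequate only for the sample versions."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def fix_present(installed, fixed):
    """True when the installed version is at least the fixed version."""
    if not fixed:
        return False
    return _version_key(installed) >= _version_key(fixed)


def statement_applies(stmt, finding):
    """A statement applies only if one of its products names the same
    package at the installed version (parsed from the purl suffix)."""
    for product in stmt.get("products", []):
        match = _PURL_RE.search(product.get("@id", ""))
        if match and match.group("name") == finding["PkgName"] \
                and match.group("version") == finding["InstalledVersion"]:
            return True
    return False


def audit(scan_results, vex_doc):
    """Return one record per finding with a 'verdict' and a 'patched' flag."""
    by_cve = {}
    for stmt in vex_doc["statements"]:
        by_cve.setdefault(stmt["vulnerability"]["name"], []).append(stmt)
    report = []
    for f in scan_results:
        applicable = [s for s in by_cve.get(f["VulnerabilityID"], [])
                      if statement_applies(s, f)]
        patched = fix_present(f["InstalledVersion"], f["FixedVersion"])
        if not applicable:
            verdict = "visible"                     # scanner still reports it
        else:
            stmt = applicable[-1]                   # latest statement wins
            status = stmt.get("status")
            if status == "fixed":
                verdict = "fixed_in_image" if patched \
                    else "claims_fixed_but_version_unchanged"
            elif status == "not_affected":
                verdict = "not_affected_justified" if stmt.get("justification") \
                    else "not_affected_unjustified"
            else:
                verdict = "visible"                 # affected / under_investigation
        report.append({"cve": f["VulnerabilityID"], "pkg": f["PkgName"],
                       "installed": f["InstalledVersion"],
                       "fixed": f["FixedVersion"],
                       "patched": patched, "verdict": verdict})
    return report


def suppressed_without_fix(report):
    """CVEs that vanish from a VEX-aware scan while the fix is not installed."""
    return [r["cve"] for r in report
            if r["verdict"] != "visible" and not r["patched"]]


if __name__ == "__main__":
    rows = audit(SCAN_RESULTS, VEX_DOC)
    for r in rows:
        print(f"{r['cve']:14} {r['pkg']:11} {r['installed']:>8} -> "
              f"{r['fixed']:>8}  patched={r['patched']!s:5} {r['verdict']}")
    print("suppressed but not patched:", suppressed_without_fix(rows))
```

The point of keeping `patched` separate from `verdict` is that a VEX status never changes the first flag: a `not_affected` statement with a proper justification is a legitimate reason to stop chasing a finding, but it still belongs on the "suppressed without fix" list so that someone reviews the justification instead of reading a clean scan as a patched image. The product check matters too: a statement written for one package version should not silence the same CVE in another.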
Aggravating_Log9704@reddit
Integrate runtime protections and exploit mitigation in addition to image scanning. Even with rebuilt images, new CVEs appear. Scans alone never tell the full story; you need observability at runtime and maybe automated rebase pipelines that don't wait for Debian's schedule.