Vulnerabilities

All container images are scanned with Grype against the latest vulnerability database. Scans run weekly (Monday 06:00 UTC) and on every pre-release build. Known false positives are suppressed via per-image VEX statements.

Severity      Count
Critical          0
High              4
Medium            6
Low               2
Negligible        0

12 total findings across all images.

Methodology

  1. SBOMs are extracted from OCI attestations attached to each container image
  2. Grype scans each SBOM against the latest vulnerability database
  3. Known false positives are suppressed via per-image VEX statements — the VEX status column shows the triage decision and justification
  4. Remaining findings are triaged per the remediation SLA
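
The triage step above, as an added example that is not part of this page's tooling: the Python below applies an OpenVEX document to Grype-style findings for one image the way steps 2 to 4 describe, filling the VEX status and justification column and counting only findings not covered by a not_affected or fixed statement (the statuses Grype's --vex option suppresses by default). The image purl, CVE ids, author and statement contents are constructed placeholders, not real advisories.

```python
# Constructed OpenVEX document for one custom image; the purl, CVE ids,
# author and timestamp are placeholders, not real advisories.
IMAGE = "pkg:oci/custom-image-a@sha256%3Aplaceholder"
OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/custom-image-a",
    "author": "platform team (placeholder)",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": IMAGE}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": IMAGE}],
         "status": "under_investigation"},
    ],
}
# Constructed Grype-style findings for the same image (placeholder CVE ids).
FINDINGS = [
    {"image": IMAGE, "vuln": "CVE-0000-0001", "severity": "High"},
    {"image": IMAGE, "vuln": "CVE-0000-0002", "severity": "Medium"},
    {"image": IMAGE, "vuln": "CVE-0000-0003", "severity": "Low"},
]
# Statuses that drop a finding from the count (Grype's default --vex filter).
SUPPRESSING = {"not_affected", "fixed"}


def index_statements(vex):
    """Map (product @id, CVE) -> statement; a later statement overrides an earlier one."""
    idx = {}
    for st in vex["statements"]:
        for product in st["products"]:
            idx[(product["@id"], st["vulnerability"]["name"])] = st
    return idx


def triage(findings, vex):
    """Annotate each finding with the VEX status/justification column and a suppressed flag."""
    idx = index_statements(vex)
    rows = []
    for f in findings:
        st = idx.get((f["image"], f["vuln"]), {})  # no statement -> still open
        rows.append({**f, "vex_status": st.get("status"),
                     "justification": st.get("justification"),
                     "suppressed": st.get("status") in SUPPRESSING})
    return rows


def remaining_by_severity(rows):
    """Count per severity only the findings VEX did not suppress."""
    counts = {}
    for r in rows:
        if not r["suppressed"]:
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts
```

An under_investigation statement is surfaced in the status column but still counts toward the totals, which is what keeps an unfinished triage visible against the remediation SLA.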

Stock DHI images receive VEX documents from Docker Hardened Images (OpenVEX JSON, signed, broad coverage). Custom images use hand-written OpenVEX YAML maintained alongside the DHI YAML definitions.

VEX Assessments

Stock DHI images (4): VEX documents provided by Docker Hardened Images — available in the compliance pack.

Custom images (2): Hand-written OpenVEX YAML maintained alongside DHI YAML definitions.

Last updated on • David Laing