Docker Hardened Images Enhanced Vulnerability Scanning with Docker and Aikido
Docker has partnered with Aikido to embed VEX attestations into its Hardened Images, enabling automatic suppression of CVEs that Docker has deemed non‑exploitable. The integration pulls signed SBOMs and OpenVEX statements, allowing Aikido to present only truly vulnerable findings to developers. As a result, triage queues collapse from hundreds of alerts to a handful of actionable issues, saving time and reducing noise. This streamlined workflow also provides auditable evidence for compliance regimes such as FedRAMP and SOC 2.
What Is AI Governance? Frameworks, Principles, and Best Practices
AI governance bridges the gap between rapid AI agent adoption—60% of organizations already run agents in production—and the security, compliance, and ethical challenges that stall further scaling. It establishes policies, roles, and review processes that align AI systems with business...
How to Secure AI Agents: A Practical Overview for Development Teams
Docker’s practical guide warns that 45% of organizations struggle to secure AI agents, which are moving to production faster than security practices can keep up. Because agents autonomously select tools, chain actions, and retain memory, traditional static controls fall short....
Mitigating CVE-2026-31431 (“Copy Fail”) In Docker Engine
Docker Engine version 29.4.3 introduces a layered mitigation for CVE‑2026‑31431, known as “Copy Fail,” by adding AppArmor and SELinux rules that block AF_ALG socket creation while retaining the original seccomp filter. The vulnerability is a Linux‑kernel privilege‑escalation flaw affecting kernels released...
Meet Gordon: Docker’s AI Agent For Your Entire Container Workflow
Docker announced Gordon, an AI‑powered agent built into Docker Desktop 4.74+ and the CLI, that can read container logs, compose files, and the local environment to diagnose and fix issues. Gordon proposes actions—such as repairing broken builds, generating Dockerfiles, or...
Coding Agent Horror Stories: The Security Crisis Threatening Developer Infrastructure
AI coding agents now power roughly 60% of developer tasks, accelerating feature delivery but also exposing critical security gaps. Documented incidents from late 2024 to early 2026 show agents unintentionally wiping files, deleting production environments, and leaking credentials. The root...
NIST Narrows the NVD: What Container Security Programs Should Reassess
On April 15, NIST announced a prioritized enrichment model for the National Vulnerability Database, limiting full CVSS scores, CPE mappings, and CWE classifications to three categories of CVEs: those in the CISA KEV catalog, federal‑government software, and "critical" software under Executive...
Generate Images Locally with Docker Model Runner and Open WebUI
Docker Model Runner now lets developers pull and run image‑generation models locally, exposing a fully OpenAI‑compatible API that Open WebUI can consume. By using the DDUF packaging format, a stable‑diffusion model (≈7 GB) can be fetched with a single Docker command...
Precision Container Security with Docker and Black Duck
Black Duck has launched an integration with Docker Hardened Images (DHI) that leverages Docker’s VEX statements and Black Duck’s binary analysis to automatically distinguish harmless base‑layer vulnerabilities from real application risks. The solution provides zero‑config detection of DHI, precision triage...
A Virtual Agent Team at Docker: How the Coding Agent Sandboxes Team Uses a Fleet of Agents to Ship Faster
Docker’s Coding Agent Sandboxes team has launched a "Fleet" of seven autonomous AI agent roles that run inside microVM‑based sandboxes. The agents, defined by persona‑focused markdown skill files, handle testing, issue triage, release‑note generation and even code fixes across macOS,...
Trivy, KICS, and the Shape of Supply Chain Attacks so Far in 2026
Docker reported a supply‑chain compromise of Checkmarx’s KICS scanner on April 22, 2026. Threat actors used stolen publisher credentials to overwrite five tags and add two new malicious tags in the checkmarx/kics Docker Hub repository. The malicious images exfiltrated scan...
Why MicroVMs: The Architecture Behind Docker Sandboxes
Docker announced Docker Sandboxes, a microVM‑based solution that isolates each AI coding agent in its own lightweight virtual machine. The architecture couples a dedicated microVM with a private Docker daemon, delivering full Docker‑build, run, and compose capabilities without host‑level privileges....
Why We Chose the Harder Path: Docker Hardened Images, One Year Later
One year after launching Docker Hardened Images (DHI), Docker reports over 500,000 daily pulls and more than one million builds, with a catalog exceeding 2,000 hardened images, Helm charts, and system packages across Debian and Alpine. The DHI Community tier...
Reclaim Developer Hours Through Smarter Vulnerability Prioritization with Docker and Mend.io
Mend.io has integrated with Docker Hardened Images (DHI) to deliver a zero‑configuration solution that automatically distinguishes base‑image vulnerabilities from application‑layer risks. By leveraging Docker’s VEX (Vulnerability Exploitability eXchange) data, the platform filters out non‑exploitable and unreachable CVEs, allowing developers to...
Docker Offload Now Generally Available: The Full Power of Docker, for Every Developer, Everywhere.
Docker announced Docker Offload is now generally available, moving the Docker engine to a fully managed cloud service. The shift lets developers run Docker Desktop in VDI, locked‑down laptops, and other restricted environments without changing workflows or UI. Offload offers...