From cf3dadce89d4b4f1adacf8d9216a698a99355520 Mon Sep 17 00:00:00 2001 From: Craig Osterhout Date: Mon, 15 Jun 2026 15:36:09 -0700 Subject: [PATCH] dhi: add aws inspector Signed-off-by: Craig Osterhout --- content/manuals/dhi/explore/scanner-integrations.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/manuals/dhi/explore/scanner-integrations.md b/content/manuals/dhi/explore/scanner-integrations.md index b3393eaf798..ee1481aa9e3 100644 --- a/content/manuals/dhi/explore/scanner-integrations.md +++ b/content/manuals/dhi/explore/scanner-integrations.md @@ -1,7 +1,7 @@ --- title: Scanner integrations description: Learn which vulnerability scanners work with Docker Hardened Images and how to choose the right scanner for accurate vulnerability assessment. -keywords: scanner integration, vulnerability scanning, docker scout, trivy, grype, wiz, black duck, aikido, container security scanners +keywords: scanner integration, vulnerability scanning, docker scout, trivy, grype, wiz, black duck, aikido, aws inspector, container security scanners weight: 40 --- @@ -10,7 +10,7 @@ accurate results that reflect the actual security posture of these images, your scanner needs to understand the VEX (Vulnerability Exploitability eXchange) attestations included with each image. -## Scanners with VEX support +## Supported scanners for Docker Hardened Images The following scanners can read and apply VEX attestations included with Docker Hardened Images: 
@@ -27,6 +27,12 @@ Hardened Images: For step-by-step instructions for Docker Scout, Trivy, and Grype, see [Scan Docker Hardened Images](/manuals/dhi/how-to/scan.md). For Wiz, Mend.io, Black Duck, and Aikido, refer to their respective documentation. +Most scanners can scan Docker Hardened Images. Scanners not listed in the table, +such as [AWS Inspector](https://docs.aws.amazon.com/inspector/latest/user/supported.html), +can scan DHI but won't apply VEX filtering. Results will include more reported +CVEs than the actual risk profile of the image. To reduce false positives, use a +vendor-specific suppression method, such as [AWS Inspector suppression rules](https://docs.aws.amazon.com/inspector/latest/user/findings-managing-supression-rules.html). + ## Choosing a scanner for Docker Hardened Images When selecting a scanner for use with Docker Hardened Images, whether it @@ -168,4 +174,3 @@ exceptions. This requires: Learn how to [scan Docker Hardened Images](/manuals/dhi/how-to/scan.md) with VEX-compliant scanners. -
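Review bot: In the `@@ -10,7 +10,7 @@` hunk, the new heading "Supported scanners for Docker Hardened Images" no longer matches the unchanged sentence directly below it, which still says the listed scanners "can read and apply VEX attestations". It also reads as if unlisted scanners are unsupported, while the paragraph added later in this patch says "Most scanners can scan Docker Hardened Images". Consider keeping VEX in the heading so the criterion for being listed stays explicit. If the site derives anchors from heading text, also check for existing links to the old "Scanners with VEX support" anchor.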
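Review bot: In the `@@ -27,6 +27,12 @@` hunk, the added sentence "To reduce false positives, use a vendor-specific suppression method" does not say what the suppression should be based on, so a reader could suppress broadly and hide findings that do affect the image. Suggest stating that suppression entries should mirror the image's VEX statements, covering only the CVEs the attestation marks as not affecting the image, and that they should be reviewed when the image is updated. The preceding sentence, "Results will include more reported CVEs than the actual risk profile of the image", compares a CVE count to a profile. Wording along the lines of "Results will include CVEs that the image's VEX attestations mark as not affecting it" would be clearer.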