Austria: A1 announces departure from the 2G mobile standard
A1 Telekom Austria is the first in Austria to announce the end of 2G. Magenta Telekom and Drei are not yet committing. (2G, Mobile communications)
Source: Golem
The complexity of modern containerized applications often leaves developers drowning in a sea of “noise”—vulnerabilities that exist in the file system but pose zero actual risk to the application. The integration between Black Duck and Docker Hardened Images (DHI) provides a definitive answer to this challenge. By combining Docker’s secure-by-default foundations, using VEX (Vulnerability Exploitability eXchange) statements, and Black Duck’s industry-leading analysis engines, teams can now automatically separate base-layer noise from application-layer risk.
TL;DR: The Black Duck + Docker Value Proposition
Zero-Config Recognition: Black Duck automatically identifies DHI base images during scanning without manual tagging.
Precision Triage: Leverage Docker-provided VEX data and Black Duck Security Advisories (BDSAs) to ignore “not affected” base image vulnerabilities.
Comprehensive Vulnerability Intelligence: Combine Docker’s exploitability data with Black Duck’s proprietary research to reduce triage costs and eliminate false positives.
Compliance on Autopilot: Export high-fidelity SBOMs enriched with VEX exploitability status, supporting transparent vulnerability obligations present in global regulations like the European Cyber Resilience Act (CRA) and industry standards such as those mandated by the FDA for medical devices and governmental agencies.
A Comprehensive Strategy for Software Integrity
Black Duck’s strategy for container security is built on a “Better Together” philosophy, leveraging two distinct but complementary analysis technologies to provide 360-degree visibility:
Black Duck Binary Analysis (BDBA): Our primary integration for DHI was released on April 14, 2026. BDBA provides deep, signature-based inspection of compiled assets within DHI, verifying the “as-shipped” state of your containers without needing access to source code.
Black Duck Software Composition Analysis (SCA): Soon, Black Duck will extend this DHI identification and verification support to our flagship SCA platform. This upcoming release will unify DHI intelligence with source-side dependency management, providing a single, comprehensive Software Bill of Materials (SBOM) across the entire SDLC.
Deep Visibility with Binary Match & SCA Roadmap
While traditional scanners often rely on simple package manager manifests, Black Duck looks deeper.
Signature-Based Accuracy: Using BDBA (launching March 31st), Black Duck identifies DHI components by their binary “fingerprint,” ensuring accuracy even if package metadata is stripped or modified.
The Path to Unified SCA: Our roadmap includes bringing these DHI insights directly into Black Duck SCA. This will allow security teams to apply the same governance policies to DHI-based containers as they do to their application source code, all within a single pane of glass.
Layer-Specific Analysis: Easily pivot between the hardened base image and your custom application layers to understand exactly where a risk was introduced.
Dynamic Risk Triage: VEX + BDSA Intelligence
The most significant drain on developer productivity is manual triage. This integration operationalizes “Reachability” and “Exploitability” through automated data streams:
VEX Integration: Black Duck ingests Docker’s VEX statements as a primary source of truth. If Docker confirms a base image vulnerability is “not_affected” due to the hardening process, Black Duck automatically suppresses the alert.
Beyond the NVD: While competitors rely on the National Vulnerability Database (NVD), Black Duck uses BDSAs. These advisories often arrive days before the NVD, providing deeper exploitability context and specific remediation paths.
Bulk Policy Enforcement: Security teams can set global Black Duck policies to automatically “ignore” any vulnerability backed by a “not_affected” vulnerability status statement from Docker, potentially clearing thousands of non-actionable alerts with zero manual effort.
Operationalizing Security with Automated Workflows
Black Duck does more than find issues; it manages the lifecycle of the container:
SLA Tracking: Automatically trigger Jira tickets or email alerts when a vulnerability in a custom layer exceeds your organization’s risk threshold.
Pipeline Gating: Use the Black Duck Detect CLI to fail builds only when reachable or unaddressed risks are found in your application code, keeping the CI/CD pipeline moving.
Continuous Patching: For Enterprise DHI users, Black Duck verifies when a patched base image is mirrored to your private repository, confirming mitigation without requiring a developer to manually “re-scan” to prove compliance.
Get started for free
Check Docker Documentation on VEX at https://docs.docker.com/dhi/core-concepts/vex/
Learn more about Docker’s approach to CVE exploitability and auditability at https://www.docker.com/blog/why-we-chose-the-harder-path-docker-hardened-images-one-year-later/
Read Black Duck’s VEX documentation at https://documentation.blackduck.com/bundle/bd-hub/page/Reporting/vexReport_global.html
Source: https://blog.docker.com/feed/
Amazon Aurora DSQL introduces support for the PostgreSQL JSON data type with optional compression. With JSON data type support, you can now use code and tools that depend on PostgreSQL’s JSON type with Aurora DSQL without modification, making it easier to store semi-structured data alongside relational data. You can use the JSON data type when creating or modifying tables to store semi-structured data such as API payloads, configuration objects, or event logs. With PostgreSQL compression enabled by default, larger JSON payloads are stored more efficiently, helping reduce storage costs. For details on the supported data types, see the Aurora DSQL documentation. Get started with Aurora DSQL for free with the AWS Free Tier. For information about Regional availability, see the AWS Region table. To learn more about Aurora DSQL, visit the webpage.
Source: aws.amazon.com
Amazon FSx, a fully-managed service that makes it easy and cost effective to launch, run, and scale feature-rich, high-performance file systems in the cloud, is now available in the AWS Asia Pacific (New Zealand) Region.
Amazon FSx lets you choose between four widely-used file systems: NetApp ONTAP, Windows File Server, Lustre, and OpenZFS. It supports a wide range of workloads with its reliability, security, scalability, and broad set of capabilities. Amazon FSx is built on the latest AWS compute, networking, and disk technologies to provide high performance and lower TCO. And as a fully managed service, it handles hardware provisioning, patching, and backups — freeing you up to focus on your applications, your end users, and your business.
To learn more about Amazon FSx, visit our product page, and see the AWS Region Table for complete regional availability information.
Source: aws.amazon.com
Amazon WorkSpaces Applications now supports host-to-client URL redirection, which automatically launches URLs from streaming sessions in the user’s local browser. Administrators can configure allow and deny URL patterns through the AWS Management Console to control which web content is redirected, enabling organizations to keep sensitive applications securely within the streaming environment while offloading resource-intensive content such as video streaming to local devices. With host-to-client URL redirection, organizations reduce the load on streaming infrastructure by shifting bandwidth-heavy web workloads to local devices, lowering infrastructure costs without impacting the end-user experience. The feature works for browser navigation and embedded links in applications such as Microsoft Word, with support for Chrome and Edge web browsers on the streaming host. URLs in the configured allow list open in the user’s local default browser automatically. Host-to-client URL redirection for Amazon WorkSpaces Applications is available in multiple AWS Regions including US East (N. Virginia and Ohio), US West (Oregon), Asia Pacific (Malaysia, Mumbai, Seoul, Singapore, Sydney, and Tokyo), Canada (Central), Europe (Frankfurt, Ireland, London, Milan, and Paris), South America (São Paulo), Israel (Tel Aviv), AWS GovCloud (US-West and US-East). To learn more about host-to-client URL redirection for Amazon WorkSpaces Applications, see host to client URL redirection. For more information about Amazon WorkSpaces Applications, visit the Amazon WorkSpaces Applications page.
Source: aws.amazon.com
Amazon CloudWatch Logs Insights query language now supports querying log groups using tags, making it easier to analyze logs without listing the log groups explicitly. In addition to querying logs by log group names, data sources, and facets, customers can now query using log group tags. Tags are key-value pairs that customers can assign to log groups to categorize them — for example, Environment: Production, Application: PaymentService, or Owner: TeamName. With this launch, customers can run a query across all log groups that share common tags. As log group tags are added or removed, queries automatically reflect the matching log groups, reducing operational overhead as environments grow. Querying by log group tags is available today in all commercial AWS Regions. To learn more, see the Amazon CloudWatch Logs documentation.
Source: aws.amazon.com
An attacker was able to access Trellix source code repositories. Tools from other cybersecurity companies have also recently come under fire. (Cybercrime, Cyberwar)
Source: Golem
SAP brings the Freiburg start-up Prior Labs in-house and buys the data provider Dremio, laying the foundation for its AI strategy. (SAP, AI)
Source: Golem
More than a hundred wind turbine projects in the USA have been halted. The order came from the US Department of Defense. (Wind power, Politics)
Source: Golem
While GitHub Actions drives developers up the wall, Buildkite shows how it can be done differently: not pretty, but bearable. A field report by Ian Duncan (Enterprise software, Software development)
Source: Golem