Reduce Vulnerability Noise with VEX: Wiz + Docker Hardened Images

Open source components power most modern applications. A new generation of hardened container images can establish a more secure foundation, but even with hardened images, vulnerability scanners often return dozens or hundreds of CVEs with little prioritization. This noise slows teams down and complicates security triage. The VEX (Vulnerability Exploitability eXchange) standard addresses the problem by letting the supplier state whether a specific vulnerability actually affects a given product, so that an organization can judge the impact on its own application stack and infrastructure.

A new integration between Docker Hardened Images (DHI) and Wiz CLI now gives security and platform teams accurate reachability insights by analyzing VEX data. Wiz worked with Docker to tune its scanners to properly ingest and parse the VEX statements included with every one of the more than 1,000 DHI images in the catalog. The integration helps users cut through vulnerability noise with scan results that deliver clear, actionable insights.

When the Wiz scanner detects a Docker Hardened Image, it reads the image's VEX documents and OSV advisories to filter out false positives. For organizations already using Wiz, this means a simpler path to adopting hardened images across their container fleet. For organizations pursuing FedRAMP or other compliance certifications that specify VEX coverage, the ability of Wiz to read DHI VEX statements can accelerate compliance, reducing time to deployment and consequently time to revenue.

TL;DR

Integrate Docker with Wiz to:

Minimize false positives using VEX and OSV data

Identify base images and software components more accurately

Provide security teams with clear visibility into software bills of materials (SBOMs)

Reduce manual validation efforts by integrating detailed issue summaries into your remediation workflows

Improve image quality assurance with up-to-date package metadata and SPDX snippets

Migrate to Docker Hardened Images with greater confidence

Why VEX?

VEX (Vulnerability Exploitability eXchange) is a machine-readable way for software suppliers to state whether a known vulnerability actually affects a specific product. Instead of inferring risk from dependency lists alone, a VEX statement explicitly declares one of four statuses for a vulnerability in a product: not affected, affected, fixed, or under investigation. This matters because many scanner findings are not exploitable in real products, leading to false positives, wasted effort, and obscured real risk. VEX enables transparent, auditable vulnerability status that security tools and customers can independently verify, unlike proprietary advisory feeds that obscure context and historical risk. A "not affected" statement should carry a justification (for example, that the vulnerable code is not in the execute path), and a consumer should treat a statement without one with suspicion rather than silently suppressing the finding.
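The following is an added example, not code from Docker, Wiz, or the DHI catalog, showing how a scanner-side consumer applies VEX statements to its findings in the way the paragraphs above describe. It parses a constructed OpenVEX document (the `pkg:` purls, CVE identifiers, author and `@id` are placeholders, not real advisories for any image), resolves the newest statement when several cover the same product and vulnerability, suppresses findings only for `not_affected` and `fixed` statuses, and refuses to honour a `not_affected` statement that carries no recognised justification or impact statement. Matching products by a package-level purl in the `@id` field is a simplification of the OpenVEX product model assumed for the example.

```python
"""Apply OpenVEX statements to scanner findings (added example; the VEX
document, purls and CVE identifiers below are constructed placeholders)."""
import json
from datetime import datetime

# A finding is suppressed only for these two VEX statuses; "affected" and
# "under_investigation" keep it open.
SUPPRESSING = {"not_affected", "fixed"}
# Justification values OpenVEX defines for not_affected statements.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed OpenVEX document: CVE-2025-0001 has an older and a newer
# statement (newer wins); CVE-2025-0002 is not_affected with no justification.
VEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/demo-1",
  "author": "example supplier (constructed)",
  "timestamp": "2025-01-10T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2025-0001"},
     "products": [{"@id": "pkg:deb/debian/libfoo@1.2.3"}],
     "status": "under_investigation", "timestamp": "2025-01-01T00:00:00Z"},
    {"vulnerability": {"name": "CVE-2025-0001"},
     "products": [{"@id": "pkg:deb/debian/libfoo@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "timestamp": "2025-01-08T00:00:00Z"},
    {"vulnerability": {"name": "CVE-2025-0002"},
     "products": [{"@id": "pkg:deb/debian/libbar@4.5.6"}],
     "status": "not_affected", "timestamp": "2025-01-08T00:00:00Z"},
    {"vulnerability": {"name": "CVE-2025-0003"},
     "products": [{"@id": "pkg:deb/debian/libbar@4.5.6"}],
     "status": "fixed", "timestamp": "2025-01-08T00:00:00Z"}
  ]
}
""")

# Constructed scanner output: (purl, CVE) pairs as a scanner would report them.
FINDINGS = [
    ("pkg:deb/debian/libfoo@1.2.3", "CVE-2025-0001"),
    ("pkg:deb/debian/libbar@4.5.6", "CVE-2025-0002"),
    ("pkg:deb/debian/libbar@4.5.6", "CVE-2025-0003"),
    ("pkg:deb/debian/libbaz@7.8.9", "CVE-2025-0004"),
]


def _stamp(stmt, doc):
    """Statement timestamp, falling back to the document timestamp."""
    raw = stmt.get("timestamp", doc["timestamp"]).replace("Z", "+00:00")
    return datetime.fromisoformat(raw)


def index_statements(doc):
    """Map (purl, cve) to the most recent statement covering that pair."""
    latest = {}
    for stmt in doc["statements"]:
        cve = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            key = (product["@id"], cve)
            if key not in latest or _stamp(stmt, doc) > _stamp(latest[key], doc):
                latest[key] = stmt
    return latest


def statement_is_trustworthy(stmt):
    """not_affected needs a known justification or an impact_statement."""
    if stmt["status"] != "not_affected":
        return True
    if stmt.get("justification") in NOT_AFFECTED_JUSTIFICATIONS:
        return True
    return bool(stmt.get("impact_statement"))


def triage(findings, doc):
    """Bucket findings into open / suppressed / needs_review with a reason."""
    idx = index_statements(doc)
    out = {"open": [], "suppressed": [], "needs_review": []}
    for purl, cve in findings:
        stmt = idx.get((purl, cve))
        if stmt is None:
            out["open"].append((purl, cve, "no VEX statement"))
        elif stmt["status"] in SUPPRESSING and statement_is_trustworthy(stmt):
            out["suppressed"].append((purl, cve, stmt["status"]))
        elif stmt["status"] in SUPPRESSING:
            out["needs_review"].append((purl, cve, "not_affected without justification"))
        else:
            out["open"].append((purl, cve, stmt["status"]))
    return out


if __name__ == "__main__":
    for bucket, items in triage(FINDINGS, VEX_DOC).items():
        print(bucket, items)
```

The "needs_review" bucket is the practical point: a VEX document is a supplier assertion, so a consumer should verify who authored it (and, where the supplier signs it, the signature) and insist on a justification before a not_affected status removes a finding from the queue.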

Before you begin

Ensure you have access to both your Docker and Wiz organizations.

Confirm you are using a Docker Hardened Image.

Ensure you have SBOM export and scan visibility enabled in Wiz.

Identifying Docker Hardened Images via the Integration on Wiz

With the integration, Wiz automatically detects Docker Hardened Images. The integration consists of two main functionalities on the Wiz dashboard. First, verify how many resources and organizations are using Docker Hardened Images by following these steps:

Navigate to the Wiz Docker integration page and click connect

You’ll be prompted to log in to your Wiz dashboard

Once logged in, navigate to the “Inventory” section on the left side bar of your dashboard

You’ll be redirected to the “Technology” dashboard, where Wiz lists all technologies detected in your environment. Search for “Docker Hardened Images” in the search bar

Wiz automatically detects the specific operating system running in each container and flags containers built on DHI as hardened images

Checking for vulnerabilities on the Wiz dashboard:

Once you’ve validated that Wiz can identify Docker Hardened Images, you will be able to check for vulnerabilities using Wiz’s security graph and Docker’s container metadata. In order to do that, follow these steps from the technologies tab:

Go to the Inventory > Technologies page and filter by operating system, or search for a specific technology

Click on the OS/technology to view metadata and resource count

Click to access the security graph view showing all resources running that technology

Add a condition to filter for CVEs detected on those resources

View all resources with their associated vulnerabilities in table or graph format

Final Check

After setup, the vulnerabilities will appear according to your pre-set policies. You’ll be able to get a detailed overview on each CVE listed, including graph visualizations for dependency relationships, severity distribution, and potential exploit paths. These insights will help you prioritize remediation efforts, track resolution progress, and ensure compliance with your organization’s security standards.

Integrating Docker Hardened Images for better software supply chain visibility

The Docker-Wiz integration is more than just a checkbox in your security checklist. It provides:

Clarity: VEX documents and accurate base image identification eliminate guesswork, providing clear, contextual vulnerability data.

Confidence: Minimized false positives through OSV advisories and Docker-provided metadata ensures security teams can trust what they see.

Control: Enhanced visibility into SBOMs and technology usage empowers teams to prioritize and manage remediation effectively.

Coverage: Full-stack integration with Wiz surfaces vulnerabilities across all Docker environments, including hardened images and source-built components.

This partnership helps DevSecOps teams move fast and remain proactive against container vulnerabilities, an essential capability for modern, lean teams managing fast-paced releases, open source risk, and complex cloud-native environments.

Ready to Get Started?

If you’re already using Docker Hardened Images and Wiz, you’re just a few clicks away from reducing false positives, improving SBOM visibility, and making vulnerability data more actionable.

Check the Docker + Wiz solutions brief

Visit the Docker + Wiz integration page

Read more about VEX in our documentation

Source: https://blog.docker.com/feed/

Amazon EC2 I7ie instances now available in AWS Canada (Central)

AWS is announcing that Amazon EC2 I7ie instances are now available in the AWS Canada (Central) Region. Designed for large storage I/O intensive workloads, I7ie instances are powered by 5th Gen Intel Xeon Processors with an all-core turbo frequency of 3.2 GHz, offering up to 40% better compute performance and 20% better price performance over existing I3en instances. I7ie instances offer up to 120TB of local NVMe storage density (highest in the cloud) for storage optimized instances and offer up to twice as many vCPUs and memory compared to prior generation instances. Powered by 3rd generation AWS Nitro SSDs, I7ie instances deliver up to 65% better real-time storage performance, up to 50% lower storage I/O latency, and 65% lower storage I/O latency variability compared to I3en instances. I7ie instances are high-density storage-optimized instances, ideal for workloads requiring fast local storage with high random read/write performance and consistently low latency to access large data sets. These instances are available in 9 different virtual sizes and deliver up to 100Gbps of network bandwidth and 60Gbps of bandwidth for Amazon Elastic Block Store (EBS). To learn more, visit the I7ie instances page.
Source: aws.amazon.com

AWS Glue launches native REST API connector for universal data integration

AWS Glue now offers a native REST-based connector that enables customers to easily read data from any source with a REST-based API. Customers can now create custom connectors to any REST-enabled data source and seamlessly integrate that data into their AWS Glue ETL (Extract, Transform, and Load) jobs. This capability extends AWS Glue’s existing connectivity to 100+ non-AWS data sources through 60+ native connectors and additional options on AWS Marketplace. Previously, connecting to proprietary systems or emerging platforms required customers to build custom connectors by providing specialized JARs with the necessary libraries. The new native REST API connector eliminates this complexity, making it easier to integrate data from any REST-enabled source. It reduces operational overhead by eliminating the need to install, update, or manage custom libraries, freeing teams from maintenance burdens. The connector also enhances flexibility, enabling organizations to quickly adapt to new data sources as business needs evolve. It also streamlines ETL management by allowing data engineers to focus on data transformation and business logic rather than spending time building and maintaining connector infrastructure. The AWS Glue REST API connector is available in all AWS commercial regions where AWS Glue is available. You can start using the AWS Glue REST API connector using AWS Glue APIs, AWS Command Line Interface (CLI), or AWS Software Development Kit (SDK). To get started, see AWS Glue documentation.
Source: aws.amazon.com

Amazon WorkSpaces launches Graphics G6, Gr6, and G6f bundles

Today, Amazon WorkSpaces announces the availability of 12 new Graphics G6, Gr6, and G6f WorkSpaces bundles built on the Amazon EC2 G6 family. These bundles expand customers’ options for running graphics-intensive and GPU-accelerated workloads, and are available on both Amazon WorkSpaces Personal and Amazon WorkSpaces Core.
The new bundles are designed to support a wide range of performance, memory, and cost requirements: G6 bundles include five sizes with 1:4 vCPU-to-memory configurations, suitable for graphic design, CAD/CAM, and ML model training workloads. Gr6 bundles include two sizes with memory-optimized 1:8 vCPU-to-memory configurations, designed for higher-memory workloads such as 3D rendering, seismic visualization, and GIS processing. G6f bundles include five sizes and offer fractional GPU options (1/8, 1/4, and 1/2 GPU), enabling cost-effective access to GPU acceleration for workloads that do not require a full GPU. All Graphics G6, Gr6, and G6f WorkSpaces support Windows Server 2022 and allow customers to bring their own Windows desktop licenses for Windows 11.
These bundles are available in 13 AWS Regions: US East (N. Virginia), US West (Oregon), Canada (Central), Europe (Paris, Frankfurt, London), Asia Pacific (Tokyo, Mumbai, Sydney, Seoul), South America (São Paulo), and AWS GovCloud (US-West and US-East).
To get started, create a Graphics G6, Gr6, or G6f WorkSpace using the Amazon WorkSpaces console. For pay-as-you-go pricing details, see the Amazon WorkSpaces Pricing Page and the Amazon WorkSpaces Core Pricing Page.
Source: aws.amazon.com

AWS Builder ID now supports Sign in with Apple

AWS Builder ID, your profile for accessing AWS applications including AWS Builder Center, AWS Training and Certification, AWS re:Post, AWS Startups, and Kiro, now supports Sign in with Apple as a social login provider. This expansion of sign-in options builds on the existing Sign in with Google capability, providing Apple users with a streamlined way to access AWS resources without managing separate credentials on AWS.
With Sign in with Apple integration, developers and builders can now access their AWS Builder ID profile using their Apple Account credentials. This enhancement eliminates password management complexity, reduces forgotten password issues, and provides a frictionless experience for both new user registration and returning user sign-ins. Whether you’re accessing development resources in AWS Builder Center, enrolling in certification programs, participating in community discussions on AWS re:Post, exploring startup resources, or using Kiro to code your next app, your Apple Account now serves as a secure gateway to your AWS builder journey.
To learn more about AWS Builder ID and get started with Sign in with Apple, visit the AWS Builder ID documentation.

Source: aws.amazon.com

Amazon EC2 G6e instances now available in Dubai region

Starting today, Amazon EC2 G6e instances powered by NVIDIA L40S Tensor Core GPUs are available in the Middle East (UAE) Region. G6e instances can be used for a wide range of machine learning and spatial computing use cases.
Customers can use G6e instances to deploy large language models (LLMs) and diffusion models for generating images, video, and audio. Additionally, the G6e instances will unlock customers’ ability to create larger, more immersive 3D simulations and digital twins for spatial computing workloads. G6e instances feature up to 8 NVIDIA L40S Tensor Core GPUs with 48 GB of memory per GPU and third generation AMD EPYC processors. They also support up to 192 vCPUs, up to 400 Gbps of network bandwidth, up to 1.536 TB of system memory, and up to 7.6 TB of local NVMe SSD storage. Amazon EC2 G6e instances are available today in the AWS US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Tokyo, Seoul), Middle East (UAE) and Europe (Frankfurt, Spain, Stockholm) Regions. Customers can purchase G6e instances as On-Demand Instances, Reserved Instances, Spot Instances, or as part of Savings Plans. To get started, use the AWS Management Console, AWS Command Line Interface (CLI), or AWS SDKs. To learn more, visit the G6e instance page.
Source: aws.amazon.com