BellSoft has unveiled a new container security solution designed to tackle the growing vulnerability crisis in enterprise software supply chains.
Announced at KubeCon 2025, the new ‘Hardened Images’ offering combines Java runtime optimisation, operating system hardening and proactive CVE remediation. According to the press release, BellSoft claims this unified approach can reduce known vulnerabilities by 95 per cent while lowering resource consumption by up to 30 per cent.
Container security remains a persistent challenge for development teams, with BellSoft citing industry data from NetRise suggesting that a typical container image can harbour over 600 known vulnerabilities. Java workloads face specific risks; the announcement reports that nearly half of all Java services currently contain known-exploited vulnerabilities, compared to significantly lower rates in Go and other languages. This new release attempts to mitigate these risks by embedding security controls directly into the container lifecycle, addressing the increasing demand for ‘shift-left’ security strategies.
The technical foundation of these images is Alpaquita Linux, a lightweight distribution created by BellSoft that utilises BusyBox and APK. This addresses a common friction point for developers migrating from standard Linux distributions, who often face compatibility issues when moving to minimal, musl-only environments like Alpine Linux.
To achieve hardening, the images are minimised by removing package managers and non-essential components, effectively locking the configuration. This immutability aims to prevent attackers from introducing malware or tampering with the runtime environment. The solution also includes a detailed Software Bill of Materials (SBOM) to assist with auditing and regulatory compliance standards.
BellSoft states that organisations migrating to its Liberica JDK Lite, which is included in these images, can observe significant efficiency gains. According to the press release, internal benchmarks show a 30 per cent reduction in RAM and disk space usage. By handling patch development in-house rather than relying solely on upstream releases, BellSoft claims it can offer faster remediation times for critical CVEs compared to standard community-maintained images.
In the press release accompanying the announcement, Aleksei Voitylov, CTO at BellSoft, said: ‘BellSoft Hardened Images is a response to the growing demand in the market for secure, high-performance container solutions and is consistent with our commitment to providing the most complete and reliable Java experience. By combining expert Java runtime optimisation, proactive CVE remediation and a lightweight, flexible foundation, our hardened images give organisations a secure, audit-ready platform that reduces vulnerabilities, improves performance and simplifies migration.’
The market for hardened container images has grown significantly as supply chain security becomes an enterprise priority. BellSoft’s offering enters a competitive landscape populated by established players. Chainguard offers a similar suite of low-CVE images based on its Wolfi OS, with a heavy focus on software supply chain integrity. Docker also provides Hardened Images, while Google’s ‘Distroless’ images pioneered the concept of removing shells and package managers.
However, Distroless images are often criticised for being difficult to debug because they lack a shell. BellSoft positions its solution as a more flexible alternative for Java shops, specifically leveraging its expertise as a top OpenJDK contributor to optimise the runtime layer alongside the OS. This offers a middle ground between the extreme minimalism of Distroless and the usability of standard images.
BellSoft Hardened Images are available immediately in three tiers. A free Community tier offers Hardened Liberica Runtime Containers on Docker Hub. Standard and Premium tiers provide broader language support, including GraalVM, Go and Python, along with SLAs for critical CVE remediation and technical support.