Find BellSoft Hardened Images

Available on Docker Hub, GHCR, MCR, GCR and Amazon ECR

Secure, production-ready hardened images continuously patched for CVEs and backed by 24/7 enterprise support. Get hardened container images
for OpenJDK, Python, Go, GCC/C++, and GraalVM — all based on Alpaquita Linux.

Docker Hub imagesGHCR imagesMCR imagesGCR imagesAmazon ECR images
Learn more

How to use BellSoft Hardened Container Images

Getting Started

Step 1: Pull an Image

Pull an image from any supported container registry:

docker pull bellsoft/<repository>:<image_tag>
Step 2: Run a Container

Start a container from the pulled image

docker run --name my-app bellsoft/<repository>:<image_tag>

Step 3: Use as Base Image

Specify as a base image in your Dockerfile:

FROM bellsoft/<repository>:<image_tag>

Example: Hardened Java Runtime

# Pull the latest hardened Java runtime
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
# Run with your application
docker run -v /path/to/app:/app bellsoft/hardened-liberica-runtime-container:jdk-21-glibc java -jar /app/myapp.jar
# Use in a Dockerfile
FROM bellsoft/hardened-liberica-runtime-container:jdk-21-glibc

Available Hardened Repositories

BellSoft provides hardened container images for multiple programming languages and runtimes, all based on Alpaquita Linux. The same repositories are available across all container registries (Docker Hub, GitHub CR, Microsoft CR, Google CR, and Amazon ECR):

Repository NameDescriptionSupported Versions
hardened-baseMinimal hardened base images for running pre-built applicationsAlpaquita Linux Stream
hardened-liberica-runtime-containerHardened images with Liberica JDK Lite (OpenJDK)LTS versions (21 and 25) and the latest non-LTS release
hardened-liberica-native-image-kit-containerHardened images with Liberica Native Image Kit (GraalVM)NIK 23 (JDK 17, 21), and NIK 25 (JDK 25).
hardened-pythonHardened images with Python and Python and basic Python utilitiesPython 3.x
hardened-goHardened Alpaquita Linux images for building Go applicationsGo 1.x
hardened-gccHardened Alpaquita Linux images with the GCC compiler, tools, and libraries for development in C/C++GCC 15.x

Understanding Hardened Image Tags

Tag Structure Formula

All hardened repositories use consistent tag structure across all container registries

Repository NameTag Pattern
hardened-baseTag Pattern: <libc>
  • glibc - an image with glibc
  • musl - an image with musl
hardened-liberica-runtime-containerAll tags follow the pattern:
<jdk-type>-<java-version>-[crac]-[cds]-<libc>
Where:
  • jdk-type
    • jdk – Liberica JDK Lite, optimized for cloud use
    • jdk-all – Full Liberica JDK, compatible with jlink
    • jre – Runtime-only image without development tools
  • java-version – Java version, either:
    • Major only (e.g., 21)
    • Full version (e.g., 21.0.7_9 for Liberica JDK 21.0.7+9)
    • crac – (optional) includes Coordinated Restore at Checkpoint (CRaC) support
    • cds – (optional) includes Class Data Sharing archives for faster startup
  • libc – either
    • glibc
    • musl
Tag examples:
  • jdk-21-glibc
  • jdk-all-21-musl
  • jre-25-cds-glibc
  • jdk-21-crac-musl
hardened-liberica-native-image-kit-containerAll tags follow the pattern:
jdk-<java-version>-nik-< nik-version>-<libc>
Where:
  • java-version – Base JDK version (e.g., 21, 25)
  • nik-version – Native Image Kit version (e.g., 23, 25)
  • debug – (optional) includes Apache Maven and GNU GDB for development
  • libc – either glibc or musl
Tag examples:
  • jdk-21-nik-23-musl
  • jdk-25-nik-25-glibc
  • jdk-25-nik-25-debug-musl
hardened-python<python-version>-<libc>

Where:
  • Available versions: Python 3.12
  • libc – either glibc or musl
Tag examples:
  • 3.12-musl
  • 3.12-glibc
hardened-go<go-version>-<libc>

Where:
  • Available versions: Go 1.25 (1.25.3). If no version is specified, the latest available Go image will be pulled automatically.
  • libc – either glibc or musl
Tag examples:
  • 1.25-musl
  • 1.25.3-glibc
hardened-gcc<gcc-version>-<libc>

Where:
  • Available versions: GCC 15.2. If no version is specified, the latest available GCC image will be pulled automatically.
  • libc – either glibc or musl
Tag examples:
  • 15.2-musl
  • 15.2-glibc

Pull Hardened Images from Container Registries

BellSoft Hardened Container Images are available on all major container registries:

RegistryURL FormatAuth Required
Docker Hubdocker.io/bellsoft/<repository>:<tag>No
GitHub CRghcr.io/bell-sw/<repository>:<tag>No
Microsoft CRbellsoft.azurecr.io/<repository>:<tag>No
Google CRus-docker.pkg.dev/bellsoft/gcr.io/<repository>:<tag>Yes
Amazon ECRpublic.ecr.aws/bellsoft/<repository>:<tag>No

Docker Hub

Pull from Docker Hub:

1. Hardened Base

Minimal hardened Alpaquita Linux image — ideal for extending with your own binaries.

docker pull bellsoft/hardened-base:glibc
docker pull bellsoft/hardened-base:musl
2. Hardened Liberica Runtime (OpenJDK)
docker pull bellsoft/hardened-liberica-runtime-container:jdk-all-musl
docker pull bellsoft/hardened-liberica-runtime-container:jdk-all-glibc
docker pull bellsoft/hardened-liberica-runtime-container:jre-musl
docker pull bellsoft/hardened-liberica-runtime-container:jre-glibc
docker pull bellsoft/hardened-liberica-runtime-container:jdk-crac-musl
docker pull bellsoft/hardened-liberica-runtime-container:jdk-crac-glibc
docker pull bellsoft/hardened-liberica-runtime-container:jre-crac-musl
docker pull bellsoft/hardened-liberica-runtime-container:jre-crac-glibc
3. Hardened Liberica Native Image Kit (GraalVM)
docker pull bellsoft/hardened-liberica-native-image-kit-container:jdk-25-nik-25-musl
docker pull bellsoft/hardened-liberica-native-image-kit-container:jdk-25-nik-25-glibc
docker pull bellsoft/hardened-liberica-native-image-kit-container:jdk-24-nik-24-musl
docker pull bellsoft/hardened-liberica-native-image-kit-container:jdk-24-nik-24-glibc
4. Hardened Python
docker pull bellsoft/hardened-python:3.12-musl
docker pull bellsoft/hardened-python:3.12-glibc
5. Hardened Go
docker pull bellsoft/hardened-go:1.25-musl
docker pull bellsoft/hardened-go:1.25-glibc
6. Hardened C / C++
docker pull bellsoft/hardened-gcc:15.2-musl
docker pull bellsoft/hardened-gcc:15.2-glibc

GitHub Container Registry

Pull from GitHub CR (anonymous access supported):

1. Hardened Base

Minimal hardened Alpaquita Linux image — ideal for extending with your own binaries.

docker pull ghcr.io/bell-sw/hardened-base:glibc
docker pull ghcr.io/bell-sw/hardened-base:musl
2. Hardened Liberica Runtime (OpenJDK)
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jdk-all-musl
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jdk-all-glibc
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jre-musl
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jre-glibc
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jdk-crac-musl
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jdk-crac-glibc
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jre-crac-musl
docker pull ghcr.io/bell-sw/hardened-liberica-runtime-container:jre-crac-glibc
3. Hardened Liberica Native Image Kit (GraalVM)
docker pull ghcr.io/bell-sw/hardened-liberica-native-image-kit-container:jdk-25-nik-25-musl
docker pull ghcr.io/bell-sw/hardened-liberica-native-image-kit-container:jdk-25-nik-25-glibc
docker pull ghcr.io/bell-sw/hardened-liberica-native-image-kit-container:jdk-24-nik-24-musl
docker pull ghcr.io/bell-sw/hardened-liberica-native-image-kit-container:jdk-24-nik-24-glibc
4. Hardened Python
docker pull ghcr.io/bell-sw/hardened-python:3.12-musl
docker pull ghcr.io/bell-sw/hardened-python:3.12-glibc
5. Hardened Go
docker pull ghcr.io/bell-sw/hardened-go:1.25-musl
docker pull ghcr.io/bell-sw/hardened-go:1.25-glibc
6. Hardened C / C++
docker pull ghcr.io/bell-sw/hardened-gcc:15.2-musl
docker pull ghcr.io/bell-sw/hardened-gcc:15.2-glibc

Microsoft Container Registry

Pull from Microsoft CR:

1. Hardened Base

Minimal hardened Alpaquita Linux image — ideal for extending with your own binaries.

docker pull bellsoft.azurecr.io/hardened-base:glibc
docker pull bellsoft.azurecr.io/hardened-base:musl
2. Hardened Liberica Runtime (OpenJDK)
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jdk-all-musl
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jdk-all-glibc
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jre-musl
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jre-glibc
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jdk-crac-musl
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jdk-crac-glibc
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jre-crac-musl
docker pull bellsoft.azurecr.io/hardened-liberica-runtime-container:jre-crac-glibc
3. Hardened Liberica Native Image Kit (GraalVM)
docker pull bellsoft.azurecr.io/hardened-liberica-native-image-kit-container:jdk-25-nik-25-musl
docker pull bellsoft.azurecr.io/hardened-liberica-native-image-kit-container:jdk-25-nik-25-glibc
docker pull bellsoft.azurecr.io/hardened-liberica-native-image-kit-container:jdk-24-nik-24-musl
docker pull bellsoft.azurecr.io/hardened-liberica-native-image-kit-container:jdk-24-nik-24-glibc
4. Hardened Python
docker pull bellsoft.azurecr.io/hardened-python:3.12-musl
docker pull bellsoft.azurecr.io/hardened-python:3.12-glibc
5. Hardened Go
docker pull bellsoft.azurecr.io/hardened-go:1.25-musl
docker pull bellsoft.azurecr.io/hardened-go:1.25-glibc
6. Hardened C / C++
docker pull bellsoft.azurecr.io/hardened-gcc:15.2-musl
docker pull bellsoft.azurecr.io/hardened-gcc:15.2-glibc

Google Container Registry

Note: Authentication is required to pull from GCR:

Use gcloud auth configure-docker before running these commands.

Pull from Google CR:

1. Hardened Base

Minimal hardened Alpaquita Linux image — ideal for extending with your own binaries.

docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-base:glibc
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-base:musl
2. Hardened Liberica Runtime (OpenJDK)
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jdk-all-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jdk-all-glibc
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jre-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jre-glibc
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jdk-crac-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jdk-crac-glibc
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jre-crac-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-runtime-container:jre-crac-glibc
3. Hardened Liberica Native Image Kit (GraalVM)
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-native-image-kit-container:jdk-25-nik-25-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-native-image-kit-container:jdk-25-nik-25-glibc
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-native-image-kit-container:jdk-24-nik-24-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-liberica-native-image-kit-container:jdk-24-nik-24-glibc
4. Hardened Python
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-python:3.12-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-python:3.12-glibc
5. Hardened Go
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-go:1.25-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-go:1.25-glibc
6. Hardened C / C++
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-gcc:15.2-musl
docker pull us-docker.pkg.dev/bellsoft/gcr.io/hardened-gcc:15.2-glibc

Amazon Elastic Container Registry

Pull from Amazon ECR Public Gallery (optimal for AWS environments):

1. Hardened Base

Minimal hardened Alpaquita Linux image — ideal for extending with your own binaries.

docker pull public.ecr.aws/bellsoft/hardened-base:glibc
docker pull public.ecr.aws/bellsoft/hardened-base:musl
2. Hardened Liberica Runtime (OpenJDK)
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jdk-all-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jdk-all-glibc
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jre-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jre-glibc
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jdk-crac-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jdk-crac-glibc
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jre-crac-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-runtime-container:jre-crac-glibc
3. Hardened Liberica Native Image Kit (GraalVM)
docker pull public.ecr.aws/bellsoft/hardened-liberica-native-image-kit-container:jdk-25-nik-25-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-native-image-kit-container:jdk-25-nik-25-glibc
docker pull public.ecr.aws/bellsoft/hardened-liberica-native-image-kit-container:jdk-24-nik-24-musl
docker pull public.ecr.aws/bellsoft/hardened-liberica-native-image-kit-container:jdk-24-nik-24-glibc
4. Hardened Python
docker pull public.ecr.aws/bellsoft/hardened-python:3.12-musl
docker pull public.ecr.aws/bellsoft/hardened-python:3.12-glibc
5. Hardened Go
docker pull public.ecr.aws/bellsoft/hardened-go:1.25-musl
docker pull public.ecr.aws/bellsoft/hardened-go:1.25-glibc
6. Hardened C / C++
docker pull public.ecr.aws/bellsoft/hardened-gcc:15.2-musl
docker pull public.ecr.aws/bellsoft/hardened-gcc:15.2-glibc