| Repository | Description | Use Case |
bellsoft/hardened-base | Minimal hardened base images for running pre-built applications | Runtime base for compiled applications |
BellSoft Hardened Container Images
BellSoft provides hardened container images designed for production environments that require enhanced security, predictable vulnerability management, and transparent build processes. These minimal, regularly updated images come with a comprehensive Security Advisory and represent a unified vendor approach to container hardening.
BellSoft hardened images are available on Docker Hub for the following programming languages and runtimes:
Advanced Security
Proactive CVE patching and comprehensive image hardening
Languages/Runtime
Hardened containers for Java, Go, Python, GCC/C++, and GraalVM
Enterprise Reliability
24/7 support with proven performance and LTS commitment
How to use BellSoft Hardened Container Images
Getting Started
Pull an image from Docker Hub
docker pull bellsoft/<repository>:<image_tag>Start a container
docker run --name my-app bellsoft/<repository>:<image_tag>Specify as a base image in a Dockerfile:
FROM bellsoft/<repository>:<image_tag>Example usage
# Pull the latest hardened Java runtime
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
# Run with your application
docker run -v /path/to/app:/app bellsoft/hardened-liberica-runtime-container:jdk-21-glibc java -jar /app/myapp.jar
# Use in a Dockerfile
FROM bellsoft/hardened-liberica-runtime-container:jdk-21-glibcAvailable Repositories
Hardened Base Images
Tags:
- glibc - Base image with glibc
- musl, latest - Base image with musl (default)
Hardened Java Runtime Images
| Repository | Description | JDK Types Available |
bellsoft/hardened-liberica-runtime-container | Hardened Liberica JDK Lite and JRE Lite optimized for Cloud | jdk, jdk-all, jre |
bellsoft/hardened-liberica-native-image-kit-container | Hardened Liberica Native Image Kit (NIK) | jdk, jdk-all, jre |
Other Language Hardened Images
| Repository | Description | Language/Runtime |
bellsoft/hardened-python | Hardened Python with basic utilities (pip, setuptools, wheel) | Python 3.x |
bellsoft/hardened-go | Hardened Go compiler and runtime for building applications | Go 1.x |
bellsoft/hardened-gcc | Hardened GCC compiler, tools, and libraries for C/C++ development | GCC |
Python Tags:
- X.Y-glibc - specified version of Python with glibc
- X.Y-musl - specified version of Python with musl
- glibc - latest Python version with glibc
- musl, latest - latest Python version with musl
Go Tags:
- 1.X-glibc, 1.X.Y-glibc - specified version of Go with glibc
- 1.X-musl, 1.X.Y-musl - specified version of Go with musl
- glibc - latest Go version with glibc
- musl, latest - latest Go version with musl
GCC Tags:
- X.Y-glibc - specified version of GCC with glibc
- X.Y-musl - specified version of GCC with musl
- glibc - latest GCC version with glibc
- musl, latest - latest GCC version with musl
Java Runtime Tags:
Tags follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> structure:
Available Java Versions:
8, 11, 17, 21, 24Examples:
- jdk-21-glibc - Liberica JDK Lite 21 with glibc
- jre-17-musl - Liberica JRE Lite 17 with musl
- jdk-11-crac-glibc - JDK 11 with CRaC support and glibc
- jdk-17-cds-musl - JDK 17 with Class Data Sharing and musl
- jre-8-glibc - Liberica JRE Lite 8 with glibc
- jdk-24-musl - Liberica JDK Lite 24 with musl
- jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9
Native Image Kit Tags: Tags follow the jdk-<Java version>-nik-<NIK version>-<libc> structure:
- jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
- jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl
Tag Structure
Libc Variants
All hardened images are available in two libc implementations:
- glibc - Standard GNU C Library, better compatibility with existing applications
- musl - Lightweight, security-focused C library, smaller image sizes
Java Runtime Tag Structure
Java images follow the <JDK type>-<Java version>-[crac]-[cds]-<libc> pattern:
JDK Types:
- jdk - Liberica JDK Lite optimized for Cloud
- jdk-all - Full JDK for creating custom runtimes with jlink
- jre - JRE Lite for running Java applications only
Optional Features:
- crac - Coordinated Restore at Checkpoint support for instant startup
- cds - Class Data Sharing archives for faster JRE startup
Examples:
- jdk-21-glibc - JDK 21 Lite with glibc
- jre-17-cds-musl - JRE 17 with Class Data Sharing and musl
- jdk-21-crac-glibc - JDK 21 with CRaC support and glibc
- jdk-21.0.7_9-glibc - Specific JDK version 21.0.7+9
Native Image Kit Tag Structure
NIK images follow the jdk-<Java version>-nik-<NIK version>-<libc> pattern:
Examples:
- jdk-21-nik-24-glibc - NIK 24 for Java 21 with glibc
- jdk-17-nik-24.1.2-musl - NIK 24.1.2 for Java 17 with musl
Other Language Tag Structure
Other languages follow the <version>-<libc> pattern:
Examples:
- 3.10-glibc - Python 3.10 with glibc
- 1.21-musl - Go 1.21 with musl
- 11.2-glibc - GCC 11.2 with glibc
Architecture Support
All hardened images support multiple architectures:
- amd64 (x86_64) - Default if no architecture specified
- arm64 (aarch64) - ARM 64-bit architecture
- armv7 - ARM 32-bit architecture (selected images)
Multi-arch examples:**
bash
docker pull bellsoft/hardened-liberica-runtime-container:jdk-21-glibc
docker pull bellsoft/hardened-go:1.21-muslNote: All hardened images support multiple architectures. The appropriate architecture will be automatically selected based on your platform.
License Information
Important: It is the image user's responsibility to ensure that any use of BellSoft hardened container images complies with all relevant licenses for software contained within the images.
All BellSoft hardened container images contain various software components distributed under different licenses. The table below summarizes the primary licenses for each image type:
License Summary by Image Type
| Repository | Primary Components | Main Licenses |
bellsoft/hardened-base | Base system libraries, musl/glibc | MIT, LGPL-2.1+ |
bellsoft/hardened-liberica-runtime-container | Liberica JDK/JRE, base system | GPL-2.0 with Classpath Exception, MIT |
hardened-liberica-native-image-kit-container | Liberica NIK, GraalVM components | GPL-2.0 with Classpath Exception, UPL-1.0 |
bellsoft/hardened-python | Python runtime, pip, setuptools | Python Software Foundation License, MIT |
bellsoft/hardened-go | Go compiler and runtime | BSD-3-Clause |
bellsoft/hardened-gcc | GCC compiler, C/C++ libraries | GPL-3.0+, LGPL-3.0+ |
License Compliance Commands
Inspect All Licenses in an Image
# List all installed packages with licenses
docker run --rm bellsoft/hardened-liberica-runtime-container:jdk-21-glibc \
grep -E '^[PVL]:' /var/lib/apk/db/installed
Extract License Information by Component
# Get package information (P), version (V), and license (L)
docker run --rm bellsoft/hardened-python:3.12-glibc \
awk '/^P:/{pkg=$2} /^V:/{ver=$2} /^L:/{lic=$2; print pkg, ver, lic}' \
/var/lib/apk/db/installed
Search for Specific License Types
# Find all GPL-licensed components
docker run --rm bellsoft/hardened-gcc:14.3-glibc \
grep -A2 -B2 "GPL" /var/lib/apk/db/installed