What’s Up with Bitnami? Unraveling the Myths About Your Favorite Pre-Packaged Open Source Software Catalog

Published: (December 22, 2025 at 12:38 PM EST)
5 min read

Source: VMware Blog

Bitnami’s Big Year: What’s Really Happening

It’s been a big year for Bitnami. In addition to turning 18 this spring, the open‑source catalog has been streamlined and a new commercial offering was launched. As expected, the flurry of activity generated some confusion, and a few competitors tried to sow fear, uncertainty, and doubt.

Below is a clear, factual rundown so Bitnami users and customers can understand what’s really going on with the open‑source catalog and its related commercial offerings.

“Rumors of my demise are greatly exaggerated!” – (a nod to Mark Twain)

The Reality

  • Bitnami remains open source and free.
    The catalog is still publicly available, and the source code for all assets is hosted on GitHub.

  • Commercial vendors still rely on Bitnami’s open‑source work.
    Many companies package Bitnami’s open‑source images and charts as part of their own solutions.

  • A robust engineering legacy.
    Over its 18‑year history, the Bitnami engineering team has created more than 110 best‑in‑class Helm charts.

  • All source code is still accessible.

    • Debian‑based container images:
    • Helm charts:
  • You can still build your own images and charts from the publicly available source.

Stay informed, stay confident, and keep building with Bitnami.

Bitnami’s Docker Hub Registry Is Still Available

  • New hardened images – We have added 40 hardened OCI images that were never before available to the community.
  • Reduced CVEs – Images that scanners previously flagged with more than 100 CVEs on average now report near zero thanks to these hardened builds. (A scanner count is a point‑in‑time measure: newly published CVEs raise the number again until the next rebuild, so rescan on a schedule rather than trusting the count from the day you pulled.)

What’s changed?

  Old images                  New images                                 Benefits
  Debian‑based images         PhotonOS‑based images                      • Drop‑in replacements
                                                                         • Same Helm‑chart compatibility
                                                                         • No CI/CD or Helm‑chart changes required
  Limited security metadata   Full security metadata (SBOM, VEX, etc.)   • Viewable via the public catalog interface

Availability

  • 40 hardened images are freely available on Docker Hub.

    • Note: These images are overwritten with each update, and only the latest tag is supported. Because the tag is mutable, two pulls of the same tag can return different content, so pin by digest if you need a reproducible deployment. They are suitable for development and testing, but not recommended for production use without a subscription.
  • Enterprise subscription – For teams that need more than the 40 images, the commercial Bitnami subscription provides access to > 280 hardened applications.
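The mutable‑tag note above deserves a concrete check. A tag that is overwritten in place means a scan you ran yesterday says nothing about what your cluster pulls tomorrow; the usual fix is to record the content digest and deploy that instead. The following is an added example, not Bitnami’s or VMware’s tooling: it reads the JSON that `docker image inspect` prints (a constructed sample is embedded, with a placeholder digest and the placeholder repository name bitnami/example-app), refuses to fall back to the tag if no valid digest is present, and emits a digest‑pinned reference together with the Helm override. The `image.digest` value name is the one Bitnami charts expose for this purpose; confirm it against the values.yaml of the chart you actually deploy.

```python
"""Pin a mutable image tag to its content digest.

Added example (not Bitnami's or VMware's code). It parses the JSON printed
by `docker image inspect <ref>`, picks the repository digest, and emits a
digest-pinned reference plus a Helm override. The inspect output below is
constructed and the digest is a placeholder.
"""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for `docker image inspect bitnami/example-app:latest`
# (only the fields this example reads; the digest value is a placeholder).
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:" + "11" * 32,
    "RepoTags": ["bitnami/example-app:latest"],
    "RepoDigests": ["bitnami/example-app@sha256:" + "ab" * 32],
}])

# Constructed inspect output with no repository digest (e.g. a locally built
# image that was never pushed): pinning must fail loudly here.
SAMPLE_INSPECT_NO_DIGEST = json.dumps([{
    "Id": "sha256:" + "22" * 32,
    "RepoTags": ["bitnami/example-app:latest"],
    "RepoDigests": [],
}])


def parse_ref(ref: str) -> dict:
    """Split 'repo[:tag][@digest]' into parts; a tag-only ref is mutable."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, tag = ref, None
    # A registry host may carry a port (registry:5000/repo), so only the
    # last path component is allowed to hold the tag.
    head, sep, last = ref.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
        repo = head + sep + last
    return {"repo": repo, "tag": tag, "digest": digest, "mutable": digest is None}


def pin_from_inspect(inspect_json: str, repo: str) -> dict:
    """Return the digest-pinned reference for `repo` from inspect output.

    Raises instead of silently falling back to the tag when the digest is
    missing or malformed, because a fallback would reintroduce mutability.
    """
    records = json.loads(inspect_json)
    if len(records) != 1:
        raise ValueError("expected exactly one image record")
    for rd in records[0].get("RepoDigests", []):
        rd_repo, _, digest = rd.partition("@")
        if rd_repo == repo and DIGEST_RE.match(digest):
            return {
                "pinned_ref": f"{repo}@{digest}",
                "digest": digest,
                # Bitnami charts take image.digest (check the chart's
                # values.yaml); when set it overrides image.tag.
                "helm_set": f"--set image.digest={digest}",
            }
    raise ValueError(f"no valid repository digest for {repo}")


if __name__ == "__main__":
    pinned = pin_from_inspect(SAMPLE_INSPECT, "bitnami/example-app")
    print("mutable input :", parse_ref("bitnami/example-app:latest")["mutable"])
    print("pinned ref    :", pinned["pinned_ref"])
    print("helm override :", pinned["helm_set"])
```

In practice you run the inspect step in CI right after `docker pull`, store the resulting `pinned_ref` alongside the scan report, and feed the `--set image.digest=...` override to `helm upgrade`; the chart then deploys exactly the bytes you scanned regardless of what the tag points to later.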

Bottom line: Switch to the PhotonOS‑based images for an instant security boost—no changes to your Helm charts or CI/CD pipelines required.

Bitnami’s Helm Charts Are Unmatched

Bitnami has spent many years becoming a leader in authoring first‑party Helm charts. The rapid appearance of “replacement” Bitnami charts is therefore suspicious—those replacements are, in fact, Bitnami charts under the hood. Building more than 110 Helm charts from scratch, with security‑by‑design principles and continuous testing across multiple Kubernetes distributions, requires significant time and expertise.

Over the years, Bitnami has received countless GitHub issues and pull requests that continuously improve the charts, shaping them into what they are today. This is why some vendors have had to admit they “soft‑forked” Bitnami’s work (see the Chainguard announcement). If Bitnami’s charts weren’t freely available, such copying wouldn’t be possible.

The real myth is that other vendors can provide the same production‑grade support as Bitnami. In reality, Bitnami’s long‑standing commitment to quality, security, and community collaboration makes its Helm charts uniquely reliable.

All Patches Are Not Equal

The power of Bitnami’s automation capabilities truly shines when it comes to releasing patches quickly—often within a few hours of a fix becoming available.

Example

Bitnami’s response to a Python CVE (summer 2025) illustrates this speed. When Bitnami detects a new upstream version, it automatically:

  1. Triggers the build and verification pipelines.
  2. Updates Helm charts, container images, and all related dependencies.
  3. Ensures everything works as intended.

Because Bitnami never forks upstream, the builds you receive are compiled from the exact release that the original project maintainers published and vetted, not from a privately patched copy.

Why Not “Quick‑Fix” Forks?

Some teams release modified code (e.g., swapping JAR files) before an official patch is available. While this may appear faster, it sacrifices:

  • Quality – the code isn’t reviewed through the upstream’s normal process.
  • Durability – future updates can break the custom changes.
  • Security – bypasses peer review and established open‑source controls.

Patching outside the prescribed upstream pathway creates a fork, undermining the best practices of open‑source development.

Bitnami’s Approach

  • Build from source using official releases, guaranteeing that dependencies remain unchanged and operational uniformity is maintained.
  • VEX assessment data for CVEs not yet addressed upstream. This data explains how a vulnerability impacts the application, enabling customers to quickly triage the risk profile. See the VEX assessment documentation.
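The VEX point is the one that changes day‑to‑day operations: a scanner will keep flagging a CVE that is present in the image but not exploitable in the way the application uses the component, and a VEX statement is what lets you suppress that finding with a documented reason instead of an ad‑hoc allowlist. The block below is an added example, not Bitnami’s or VMware’s code. It assumes the VEX data is OpenVEX‑style JSON (statements carrying a vulnerability name, the products they apply to, a status and, for not_affected, a justification); the scanner findings, the VEX document, the product identifier and the CVE identifiers are all constructed placeholders, not real vulnerabilities. It also shows the two checks a practitioner wants: a statement only counts for the product it names, and a not_affected statement with no justification or impact statement is not allowed to silence anything.

```python
"""Triage scanner findings against a VEX document.

Added example, not Bitnami's or VMware's tooling. Assumes OpenVEX-style
JSON statements. The scanner findings, the VEX document, the product id
and the CVE identifiers are constructed placeholders, not real CVEs.
"""
import json

# Status values defined by OpenVEX; anything else is rejected, not ignored.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

IMAGE = "pkg:oci/example-app@sha256:" + "ab" * 32   # placeholder product id

# Constructed scanner output: the (CVE, package) pairs a scanner would report.
SCANNER_FINDINGS = [
    {"id": "CVE-2099-0001", "package": "libfoo"},
    {"id": "CVE-2099-0002", "package": "libbar"},
    {"id": "CVE-2099-0003", "package": "libbaz"},
]

# Constructed OpenVEX-style document covering two of the three findings.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-app-1",
    "author": "example publisher",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2099-0001"},
         "products": [{"@id": IMAGE}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2099-0002"},
         "products": [{"@id": IMAGE}],
         "status": "under_investigation"},
    ],
})

# Constructed document with a not_affected claim that gives no reason.
VEX_DOC_UNJUSTIFIED = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-app-2",
    "author": "example publisher",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2099-0003"},
         "products": [{"@id": IMAGE}],
         "status": "not_affected"},
    ],
})


def load_statements(vex_json: str, product: str) -> dict:
    """Index statements by CVE id, keeping only those that name `product`.

    A not_affected statement without a justification or impact_statement is
    downgraded to under_investigation: OpenVEX requires one of the two for
    not_affected, and an unexplained claim must not suppress a finding.
    """
    doc = json.loads(vex_json)
    index = {}
    for st in doc.get("statements", []):
        status = st.get("status")
        if status not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        if not any(p.get("@id") == product for p in st.get("products", [])):
            continue
        if status == "not_affected" and not (
                st.get("justification") or st.get("impact_statement")):
            status = "under_investigation"
        index[st["vulnerability"]["name"]] = {
            "status": status,
            "justification": st.get("justification"),
        }
    return index


def triage(findings: list, vex_index: dict) -> dict:
    """Split findings into those VEX lets you suppress and those still open."""
    suppressed, open_findings = [], []
    for f in findings:
        st = vex_index.get(f["id"])
        if st and st["status"] in ("not_affected", "fixed"):
            suppressed.append({**f, **st})
        else:
            open_findings.append(
                {**f, "status": st["status"] if st else "no_vex_statement"})
    return {"suppressed": suppressed, "open": open_findings}


if __name__ == "__main__":
    result = triage(SCANNER_FINDINGS, load_statements(VEX_DOC, IMAGE))
    for row in result["suppressed"]:
        print("suppress", row["id"], row["status"], row["justification"])
    for row in result["open"]:
        print("open    ", row["id"], row["status"])
```

Only not_affected and fixed clear a finding; affected and under_investigation stay on the open list with their status attached, so the report still shows that the vendor has looked at the CVE even when it cannot yet be closed.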

Comprehensive SBOMs

Bitnami fetches the application’s source code directly and records its source URL, version, and license at build time, information that cannot be recovered merely by scanning the finished image. This lets Bitnami describe what is in your software with deeper, more transparent insight, making audits easier, reducing risk, and improving supply‑chain security (see the SLSA definition of supply‑chain threats).

Many vendors use scanning tools to generate Software Bill of Materials (SBOM) documents from an image. While scanners can provide a certain level of visibility, they often fail to recognize proper licenses or binaries that are not part of packages because there is no metadata to rely on. Consequently, you don’t get comprehensive coverage of what’s inside the software you are ingesting.

Bitnami’s approach:

  • Builds SBOMs from the very first build steps in the pipeline.
  • Captures source URL, version, and license information directly from the source code.
  • Provides complete, accurate visibility of all components, including those without package metadata.

Bitnami’s Enduring Enterprise Appeal

For organizations that run their businesses on open source, Bitnami offers a high level of transparency, enabling rapid response to vulnerabilities and to the incidents they cause. Bitnami continues to pioneer how enterprises use open source with swift releases of CVE patches, sometimes within hours of an upstream fix becoming available.

Our transparent approach ensures that organizations can act with full knowledge of their options and the implications of each decision.

  • Explore Bitnami’s catalog of over 280 secure, hardened container images: Bitnami Catalog
  • Request a free trial: Contact Us