If you want to see how this looks in practice, BellSoft Hardened Images are here, including what's covered and the available variants: bell-sw.com/bellsoft-har...

19.02.2026 17:00

@bellsoft.bsky.social
Delivering #LibericaJDK: supported, #Java standard compatible binaries. Among Top-5 #OpenJDK contributors.
That's how BellSoft Hardened Images are built: each image ships with a complete SBOM, and image signing lets you verify integrity and authenticity across registries, so "what's inside" and "is it the right artifact" are answered by default, not on request.
19.02.2026 17:00

Once you start treating SBOMs and signing as routine parts of the pipeline, the next step is having them available at the base image level, not stitched on later.
19.02.2026 17:00

For the practical side, we've also published a step-by-step guide to generating SBOMs for Java artifacts and container images using common open-source tooling, with concrete Maven/Gradle workflows you can plug into CI: bell-sw.com/blog/how-to-...
19.02.2026 17:00

If you need a clear SBOM baseline, this walkthrough covers what an SBOM is, what it typically includes (component names/versions, suppliers, dependency relationships), and how teams use it for vulnerability and compliance work: bell-sw.com/blog/what-is...
19.02.2026 17:00

Together, SBOMs and signing remove a lot of friction in incident response and audits. When someone asks "what's running" and "where did it come from," you can answer with data and verification, not screenshots from a scanner or a reconstruction from CI logs.
19.02.2026 17:00

Image signing answers the second question: is this the exact image we meant to deploy? Instead of trusting tags and copy/paste, you verify integrity and provenance cryptographically, which matters most when artifacts move across registries and environments.
19.02.2026 17:00

SBOMs answer the first question: what's inside this image? A Dockerfile and a tag rarely tell the full story once images get rebuilt, mirrored, or retagged, so an SBOM gives you a stable, machine-readable inventory of what is being shipped.
19.02.2026 17:00

🧵 THREAD: SBOMs and image signing often get treated like "compliance paperwork." In practice, they solve two very operational problems: knowing what's inside an image, and proving that the image you deploy is the image you intended to deploy.
19.02.2026 17:00

In #Java26, JEP 500 makes "final" more final. Reflective writes to final fields warn by default (--illegal-final-field-mutation=warn), can be allowed (--enable-final-field-mutation), or denied (--illegal-final-field-mutation=deny). Hacks still work, but cleanup is coming. Repro 👇
18.02.2026 15:09

Happy Lunar New Year to everyone celebrating today.
Happy New Year! Wishing everyone swift success in the new year 🧧
Berlin: @asm0dey.site is hosting Spring User Group Berlin this Thu (Feb 19).
K8s Secrets in Spring, the production way (env vars vs files, rotation) + Kotlin for Spring 7 (pros/cons).
18:30 CET. RSVP: www.meetup.com/spring-user-...
Platform adoption can fail even when the tech is fine. Mandates create "usage," then teams build workarounds to keep shipping. You pay the platform cost and you still inherit the extra tech debt. Good breakdown here on what changes the outcome: platformengineering.com/features/why...
15.02.2026 13:13

We're live now with @dashaun.com and @cat-edelveis.bsky.social. Real talk on container security from the Devoxx 2025 survey. Join here: www.youtube.com/watch?v=Sqmx...
13.02.2026 14:31

Your container security strategy might be setting you up for failure, and you won't know until it matters.
⚡ Live TODAY 09:30 ET: @dashaun.com & @cat-edelveis.bsky.social break down the 2025 State of Container Security survey from Devoxx: www.youtube.com/watch?v=Sqmx...
Spring Data MongoDB takes the best of MongoDB and Spring Data. @cat-edelveis.bsky.social covers indexing, projections, custom queries, and aggregation pipelines. Real queries, actual data volumes, analytics. Practical patterns for production use: youtu.be/LCHMQk_uAv4
12.02.2026 15:53

Most Java security incidents are predictable engineering debt: vulnerable deps, weak boundaries, and no visibility when things break. We wrote a practical #Java app security checklist that covers code, runtime, and containers: bell-sw.com/blog/a-guide...
09.02.2026 12:45

In the upcoming #Java26, lazy constants get their second preview (JEP 526). java.lang.LazyConstant lets the app initialize them on demand with at-most-once semantics even under concurrency. Once initialized, the JVM can treat the value as a true constant and apply constant folding.
06.02.2026 16:14

Onboarding a new team taking weeks instead of hours is usually a symptom, not the problem itself. This article explains how ad-hoc DevOps practices stop working at scale, and where platform engineering really helps: platformengineering.com/social-faceb...
04.02.2026 14:17

More on BellSoft Hardened Images, including the remediation SLA, SBOM/signing, and available variants: bell-sw.com/bellsoft-har...
03.02.2026 12:45

You also get SBOM coverage, image signing, and a remediation SLA (7 days for critical, 14 days for others), so "what's the plan?" has a concrete answer.
03.02.2026 12:45

BellSoft Hardened Images are built around that lifecycle idea. We start with minimized images, keep the component set immutable (no package manager), and run continuous CVE monitoring with rebuilds when fixes land.
03.02.2026 12:45

To make this sustainable, the baseline image has to be treated like a maintained deliverable: fewer moving parts, controlled drift, and a predictable remediation loop when CVEs appear. Without that, hardening stays a snapshot and ops pays the bill.
03.02.2026 12:45

Every bounce costs time, so the only sustainable model is lifecycle-based: minimize the surface, lock the config to prevent drift, and keep rebuilds and fixes running as part of the release process.
03.02.2026 12:45

The gap usually appears during remediation. A scanner flags an OS or runtime CVE, and responsibility starts bouncing between internal teams.
03.02.2026 12:45

Minimization helps, but it's primarily a baseline improvement. Fewer packages means fewer caveats and fewer moving parts for inventory. Risk still stays open unless you have a reliable post-discovery workflow: clear ownership, predictable fixes, and repeatable rebuilds.
03.02.2026 12:45

The mistake is treating "hardening" as a one-time step. You shrink the image today, but new vulnerabilities are discovered, CVE records get updated, and what looked "clean enough" yesterday can look worse in the next scan without you changing a byte.
03.02.2026 12:45

This isn't only a security-team concern. In Red Hat's 2024 Kubernetes security survey, two-thirds of respondents said Kubernetes security concerns delayed or slowed deployments, and almost half reported adverse effects from container security and compliance incidents.
www.redhat.com/en/resources...
In its container risk research, NetRise reports 600+ known vulnerabilities in an average container image. It also highlights that some vulnerabilities are over five years old, and that a subset of critical/high issues are already weaponized and actively exploited.
www.techmonitor.ai/technology/c...
🧵 Thread: CVEs in container images don't "end" just because you cleaned up an image once. If you run containers in prod, save this for later.

03.02.2026 12:45