Urgent: Bitnami’s Docker Hub and Helm Chart Changes – Act Before September 29, 2025

by Capstone Helpdesk on September 23, 2025 in Kubernetes

For anyone running Kubernetes on vSphere Kubernetes Service on VCF, Tanzu Kubernetes Grid Integrated, Red Hat OpenShift, or hyperscaler service offerings, please note the upcoming changes for Bitnami community users. Starting September 29th, Bitnami’s community artifacts will evolve into a focused set of ~40 OCI artifacts and ~10 Helm charts, built on a minimal runtime with zero or near-zero CVEs. These artifacts will only be available via the latest tag and are intended for development use only. The prior Bitnami community images will be archived into a legacy repository and will no longer receive security patches or updates. Without action, pipelines and Kubernetes clusters pulling from the current Bitnami community repository will break.

 

⚠️ Changes Effective September 29th

  • Bitnami will archive its Docker Hub images and charts and gradually move existing ones to a Bitnami Legacy repository.
  • A limited free community tier will be available, providing ~40 images and ~10 Helm charts — and these will only be available on the “latest” tag, and are intended for development use only.
  • Helm charts and container images’ open-source code will continue to be maintained up-to-date and accessible on GitHub under the Apache 2 license.

 

Why are these changes happening?

 
Bitnami has been building and maintaining a significant library of OCI images, and doing so has become unsustainable. Operating a build pipeline and OCI registry for the public is expensive. Users can continue to freely access the Helm chart source to build their own images; however, a subscription will be required if an organization needs the images and charts built and hosted in an OCI registry for them.
 

Switching to Bitnami Secure Images (BSI)

 
Bitnami Secure Images are Photon-based images, instead of Debian-based. Some BSI images will be free and only meant for use in development/testing situations. A commercial subscription is recommended for access to the entire catalog, stable tags, long-term support versions, and more. Users are advised to upgrade and start using the hardened Photon Linux-based images when possible. They have been designed as replacement images for any of the Debian images and work with the same Helm charts.

The Photon images provide many other benefits not previously available to users of Debian images, including:

  • Drastically reduced CVE count (e.g., from 100+ CVEs to, in some cases, 0)
  • VEX statements for easier triage, along with Known Exploited Vulnerabilities (KEV) and EPSS scores
  • A self-service UI/API with powerful reporting and metadata capabilities
  • More advanced Helm charts that are not available on Docker Hub, such as Bitnami’s “distroless charts”, which offer an 83% smaller attack surface (by MB).
  • Support for customizing the images built by our secure SLSA 3 software factory
  • Images and Helm charts are delivered to a private and secure OCI registry dedicated to each customer instead of relying on a public registry with rate limits like Docker Hub.
  • Access to over 90 VM Images in OVA format
  • Enterprise support for packaging and installation issues

A list of all currently available applications can be found here: https://app-catalog.vmware.com/bitnami/apps
 

How do I access Helm charts going forward?

 
We recommend reviewing your Kubernetes environment for Bitnami Helm chart usage immediately and beginning to plan your migration to Bitnami Secure Images with one of the available options:

  1. Build Helm chart images from source and store them on an image registry
  2. Consume Helm charts and images through Bitnami Secure Images
  3. Consume Helm charts and images through VMware Tanzu Application Catalog – This is essentially the same as option #2, except artifacts are consumed via a Tanzu branded interface
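
One way to start the review recommended above, as an added example that is not code from Capstone or Bitnami: the script scans the JSON produced by `kubectl get pods -A -o json` for containers whose image resolves to the `bitnami/` namespace on Docker Hub, and marks those pinned to a version tag or digest, since only the latest tag remains in the community tier. The sample pod list and the function names are assumptions of this example.

```python
import json
import sys

# Registry hosts that all resolve to Docker Hub.
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}
# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "db-0"},
     "spec": {"initContainers": [{"name": "perms", "image": "bitnami/os-shell:12"}],
              "containers": [{"name": "pg", "image": "docker.io/bitnami/postgresql:16.4.0"}]}},
    {"metadata": {"namespace": "web", "name": "cache-1"},
     "spec": {"containers": [{"name": "redis", "image": "registry-1.docker.io/bitnami/redis"}]}},
    {"metadata": {"namespace": "web", "name": "front-2"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"},
         {"name": "tools", "image": "registry.example.com:5000/bitnami/kubectl:1.30"}]}},
]}

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, _, rest = name.partition("/")
    # A leading component is a registry host only if it looks like one;
    # otherwise the reference is implicitly on Docker Hub.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, sep, tag = path.rpartition(":")
    if not sep:  # no tag given: "latest" is implied unless a digest pins the image
        repo, tag = path, ("" if digest else "latest")
    return registry, repo, tag, digest

def find_bitnami_hub_images(pod_list):
    """Return every container whose image comes from Docker Hub's bitnami/ namespace."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind) or []:
                registry, repo, tag, digest = parse_image(c["image"])
                if registry in DOCKER_HUB_HOSTS and repo.startswith("bitnami/"):
                    findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                                     "container": c["name"], "image": c["image"],
                                     "pinned": bool(digest) or tag != "latest"})
    return findings

if __name__ == "__main__":
    pods = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_bitnami_hub_images(pods):
        print("{namespace}/{pod} [{container}] {image} pinned={pinned}".format(**f))
```

Pipe live data in with `kubectl get pods -A -o json | python3` followed by the script's file name. The scan covers running workloads only, so chart values files and CI pipelines that reference the same images still need a separate search.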

 

Stop gambling with your security and compliance posture

 
One CVE is enough to cost a company millions, or even its ability to operate, resulting in a complete loss of the company. According to IBM, the average cost of a data breach in 2025 is around $4.4 million, which means that the cost of investing in BSI to greatly reduce your attack surface is pretty small in comparison.

Additionally, due to regulations in the USA and the EU, many organizations have been obligated to provide guarantees about the software they use. BSI is making it easier than ever for these organizations to manage their software and risk compliance by reducing NIST accreditation time by up to 80%. BSI offers built-in compliance for FIPS, STIG, FedRAMP, and has out-of-the-box support for air-gapped environments.

| Feature | Free OSS BSI | BSI Secure Images by Tanzu |
|---|---|---|
| Near-Zero CVEs | No ⮽ | Yes ☑ |
| Container images | ~40 | >420 |
| Helm charts | ~10 | >110 |
| Linux distributions | Debian | Debian, Ubuntu, RedHat UBI, Photon, Distroless |
| Versions supported | Latest | All LTS branches |
| Support | Community | Enterprise |
| SBOMs and scan reports | No ⮽ | Yes ☑ |
| Photon Hardened images | No ⮽ | Yes ☑ |
| VEX statements for rapid triage of CVEs | No ⮽ | Yes ☑ |
| Accreditation optimized applications | No ⮽ | Yes ☑ |
| FIPS, STIG | No ⮽ | Yes ☑ |
| Container customization | No ⮽ | Yes ☑ |
| Bring your own golden image | No ⮽ | Yes ☑ |
| Distro-less application Helm charts | No ⮽ | Yes ☑ |
| Air Gap support | No ⮽ | Yes ☑ |

 
⏰ Time is of the essence - Contact us today! Capstone IT Solutions is a Broadcom Expert Advantage Partner (EAP) that can help you evaluate the options and find the best fit for your needs and implement the chosen solution if needed.
 
