Azul & Chainguard partner on zero-CVE Java containers

Techday NZ

19-06-2025

Azul and Chainguard have announced a partnership focused on strengthening container security for Java workloads through combined commercial Java support and secure container images.
The collaboration will see Chainguard create Java container images built from source, incorporating Azul's commercially supported build of OpenJDK from the Azul Platform Core. This approach is designed to allow enterprises to deliver production workloads more efficiently while addressing the complexities of securing the full software stack for Java applications.
Complexity in Java security
Java remains integral to a wide range of enterprise applications, with growing challenges around ensuring timely access to secure builds. Securing Java workloads requires reliable updates and consistent patching, traditionally necessitating expertise and timely intervention by vendors. Azul aims to fulfil this role by delivering fully supported OpenJDK builds intended as a direct replacement for Oracle Java, enabling organisations to maintain compliance and security while reducing expenditure and freeing development teams from remediation tasks.
Chainguard Containers supports customers by securing operating systems and application runtime environments. The combination targets gaps in current protection practices that too often see engineering and security teams handle numerous vulnerability disclosures, deal with inconsistent patching, and attempt to harden containers without slowing developer productivity. For Java workloads, which require both rapid security response and commercial support, these difficulties are particularly pressing.
Recent research from NetRise indicates that the average container carries 604 known vulnerabilities in underlying software components. Notably, over 45% of these CVEs are two to ten years old. This accumulation of unaddressed vulnerabilities increases risks for organisations that depend on containerised apps.
Findings from Azul's 2025 State of Java Survey & Report further highlight the impact of security issues. According to the report, 33% of respondents stated their DevOps teams spend more than half their time addressing false positives from Java-related vulnerabilities. Additionally, 49% of surveyed companies reported they are still encountering vulnerabilities from Log4j in production environments, nearly three years after the initial disclosure. The need to secure all layers, from operating systems to toolchains, forms a critical part of the software development lifecycle.
Hardened, zero-CVE Java containers
The partnership between Azul and Chainguard is positioned as a direct response to challenges identified by industry research. The joint offering will deliver zero-CVE containers for Java versions 21 and above, built from Azul's source code and supported commercially through Azul's Java expertise. Customers are expected to benefit from a streamlined way to secure Java application foundations, reducing overall risk exposure and enabling more consistent, reliable deployments.
The new container images will be constructed entirely from source and tested in accordance with the Java Compatibility Kit, providing assurance of compatibility and feature parity. Azul's approach to stabilised, security-only Critical Patch Updates gives engineering teams the opportunity to deploy updated Java images more efficiently, minimising manual patching and testing efforts. This is intended to help organisations redirect development resources away from platform maintenance and towards application delivery. "Our customers need solutions that reduce risk and build trust at every layer of their modern software deployment stack," said Dan Lorenc, co-founder and CEO at Chainguard. "Today, we're bringing Chainguard's expertise in building minimal, zero-CVE images and Azul's expertise in Java together to create the most secure, commercial-grade containers for cloud-native workloads."
Scott Sellers, co-founder and CEO at Azul, added: "Choosing a hardened container shouldn't mean sacrificing timely security-only updates and commercial support services for your Java runtimes. Today, we're excited to offer enterprises best-in-breed hardened Java containers from Chainguard while leveraging world-class commercial support from Azul."
Customers adopting Azul Java container images through Chainguard Containers will have access to commercial Java support within the Azul Platform Core portfolio. This ensures ongoing access to patches and direct assistance for Java runtime issues in critical enterprise environments.