Azul and Chainguard Partner on Secure Java Container Images
- By John K. Waters
- June 30, 2025
Java platform provider Azul and container security company Chainguard have formed a strategic partnership to deliver secure container images for Java applications, addressing enterprise concerns about software supply chain vulnerabilities.
The collaboration combines Azul's commercial OpenJDK distributions with Chainguard's container security technology to produce what the companies describe as "zero-CVE" Java containers for versions 21 and beyond. The containers will be built from source code and include commercial support through the Azul Platform Core offering.
The partnership addresses a growing enterprise challenge in securing containerized Java applications. According to a NetRise study cited by the companies, the average container contains 604 known vulnerabilities, with more than 45% of those Common Vulnerabilities and Exposures (CVEs) being 2-10 years old.
Java applications face particular security challenges in enterprise environments. Azul's 2025 State of Java Survey found that 33% of respondents reported their DevOps teams spend more than half their time addressing false positives from Java-related security vulnerabilities. Additionally, 49% of companies continue to encounter Log4j security vulnerabilities in production environments three years after the initial discovery.
"Our customers need solutions that reduce risk and build trust at every layer of their modern software deployment stack," said Dan Lorenc, co-founder and CEO of Chainguard, in a statement. "Today, we're bringing Chainguard's expertise in building minimal, zero-CVE images and Azul's expertise in Java together to create the most secure, commercial-grade containers for cloud-native workloads."
The joint solution aims to streamline security updates for Java containers. Chainguard will build container images incorporating Azul's commercially supported OpenJDK builds, which are tested using the Java Compatibility Kit. Azul will provide security-focused Critical Patch Updates to enable faster deployment of updated Java images.
"Choosing a hardened container shouldn't mean sacrificing timely security-only updates and commercial support services for your Java runtimes," said Scott Sellers, co-founder and CEO of Azul, in a statement. "Today, we're excited to offer enterprises best-in-breed hardened Java containers from Chainguard while leveraging world-class commercial support from Azul."
Azul, headquartered in Sunnyvale, California, focuses exclusively on Java platform services and counts 36% of Fortune 100 companies among its customers, including BMW, Mastercard, and Salesforce. The company provides OpenJDK distributions as alternatives to Oracle's Java offerings.
Chainguard, based in Kirkland, Washington, specializes in secure software supply chains and container security. Its customers include Fortune 500 companies such as ANZ Bank, Hewlett Packard Enterprise, and Snowflake. The company is backed by investors including Sequoia Capital, Kleiner Perkins, and Amplify.
The partnership targets enterprises seeking to reduce the complexity of maintaining secure Java deployments while retaining commercial support. Organizations using the joint solution will receive Java support services through Azul Platform Core when consuming Chainguard's container images.
About the Author
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].