Bitnami

What it is #

Bitnami is a curator and distributor of pre-built open-source software stacks. It predates the modern provenance ecosystem by about a decade and started as a packager of installable application stacks; today its main products are several hundred container images and Helm charts for mainstream open-source applications (PostgreSQL, MariaDB, Redis, MongoDB, Kafka, WordPress, and so on), plus a smaller catalogue of language-runtime images covering Java, Python, Node.js, Ruby, and .NET.

Bitnami was acquired by VMware in 2019 and is now part of Broadcom. The catalogue is offered in two tiers:

  • Free tier. A subset of Bitnami Secure Images, restricted to the latest tag and to non-production use. Hosted on Docker Hub.
  • Bitnami Secure Images. The paid catalogue (also marketed as “Bitnami Premium” or under the “VMware Tanzu Application Catalog” name). Ships SLSA 3 build provenance, SBOMs, VEX documents, CVE scan results, and an SLA for CVE patching.

Like Chainguard, the product is not another way to audit existing packages: it is a different supply of pre-built artefacts. Customers substitute Bitnami’s build (docker pull bitnami/postgresql, or the corresponding Helm chart) for an upstream or vendor-provided one.

Trust model #

Trust in Bitnami is single-anchor and commercial. The customer trusts Bitnami, operated by Broadcom, to track upstream releases, rebuild from source, patch CVEs, and operate the catalogue without deviating from its stated process. In the paid tier that trust is backed by SLSA 3 attestations, signed artefacts, and SBOMs; in the free tier it reduces to Bitnami’s reputation and the integrity of Docker Hub hosting.

Bitnami’s claim about an artefact is about its build, packaging, and ongoing maintenance, not about whether the upstream source has been read. Bitnami scans packages using existing open-source vulnerability scanners, applies fixes as upstream packaging releases them, runs an automated functional test suite over each release, and commits to publishing security-critical updates within a stated window. It does not audit upstream source code, and makes no guarantee that the code is correct or free of vulnerabilities.

Comparison to OpenVet #

Bitnami and OpenVet address different layers of the same problem, and can be used together.

What is being attested. Bitnami attests where an artefact came from and how it was built: which upstream release was packaged, what dependencies were patched, by which Bitnami pipeline. OpenVet helps you make attestations about the code itself: whether it is malicious, whether it is implemented correctly, whether there are findings consumers should know about. A Bitnami Secure Images attestation does not say anything about whether the upstream source has been read.

Trust set. Bitnami customers trust one signing identity: Bitnami’s, operated by Broadcom. OpenVet consumers list one or more log URLs in openvet.toml, each independently signed by its owner. One is a single commercial trust anchor, the other is a configurable set.

Scope of artefacts. Bitnami ships around 350 container images and 140 Helm charts, focused on whole-application stacks (databases, message brokers, web platforms) plus a smaller set of language-runtime images. OpenVet covers the full package set of each supported ecosystem (Cargo, npm, PyPI, Go modules, RubyGems), since audits attach to packages that already exist in those registries.

Cost and access. Bitnami’s free tier is restricted to the latest tag and to non-production use. Production deployments need the paid Bitnami Secure Images subscription. OpenVet is open infrastructure: running an audit log requires no agreement with anyone. Audits are licensed under permissive licenses, giving you the right to use them however you like at no cost.

Using alongside OpenVet #

The two operate at different layers of the dependency tree.

Application stacks vs source-level audit. Bitnami’s unit of distribution is a whole application packaged as a runnable container or Helm chart (a PostgreSQL release, a Kafka release). OpenVet’s unit of attestation is an individual source package. Bitnami’s pitch is “here is a ready-to-run Postgres, built and signed by us”; OpenVet’s pitch is “here is what auditors you trust have said about the source packages your own application depends on”.

Stacking them. Use Bitnami images or Helm charts for runtime dependencies you would otherwise package yourself, and OpenVet to check whether the source dependencies of your own application have been audited by people you trust. The two answer different questions about different parts of the same deployment.

Where the curated catalogue ends. Bitnami’s coverage is, by definition, what Bitnami has chosen to build. For anything outside the catalogue (your own application, niche libraries, less popular runtimes) the answer is self-packaging and self-review. OpenVet does not change that, but it does provide a way to share the review part with other consumers.