Thursday, May 28, 2026

Survey: Spring Builders Have a Blindspot When It Involves Container Safety

SAN JOSE — A survey from BellSoft found that Spring developers don’t know their Dockerfiles affect their security posture, aren’t using hardened images and can’t name their compliance framework, exposing their organizations, applications and users to considerable risk.

BellSoft surveyed 250 Spring developers, DevOps engineers and Java architects on-site at Spring I/O 2026, one of the most important annual events in the European Java ecosystem. The survey probed not just tool adoption but the underlying knowledge gaps, decision-making structures and practices that determine whether Java container deployments are secure.

Here are the key findings:

64% of Spring developers didn’t know their Dockerfile was a security risk

  • The most significant finding in this survey was not a gap in tooling but in knowledge. Sixty-four percent of respondents at Spring I/O, among the most engaged practitioners in the European Java ecosystem, had never considered that Dockerfile authoring decisions directly affect their security posture.

42% of survey respondents had never heard of hardened images

  • Only 22% of respondents currently use hardened container images in production, and 42% have never encountered the concept at all. This is a structural awareness gap: adoption can’t outpace knowledge. The 14% who said they’re interested but haven’t started yet, and the 7% who are planning adoption, represent a pipeline, but one that requires education before it converts to practice.

44% of engineers couldn’t name the compliance rules governing their container stack

  • DORA and ISO 27001 each applied to 22% of surveyed organizations, with NIS2 adding a further 12%. These are not aspirational frameworks. They are in force today, with binding requirements for software supply chain security, vulnerability management and digital resilience. Their engineering implications are direct: image provenance, CVE patching cadence, SBOM generation and incident response all fall within scope.
  • And yet, 44% of respondents answered “not sure, managed by another team” when asked about their compliance framework. This isn’t necessarily negligence: large organizations route compliance through dedicated GRC functions, and developers are often shielded from the specifics. But when engineers don’t know which frameworks apply, they can’t build systems that meet them. The connection between daily engineering decisions (base image selection, patching cadence, signing, etc.) and regulatory obligations must be better understood at the practitioner level.

16% of respondents apply zero of the five most important container security practices

  • These five practices — scanning, hardening, patching, SBOMs and image signing — form a layered container security defense. Each layer compensates for the gaps in the others. Fewer than 2% of respondents have all five in place, roughly 65% apply zero or one practice, and 16% apply none at all, relying on cloud providers to manage a security domain that cloud providers explicitly don’t own under the shared responsibility model.

“Container security is no longer a niche concern for platform engineers,” said Alex Belokrylov, CEO at BellSoft. “Developers are woefully under-informed about the scope of this issue, and the data is clear: controls embedded at the platform level achieve universal, consistent coverage, while controls that depend on individual developer awareness don’t. The urgent priority is education; the second is automation.”
