Survey: Spring Developers Have a Blind Spot When It Comes to Container Security

SAN JOSE — A survey from BellSoft found that Spring developers don’t know their Dockerfiles affect their security posture, aren’t using hardened images and can’t name their compliance framework, exposing their organizations, applications and users to considerable risk.

BellSoft surveyed 250 Spring developers, DevOps engineers and Java architects on-site at Spring I/O 2026, one of the most significant annual events in the European Java ecosystem. The survey probed not just tool adoption but the underlying knowledge gaps, decision-making structures and practices that determine whether Java container deployments are secure.

Here are the key findings:

64% of Spring developers didn’t know their Dockerfile was a security risk

  • The most significant finding in this survey was not a gap in tooling but in knowledge. Sixty-four percent of respondents at Spring I/O, among the most engaged practitioners in the European Java ecosystem, had never considered that Dockerfile authoring decisions directly affect their security posture.

42% of survey respondents had never heard of hardened images

  • Only 22% of respondents currently use hardened container images in production, and 42% have never encountered the concept at all. This is a structural awareness gap: adoption can’t outpace knowledge. The 14% who have heard of them but haven’t started yet, and the seven percent who are planning adoption, represent a pipeline, but one that requires education before it converts to practice.

44% of engineers couldn’t name the compliance rules governing their container stack

  • DORA and ISO 27001 each applied to 22% of surveyed organizations, with NIS2 adding a further 12%. These aren’t aspirational frameworks. They’re in force today, with binding requirements for software supply chain security, vulnerability management and digital resilience. Their engineering implications are direct: image provenance, CVE patching cadence, SBOM generation and incident response all fall within scope.
  • And yet, 44% of respondents answered “not sure, managed by another team” when asked about their compliance framework. This isn’t necessarily negligence: large organizations route compliance through dedicated GRC functions, and developers are often shielded from the specifics. But when engineers don’t know which frameworks apply, they can’t build systems that meet them. The connection between everyday engineering decisions (base image selection, patching cadence, signing, etc.) and regulatory obligations needs to be better understood at the practitioner level.

16% of respondents apply none of the five most important container security practices

  • These five practices — scanning, hardening, patching, SBOMs and image signing — form a layered container security defense. Each layer compensates for the gaps in the others. Fewer than 2% of respondents have all five in place, roughly 65% apply zero or one practice, and 16% apply none at all, relying on cloud providers to manage a security domain that cloud providers explicitly don’t own under the shared responsibility model.

“Container security is no longer a niche concern for platform engineers,” said Alex Belokrylov, CEO at BellSoft. “Developers are woefully under-informed about the scope of this problem, and the data is clear: controls embedded at the platform level achieve universal, consistent coverage, while controls that depend on individual developer awareness don’t. The urgent priority is education, the second is automation.”