Software supply chain security has become a top concern for developers, DevOps engineers, and IT leaders. High-profile breaches and dependency compromises have shown that open source components can introduce risk if not properly vetted and maintained. Although containerization has become commonplace in contemporary development and deployment, it can have drawbacks in terms of reproducibility and security.
There is a dire need for container builds that are not only simple to deploy, but also safe, repeatable, and maintained long-term against new threats – and that’s why Canonical is introducing the Container Build Service.
The open source security challenge
The use of open source software (OSS) is increasingly prevalent in enterprise environments. With analyses
According to a report from Canonical and IDC, organizations are adopting OSS primarily to reduce costs (44%), accelerate development (36%), and increase reliability (31%). Despite nine out of ten organizations expressing a preference to source packages from trusted OS repositories like those in their OS, most still pull directly from upstream registries. This means that the responsibility for patching falls heavily on IT teams. The report found that seven in ten teams dedicate over six hours per week (almost a full working day) to sourcing and applying security updates. The same proportion mandates that high and critical-severity vulnerabilities be patched within 24 hours, yet only 41% feel confident they can meet that SLA. What’s also interesting is that more than half of organizations do not automatically upgrade their in-production systems or applications to the newest versions, leaving them exposed to known vulnerabilities.
Supply chain attacks are also becoming more frequent. A study conducted by Sonatype showed that the number of software supply chain attacks doubled in 2024 alone, and according to a study by BlackBerry over 75% of organizations experienced a supply chain-related attack in the previous year. The Sonatype study also highlighted how prevalent malicious packages became in the last 12 months, with more than 500,000 malicious packages found in public repositories – a 156% increase from the previous year. This shows how attackers target upstream open source in order to compromise downstream users.
In light of these trends, development teams are seeking ways to ensure the integrity of their container images. Practices like reproducible builds and signed images are gaining popularity as defenses against tampering, while minimal images promise fewer vulnerabilities. However, implementing these measures requires significant effort and expertise. This is where Canonical’s latest offering comes in.
Canonical’s Container Build Service: reproducible, hardened and security-maintained images
Canonical has launched a new Container Build Service designed to meet the above challenges head-on. In essence, through this service, Canonical’s engineers will custom-build container images for any open source project or stack, with security and longevity as primary features. Whether it’s an open source application or a custom base image containing all the dependencies for your app, Canonical will containerize it according to your specifications and harden the image for production. The resulting container image is delivered in the Open Container Initiative (OCI) format and comes with up to 12 years of security maintenance.
The entire container supported for up to 12 years
Every package and library in the container – even those not originally in Ubuntu’s repositories – is covered under Canonical’s security maintenance commitment. We have a track record of patching critical vulnerabilities within 24 hours on average, ensuring quick remediation of emerging threats. Unlike standard base images that cover only OS components, Canonical’s service will include all required upstream open source components in the container build. In other words, your entire open source dependency tree is kept safe – even if some parts of it were not packaged in Ubuntu before. This means teams can confidently use the latest frameworks, AI/ML libraries, or niche utilities, knowing Canonical will extend Ubuntu’s long-term support to those pieces as well.
Each container image build comes with a guaranteed security updates period of up to 12 years. This far outlasts the typical support window for community container images. It ensures that organizations in regulated or long-lived environments can run containers in production for a decade or more with ongoing patching.
Truly portable
The hardened images are designed to run on any popular Linux host or Kubernetes platform. Whether your infrastructure is Ubuntu, RHEL, VMware, or a public cloud Kubernetes service, Canonical will support these images on that platform. This broad compatibility means you don’t have to be running Ubuntu on the host to benefit: the container images are truly portable and backed by Canonical across environments.
Long-term reproducibility and automation
Canonical’s build pipeline emphasizes reproducibility and automation. Once your container image is designed and built, an automated pipeline takes over to continuously rebuild and update the image with the latest security patches. This ensures the image remains up to date over time without manual intervention, and it provides a reproducible build process (verifiable by Canonical) to guarantee that the image you run in production exactly matches the source and binaries that were vetted.
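The check behind a reproducible build is simple to state: build twice, on different hosts or at different times, and the unpacked image trees must hash to the same value, while any tampered byte must change it. The script below is an added illustration of that check and is not Canonical's pipeline code; it constructs two tiny fake root filesystems in temporary directories, hashes them with timestamps and ownership deliberately excluded (the usual sources of spurious differences), and shows that a modified config file is detected. File paths and contents are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def rootfs_digest(root: str) -> str:
    """Content digest of an unpacked image root.

    Walks the tree in sorted order and hashes each file's relative path, its
    permission bits and its bytes. Timestamps, owner ids and inode numbers are
    deliberately left out: they differ between build hosts and would make two
    bit-identical builds look different. Symlinks contribute their target
    string rather than the target's contents. Empty directories are ignored.
    """
    h = hashlib.sha256()
    root_path = Path(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # in-place sort makes the traversal order deterministic
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            st = p.lstat()
            h.update(rel.encode() + b"\0")
            h.update(stat.S_IMODE(st.st_mode).to_bytes(2, "big"))
            if stat.S_ISLNK(st.st_mode):
                h.update(b"L" + os.readlink(p).encode() + b"\0")
            else:
                h.update(b"F")
                with open(p, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                h.update(b"\0")
    return h.hexdigest()


def write_rootfs(root: str, files: dict, mtime: int) -> None:
    """Constructed helper: lay out a tiny fake rootfs with a fixed mtime."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.chmod(p, 0o644)
        os.utime(p, (mtime, mtime))


# Constructed sample content standing in for a library and its config file.
SAMPLE_FILES = {
    "usr/lib/x86_64-linux-gnu/libssl.so.3": b"\x7fELF fake libssl bytes",
    "etc/ssl/openssl.cnf": b"[openssl_init]\n",
}


def builds_match(tamper: bool = False) -> bool:
    """Build the same rootfs twice with different timestamps and compare digests.

    With tamper=True the second build has its config file modified, which is
    exactly the case a reproducibility check must catch.
    """
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_rootfs(a, SAMPLE_FILES, mtime=1_700_000_000)
        second = dict(SAMPLE_FILES)
        if tamper:
            second["etc/ssl/openssl.cnf"] = b"[openssl_init]\n# injected line\n"
        write_rootfs(b, second, mtime=1_800_000_000)
        return rootfs_digest(a) == rootfs_digest(b)


if __name__ == "__main__":
    print("clean rebuild matches:", builds_match())
    print("tampered rebuild matches:", builds_match(tamper=True))
```

In a real pipeline the digest of the vetted build would be recorded (and signed) once, and every later rebuild compared against it; a mismatch means either a non-deterministic build input or a changed artefact, and both deserve investigation before the image is promoted.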
In short, the new Container Build Service delivers secure, reproducible, and highly dependable container images, tailor-made for your applications by the experts behind Ubuntu. It effectively offloads the heavy lifting of container security maintenance to Canonical, so your teams can focus on writing code and deploying features and not constantly chasing the next vulnerability in your container image.
Minimal footprint, optimal performance
A standout aspect of Canonical’s approach is the use of chiseled Ubuntu container images. Chiseled images are Canonical’s take on the “distroless” container concept – ultra-minimal images that include only the essential runtime components needed by your application and nothing more. By stripping away unnecessary packages, utilities, and metadata, chiseled images dramatically reduce image size and attack surface.
What exactly are chiseled images? They are built using an open source tool called Chisel which effectively sculpts down an application to its bare essentials. A chiseled Ubuntu container image still originates from the Ubuntu base you know, but with all surplus components carved away.
Chiseled images include only the files and libraries strictly required to run your application, excluding surplus distro metadata, shells, package managers, and other tools not needed in production. Because of this minimalist approach, chiseled images are significantly smaller than typical Ubuntu images. This not only means less storage and faster transfer, but also inherently fewer places for vulnerabilities to hide. In a .NET container optimization exercise done by the ACA team at Microsoft, chiseling reduced the Backend API image size from 226 MB to 119 MB, a 56.6% reduction, and cut CVEs from 25 to just 2, a 92% decrease. Packages also dropped from 451 to 328, leaving far fewer potential vulnerabilities to manage.
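The mechanism that makes this possible is worth seeing in miniature. Chisel works from per-package slice definitions: each slice names the files it contributes and the other slices it is essential on, and cutting a rootfs means resolving that dependency graph and copying only the listed paths. The script below is an added, simplified model of that resolution written for this article; it is not Chisel's own code, and the slice definitions and the "full package" file lists are constructed by hand to mirror the shape of real slice files (slice names follow Chisel's `package_slice` convention, for example `libc6_libs`). It shows which files a request for `openssl_bins` pulls in and which files of the same packages are left out.

```python
from collections import deque

# Constructed slice definitions: package -> slice -> (essential deps, contents).
# Real Chisel definitions are YAML files with the same structure.
SLICE_DEFINITIONS = {
    "libc6": {
        "libs": {
            "essential": [],
            "contents": ["/usr/lib/x86_64-linux-gnu/libc.so.6",
                         "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"],
        },
    },
    "libssl3": {
        "libs": {
            "essential": ["libc6_libs"],
            "contents": ["/usr/lib/x86_64-linux-gnu/libssl.so.3",
                         "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"],
        },
    },
    "openssl": {
        "bins": {
            "essential": ["libssl3_libs", "openssl_config"],
            "contents": ["/usr/bin/openssl"],
        },
        "config": {"essential": [], "contents": ["/etc/ssl/openssl.cnf"]},
    },
    "bash": {"bins": {"essential": ["libc6_libs"], "contents": ["/usr/bin/bash"]}},
    "dpkg": {"bins": {"essential": ["libc6_libs"], "contents": ["/usr/bin/dpkg"]}},
}

# Constructed: what a full, non-chiseled install of each package would ship.
FULL_PACKAGE_FILES = {
    "libc6": ["/usr/lib/x86_64-linux-gnu/libc.so.6",
              "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
              "/usr/share/doc/libc6/changelog.Debian.gz"],
    "libssl3": ["/usr/lib/x86_64-linux-gnu/libssl.so.3",
                "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
                "/usr/share/doc/libssl3/changelog.Debian.gz"],
    "openssl": ["/usr/bin/openssl", "/etc/ssl/openssl.cnf", "/usr/bin/c_rehash",
                "/usr/share/man/man1/openssl.1ssl.gz"],
}


def slice_definition(name: str, definitions: dict) -> dict:
    """Look up 'package_slice'; raise KeyError for anything undefined."""
    package, _, slice_name = name.partition("_")
    try:
        return definitions[package][slice_name]
    except KeyError:
        raise KeyError(f"unknown slice {name!r}") from None


def resolve_slices(requested, definitions: dict) -> set:
    """Breadth-first closure over 'essential' edges starting from requested slices."""
    seen, queue = set(), deque(requested)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(slice_definition(name, definitions)["essential"])
    return seen


def cut(requested, definitions=SLICE_DEFINITIONS, full_files=FULL_PACKAGE_FILES) -> dict:
    """Model of 'chisel cut': report the slices, packages and files selected,
    plus the files of those packages that a chiseled rootfs leaves behind."""
    slices = resolve_slices(requested, definitions)
    packages = sorted({s.partition("_")[0] for s in slices})
    files = sorted({p for s in slices for p in slice_definition(s, definitions)["contents"]})
    trimmed = sorted(p for pkg in packages
                     for p in full_files.get(pkg, []) if p not in files)
    return {"slices": sorted(slices), "packages": packages,
            "files": files, "trimmed": trimmed}


if __name__ == "__main__":
    result = cut(["openssl_bins"])
    for key, value in result.items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Note what the model leaves out of the selection: `bash` and `dpkg` are never reached because nothing in the requested graph depends on them, and within the selected packages the changelogs, man pages and the `c_rehash` helper are trimmed because no slice lists them. Each of those omissions is a file a scanner no longer has to assess and an attacker no longer finds in the image.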
With less bloat, chiseled containers start up faster and use less memory. They have only the essentials, so pulling images and launching containers is quicker. For example, chiseling the .NET runtime images trimmed about 100 MB from the official image and produced a runtime base as small as 6 MB (compressed) for self-contained apps. Such a tiny footprint translates to faster network transfers and lower memory overhead at scale.
By using chiseled Ubuntu images in its container builds, Canonical ensures that each container is as small and locked down as possible, while still being based on the world’s most popular Linux distribution for developers. It’s a combination that delivers strong security out of the box. And because these images are built on Ubuntu, they inherit Ubuntu’s long-term support policies. Our container images align with Ubuntu LTS release cycles and receive the same five years of free security updates, extended to ten years with Ubuntu Pro, for the core components. In the new build service, that support can stretch to 12 years for enterprise customers, keeping even the minimal runtime components patched against CVEs over the long term.
Built on Ubuntu Pro
Canonical coined the term “Long Term Support (LTS)” back in 2006 with Ubuntu 6.06 LTS, pioneering the idea of stable OS releases with 5 years of guaranteed updates. Since then, Ubuntu LTS has become a byword for reliability in enterprises. In 2019, Canonical introduced Ubuntu Pro, which expanded on this foundation by providing comprehensive security maintenance not just for Ubuntu’s core system, but for thousands of community (universe) packages as well, along with enterprise features like FIPS 140 certified cryptography. Today, Ubuntu Pro is a very comprehensive open source security offering, covering over 36,000 packages with 10-year maintenance.
This background matters because the new Container Build Service is essentially Ubuntu Pro for your container images. Canonical is extending its expertise in automated patching, vulnerability remediation, and long-term maintenance to the full stack inside your containers. By having Canonical design and maintain your container image, you’re effectively gaining a dedicated team to watch over your software supply chain. Every upstream project included in your container is continually monitored for security issues. If a new vulnerability emerges in any layer of your stack – whether it’s in the OS, a shared library, or an obscure Python package – Canonical will proactively apply the patch and issue an updated image through the automated pipeline. All of this happens largely behind the scenes, and you receive notifications or can track updates as needed for compliance. It’s a level of diligence that would be costly and difficult to replicate in-house.
Furthermore, Canonical’s involvement provides a chain of custody and trust that is hard to achieve with self-built images. The containers are built and signed by Canonical using the same infrastructure that builds official Ubuntu releases, ensuring integrity. Canonical and its partners have even established a zero-distance supply chain for critical assets – meaning there’s tight integration and verification from source code to the final container artefact. This approach greatly reduces the risk of tampering or hidden malware in the supply chain.
Because Ubuntu is so widely trusted, Canonical’s container images come pre-approved for use in highly regulated environments. Notably, hardened Ubuntu container images are already certified and available in the U.S. Department of Defense’s “Iron Bank” repository, which is a collection of hardened containers for government use. By leveraging Canonical’s service, organizations inherit this level of credibility and compliance. It’s easier to meet standards like FedRAMP, DISA-STIG, or the upcoming EU Cyber Resilience Act when your base images and components are backed by Ubuntu Pro’s security regime and provide auditable evidence of maintenance.
In summary, the Container Build Service stands on the shoulders of Ubuntu Pro and Canonical’s long experience in open source security. Your custom container isn’t just another bespoke image, it becomes an enterprise-grade artifact, with clear maintenance commitments and security SLAs that auditors and IT governance teams will appreciate.
Canonical’s container build service aims to have every layer of the container stack – from OS to app dependencies – maintained. With optimized chiseled sizes, a decade of updates, and Canonical’s support, these images are crafted for production.
Learn more about Canonical’s Container Build Service >
Get in touch to discuss securing your container stack today >