Red Hat launches Project Hummingbird for zero-CVE images
Red Hat has introduced Project Hummingbird, an early access programme providing a collection of minimal, hardened container images for its subscription customers. The project aims to address demand from IT organisations to strengthen application security while maintaining rapid software deployment.
Security and velocity
Red Hat says IT teams are often required to accelerate application delivery to meet business demands. At the same time, they must ensure systems remain secure against vulnerabilities. Balancing speed and risk mitigation has become increasingly challenging, especially as supply chain threats and the use of AI-assisted coding tools become more widespread.
Project Hummingbird offers a catalogue of production-ready container images that are stripped down to essential components. These containers are built to contain only what developers need for application stacks, focusing on popular languages and runtimes such as .NET, Go, Java and Node, as well as developer databases like MariaDB and PostgreSQL, and web servers and proxies including Nginx and Caddy.
Zero-CVE focus
A key feature of Project Hummingbird is its "Zero-CVE" status. Container images are shipped free of known vulnerabilities, alongside completed functionality testing to ensure their reliability in production environments. The project also provides a curated selection of containers that reflect the most requested use cases among Red Hat's customer base.
Organisations face mounting pressure to adhere to compliance requirements and manage complex software supply chains. Project Hummingbird seeks to address this by offering a complete software bill of materials (SBOM) for each image. This allows users to verify contents and meet compliance needs more effectively.
"The speed of business today depends on the speed of software. As supply chain attacks grow in prominence, organisations are often forced to choose between moving fast and maintaining security posture," says Gunnar Hellekson, Vice President and General Manager, Red Hat Enterprise Linux, Red Hat. "Project Hummingbird is designed to remove that trade-off by providing a minimal, trusted, and transparent zero-CVE foundation for building cloud-native applications. This limits vulnerabilities so development and IT security teams have a clear, direct path to business value with speed, agility, security, and peace of mind."
Supply chain assurance
When the programme becomes generally available, Red Hat says it will extend full production support to its subscription customers. Participants will have access to a hardened and documented software supply chain, as well as Red Hat's enterprise experience in maintaining open source code in critical production systems.
The company added that unsupported Project Hummingbird images will be available and redistributable at the time of general availability, following a similar model to other Red Hat offerings like Red Hat Universal Base Image.
Project Hummingbird builds on Red Hat's open-source development approach and is based on Fedora Linux components. Unsupported container images will be made freely available and redistributable upon general release, in line with the company's existing model for other solutions.