Starting today, Chkk detects when Bitnami Helm charts are being used in your Kubernetes environment. Detections surface as Operational Risks (RSigs) with clear ownership boundaries (one RSig per add-on or application service), continuous rescans every 12 hours, and notifications when new occurrences appear. You can consume these signals in the Chkk Dashboard, via the API, through the Risk Feed MCP Server (for coding assistants), over Slack/email, and by opening Jira tickets directly from KBAs. This release focuses on detection and short-term mitigation guidance.

In the coming weeks, we are also launching a Chart Migration Assistant which selects the least disruptive migration path and then helps you migrate to another upstream chart without impact.

TL;DR

• Detect Bitnami chart usage with per-resource RSigs (separate RSigs for each add-on and application service allow clean routing to the right owners).
  
  
• 12-hour rescans + notifications catch new or reintroduced risks quickly.
  
  
• Why now: on Aug 28th, 2025, all existing versioned tags move to docker.io/bitnamilegacy; charts remain as OCI but stop receiving updates. You have 1 month to adapt your workloads before the deletion of the Bitnami public catalog on September 29th, 2025.
  
  
• No remediation yet; a temporary mitigation keeps workloads running while you plan migrations.
  
  
• Fastest path: Chkk CLI (zero install, no Helm chart) → https://cli.chkk.io/
  

What Changed and Why It Matters

Starting August 28th, 2025, Broadcom moves all existing container image versions from docker.io/bitnami to docker.io/bitnamilegacy (archived, unpatched). Already packaged Helm charts remain as OCI under docker.io/bitnamicharts, but they won’t receive updates and can fail unless image references are overridden.

Operational symptoms

• ImagePullBackOffs when images aren’t available.
  
  
• Failed rollouts/rollbacks and stalled pipelines from missing tags.
  
  
• Exposure to unpatched CVEs when relying on archived images.
  
  

Shared-responsibility reality (Platform ↔ App teams)

• Many orgs let Application teams self-service infra with Helm. Even if Platform engineers clean up Platform-managed add-ons, an App team can redeploy a deprecated Bitnami chart tomorrow and reintroduce the risk.
  
  
• Platform is still accountable for reliability/security, but doesn’t control every deployment—visibility and continuous detection are how you stay ahead.
  

What Chkk Detects & Immediate Mitigation

Signal

• Per-resource RSigs: We create separate Operational Risks for each open-source project’s Helm chart usage. This matches how Platform teams naturally slice work and define ownership of infrastructure components.
  
  
• Continuous coverage: Clusters are rescanned every 12 hours. If a new workload introduces a deprecated Bitnami chart, you’ll be notified (Slack/email, Dashboard updates).
  
  

Temporary mitigation (not a fix)

• Keep your current chart version and override image repository fields to bitnamilegacy/... to prevent pull failures in the near term. Some charts define multiple image repositories (e.g., metrics, volume-permissions); update those as needed. Treat this strictly as temporary—legacy images are not patched.
  

We are not shipping a long-term remediation in this release.

Integrate This Signal Into Your Existing Workflows

• Chkk Dashboard (Risk Ledger)
  Investigate detections centrally and track progress in the Risk Ledger.
  https://docs.chkk.io/product/risk-ledger/overview#overview
  
  
• Chkk API
  Pull RSigs, list affected resources, and automate reporting/routing (resource + namespace data included).
  https://docs.chkk.io/api-reference/introduction#api-usage-examples
  
  
• Risk Feed & MCP Server
  Use the Risk Feed with the MCP Server to expose RSigs in coding assistants (e.g., IDE copilots), and slice by namespace to route findings into team Slack channels, Jira queues, or operational dashboards.
  https://docs.chkk.io/ai/risk-feed-mcp
  
  
• Notifications & Jira
  Receive Slack/email alerts on new occurrences. From the KBA page in the Dashboard, open a Jira ticket so the right owner can pick it up with context.
  
  
• Passing visibility to App teams
  Share the KBA with App teams (written so non-Kubernetes specialists can stop the immediate impact) OR use Chkk API’s namespace-level routing so each team sees only what they own.
  

Next Steps

1. See which resources in your Kubernetes environment are using deprecated Bitnami Helm charts: https://cli.chkk.io/ . Zero install, CLI-first, takes 1–2 minutes.
   
   
2. Migrate away from Bitnami Charts with Chkk: We are in the process of launching a Chart Migration Assistant to help you migrate to another upstream chart without impact. Share your chart if you would like it be included in this launch: