
Java 11 LTS

linux/amd64 linux/arm64

Adoptium + Bouncy Castle + Wolfi OS
Adoptium Upstream Release Metadata
Source Property Value
Full Version 11.0.30+7
SemVer 11.0.30+7
Security Level psu-30
Upstream Update 2026-01-28T09:20:16Z
Distribution Eclipse Temurin by Adoptium

Full Development Suite

Security Policy: Comprehensive environment containing the JDK, shell, and package manager for building and debugging applications.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:11-jdk_standard

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:11.0.30+7-jdk_standard

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:b4935955c0bb4f1a929579d5f1e922d31903e962aa6a078e8d20a5776171ba7d

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:b4935955c0bb4f1a929579d5f1e922d31903e962aa6a078e8d20a5776171ba7d  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 45
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 45 analyzed packages.


Clean Security Signature

No active threats detected in the 45 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
apk-tools 2.14.10-r10 GPL-2.0-only System (Wolfi)
bash 5.3-r5 GPL-3.0-or-later System (Wolfi)
busybox 1.37.0-r54 GPL-2.0-only System (Wolfi)
ca-certificates 20251003-r3 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r3 MPL-2.0, MIT System (Wolfi)
curl 8.18.0-r3 MIT System (Wolfi)
cyrus-sasl 2.1.28-r46 BSD-3-Clause System (Wolfi)
gdbm 1.26-r2 GPL-3.0-or-later System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
heimdal-libs 7.8.0-r43 BSD-3-Clause System (Wolfi)
keyutils-libs 1.6.3-r38 GPL-2.0-or-later, LGPL-2.0-or-later System (Wolfi)
krb5-conf 1.0-r8 MIT System (Wolfi)
krb5-libs 1.22.2-r1 MIT System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libbrotlicommon1 1.2.0-r1 MIT System (Wolfi)
libbrotlidec1 1.2.0-r1 MIT System (Wolfi)
libcom_err 1.47.3-r3 GPL-2.0-or-later, LGPL-2.0-or-later, BSD-3-Clause, MIT System (Wolfi)
libcrypt1 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r2 Apache-2.0 System (Wolfi)
libcurl-openssl4 8.18.0-r3 MIT System (Wolfi)
libgcc 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libidn2 2.3.8-r4 GPL-2.0-or-later, LGPL-3.0-or-later System (Wolfi)
libldap 2.6.10-r5 OLDAP-2.8 System (Wolfi)
libnghttp2-14 1.68.0-r1 MIT System (Wolfi)
libpsl 0.21.5-r7 MIT System (Wolfi)
libssl3 3.6.1-r2 Apache-2.0 System (Wolfi)
libstdc++ 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libunistring 1.4.2-r0 GPL-2.0-or-later, LGPL-3.0-or-later System (Wolfi)
libverto 0.3.2-r6 MIT System (Wolfi)
libxcrypt 4.5.2-r2 GPL-2.0-or-later, LGPL-2.1-or-later System (Wolfi)
ncurses 6.6_p20251230-r5 MIT System (Wolfi)
ncurses-terminfo-base 6.6_p20251230-r5 MIT System (Wolfi)
nghttp3 1.15.0-r1 MIT System (Wolfi)
posix-libc-utils 2.43-r2 LGPL-2.1-or-later System (Wolfi)
posix-libc-utils-bin 2.43-r2 LGPL-2.1-or-later System (Wolfi)
readline 8.3-r1 GPL-3.0-or-later System (Wolfi)
sqlite-libs 3.51.1-r0 blessing System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r1 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime

Supply Chain Transparency

Download SBOM JSON

Target: Java Development Kit (JDK)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Development Kit (JDK)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Development Kit (JDK) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers. LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane: disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.

Standard Production Runtime

Security Policy: Standard environment for running Java applications, equipped with a shell and system utilities for operational flexibility.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:11-jre_standard

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:11.0.30+7-jre_standard

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:fa11bed52ae5ce9ba23b779e7cc9fd49a18324e1ed5da9c4e345692113292fa7

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:fa11bed52ae5ce9ba23b779e7cc9fd49a18324e1ed5da9c4e345692113292fa7  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 25
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 25 analyzed packages.


Clean Security Signature

No active threats detected in the 25 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
apk-tools 2.14.10-r10 GPL-2.0-only System (Wolfi)
bash 5.3-r5 GPL-3.0-or-later System (Wolfi)
busybox 1.37.0-r54 GPL-2.0-only System (Wolfi)
ca-certificates 20251003-r3 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r3 MPL-2.0, MIT System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypt1 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r2 Apache-2.0 System (Wolfi)
libgcc 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libssl3 3.6.1-r2 Apache-2.0 System (Wolfi)
libstdc++ 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libxcrypt 4.5.2-r2 GPL-2.0-or-later, LGPL-2.1-or-later System (Wolfi)
ncurses 6.6_p20251230-r5 MIT System (Wolfi)
ncurses-terminfo-base 6.6_p20251230-r5 MIT System (Wolfi)
posix-libc-utils 2.43-r2 LGPL-2.1-or-later System (Wolfi)
posix-libc-utils-bin 2.43-r2 LGPL-2.1-or-later System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r1 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime

Supply Chain Transparency

Download SBOM JSON

Target: Java Runtime Environment (JRE)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Runtime Environment (JRE)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Runtime Environment (JRE) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers. LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane: disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.

Hardened Production Runtime

Security Policy: Minimalist rootfs with zero shell and zero utilities, optimized for high-assurance production environments.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:11-jre_distroless

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:11.0.30+7-jre_distroless

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:ae3da5731c52897012df1b97731505c5a3031956b58b9a33307dfb7cd75a157a

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:ae3da5731c52897012df1b97731505c5a3031956b58b9a33307dfb7cd75a157a  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 15
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 15 analyzed packages.


Clean Security Signature

No active threats detected in the 15 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
ca-certificates 20251003-r3 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r3 MPL-2.0, MIT System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r2 Apache-2.0 System (Wolfi)
libgcc 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libstdc++ 15.2.0-r10 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r1 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime

Supply Chain Transparency

Download SBOM JSON

Target: Java Runtime Environment (Distroless)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Runtime Environment (Distroless)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Runtime Environment (Distroless) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers. LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane: disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.


FIPS 140-3 Validation Tests

FIPS COMPLIANT: Module BC-FJA is active and enforcing Approved Mode.

  • Total Tests --- 32
  • Passed --- 32
  • Failed --- 0
  • Time --- 75.81s


Our high-assurance validation lifecycle ensures every artifact meets FIPS 140-3 requirements. We compile the security test suite with the trusted JDK variant and then mount it into the hardened, isolated JRE runtime. Inside that boundary, Bouncy Castle FIPS is installed as the security provider and set to "Approved Only" mode so that legacy primitives are blocked. The test engine then runs positive assertions (approved operations must succeed) and negative assertions (non-approved operations must be refused) to verify cryptographic enforcement at runtime. This continuous auditing provides a zero-trust foundation for mission-critical Java workloads.


Cryptographic Testing Workflow

graph LR
    subgraph "Compilation Stage"
    A[Java Test Suite] -->|JDK javac| B(Validated Bytecode)
    end

    subgraph "Execution Boundary"
    B -->|Mount| C[Target JRE Image]
    D[BCFIPS Provider] -->|Inject| C
    E[Strict Policy] -->|approved_only=true| C
    end

    subgraph "Analysis"
    C -->|Run| F{Assert Security}
    F -->|Success| G[FIPS Verified]
    F -->|Violation| H[Security Breach]
    end

    style G fill:#00c853,color:#fff
    style H fill:#d50000,color:#fff
    style C stroke-width:4px


Diagnostics Log

Verify EC P-256 Key Generation is allowed 2.013s

Confirms successful generation of Elliptic Curve keys using the NIST P-256 curve. This curve is an approved standard for secure and efficient asymmetric cryptography in FIPS environments.

Verify AES-CBC with PKCS7 Padding 2.026s

Verifies that AES in Cipher Block Chaining (CBC) mode is available. CBC remains a FIPS-approved encryption mode for various legacy and standard interoperability requirements.

Verify Anonymous Cipher Suites (DH_anon) are rejected 2.612s

Ensures that anonymous Diffie-Hellman cipher suites are disabled. These suites fail to provide server authentication and are explicitly forbidden in FIPS mode to prevent man-in-the-middle attacks.

Verify PBKDF2 with short salt (<128 bits) is rejected 2.062s

Validates that PBKDF2 operations require a minimum salt length. FIPS standards enforce sufficient entropy in key derivation to protect against pre-computed dictionary attacks.

Verify SecureRandom uses FIPS-Approved DRBG 1.948s

Confirms that the default SecureRandom implementation utilizes the Bouncy Castle FIPS-approved DRBG (Deterministic Random Bit Generator). This ensures all entropy and random value generation within the JVM meets the strict NIST SP 800-90A security requirements.

Verify 1024-bit DSA Key Generation is rejected 1.964s

Ensures that 1024-bit DSA keys are rejected. FIPS compliance mandates higher security strengths, effectively blocking legacy DSA parameters that do not meet the 112-bit security threshold.

Verify BCJSSE is the mandated SSLContext provider 2.572s

Validates that the default SSLContext is using the Bouncy Castle JSSE provider. This configuration ensures that all JVM-wide network operations utilize the FIPS-validated cryptographic module.

Verify PBKDF2WithHmacSHA256 is allowed 2.069s

Ensures that PBKDF2 (Password-Based Key Derivation Function 2) is available. It verifies that secure cryptographic keys can be derived from passwords using FIPS-approved iteration and hashing methods.

Verify JKS Keystore is strictly rejected in FIPS Mode 1.875s

Ensures that legacy Java KeyStore (JKS) files are strictly rejected at runtime. Blocking non-compliant keystore formats is a mandatory security control to prevent the accidental use of weak integrity checks and non-approved cryptographic primitives.

Verify AES-GCM is allowed by BCFIPS 2.021s

Verifies that AES in Galois/Counter Mode (GCM) is available and operational. AES-GCM is a FIPS-approved authenticated encryption algorithm that provides both confidentiality and data integrity.

Verify BCFKS Keystore is allowed and functional 2.011s

Verifies that the Bouncy Castle FIPS KeyStore (BCFKS) is fully supported and operational. BCFKS is the mandated storage format for keys and certificates within a FIPS 140-3 environment to ensure the protection of sensitive security parameters using approved algorithms.

Verify SHA1PRNG is rejected by BCFIPS 1.867s

Ensures that the legacy SHA1PRNG algorithm is strictly prohibited and inaccessible through the BCFIPS provider. FIPS 140-3 standards mandate the use of stronger, approved DRBG mechanisms and forbid the use of non-compliant RNG algorithms.

Verify BouncyCastle FIPS is the primary security provider 1.963s

Checks the security provider chain to confirm that 'BCFIPS' is positioned at the highest priority. This configuration is critical to ensure the JVM uses the FIPS-validated cryptographic module for all operations and prevents accidental fallback to standard, non-certified providers.

Verify Short HMAC Key is rejected 2.013s

Checks that HMAC operations reject keys that are shorter than the minimum required length. This ensures the integrity of the message authentication code meets FIPS security strength requirements.

Verify Default KeyStore type is BCFKS for TLS 1.043s

Ensures that BCFKS is mandated as the default KeyStore type for JSSE operations. This prevents the accidental use of non-compliant storage formats like JKS or PKCS12 for managing trusted certificates.

Verify ECDH Key Agreement using P-256 2.12s

Validates the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol. This confirms that the environment can securely establish shared secrets using approved elliptic curve primitives.

Verify DES is strictly rejected 1.863s

Ensures that the legacy DES (Data Encryption Standard) algorithm is rejected. FIPS mode prohibits weak block ciphers with 56-bit keys to prevent brute-force vulnerabilities.

Verify TLS 1.0/1.1 are strictly rejected in FIPS Mode 2.626s

Ensures that legacy protocols such as TLS 1.0 and TLS 1.1 are strictly prohibited. These versions are no longer compliant with FIPS 140-3 standards due to known cryptographic weaknesses and vulnerabilities.

Verify RSA 2048-bit Key Generation is allowed 2.343s

Validates the generation of 2048-bit RSA key pairs. This confirms the provider can create asymmetric keys that meet the minimum security strength requirements defined by FIPS 140-3.

Verify RC4 Cipher Suites are strictly rejected 2.45s

Verifies that RC4-based cipher suites are rejected at the JSSE level. RC4 is a broken stream cipher and is strictly prohibited in FIPS environments to maintain data confidentiality.

Verify MD5 is strictly rejected 1.982s

Verifies that the MD5 message digest algorithm is strictly prohibited. As a non-approved hash function in FIPS 140-3, any attempt to instantiate MD5 must result in a security exception.

Verify HMAC-SHA256 is allowed 2.047s

No description provided

Verify Non-NIST Curve (secp160r1) is rejected 1.985s

Ensures that only NIST-approved Elliptic Curves (e.g., P-256, P-384) are allowed. Attempts to use non-standard or custom curves must be rejected by the provider.

Verify 1024-bit RSA is rejected 1.9s

Validates the enforcement of minimum key lengths for RSA. FIPS 140-3 requires a minimum of 2048 bits; attempts to use 1024-bit or smaller keys must be blocked.

Verify RSA PKCS#1 v1.5 Encryption is rejected 2.198s

Verifies rejection of RSA PKCS#1 v1.5 padding for encryption. Under strict FIPS enforcement, modern and secure padding schemes like OAEP are required, and legacy schemes are disabled.

Verify MD4 is strictly rejected 2.006s

Confirms that the MD4 hash algorithm is completely disabled. MD4 is cryptographically broken and strictly forbidden in any FIPS-validated environment.

Verify SHA-1 Signature Generation is rejected 2.486s

Confirms that SHA-1 based digital signatures are rejected for creation. FIPS policy prohibits SHA-1 for digital signature generation due to collision risks.

Verify NULL Encryption Cipher Suites are rejected 2.562s

Confirms the total rejection of NULL cipher suites. Any attempt to establish a network connection without encryption is a severe security violation and is blocked by the FIPS boundary.

Verify SHA-256 is allowed by BCFIPS 1.877s

Ensures the SHA-256 hash algorithm is functioning correctly. SHA-256 is a core FIPS-approved primitive used for secure message digesting and integrity verification.

Verify TLS 1.3 Handshake using BCFIPS Provider 2.748s

Validates successful TLS 1.3 handshake using the Bouncy Castle JSSE provider. This confirms that modern, secure protocol standards are operational within the FIPS cryptographic boundary and utilize approved cipher suites.

Verify JVM starts strictly in FIPS Approved Mode 10.562s

Ensures the JVM is operating in a strict FIPS-approved state by verifying the 'org.bouncycastle.fips.approved_only' system property. This enforcement guarantees that any attempt to use non-FIPS compliant algorithms will be rejected at runtime.

Verify Triple-DES Encryption is rejected 1.992s

Verifies that Triple-DES (TDEA) encryption is prohibited. Following recent NIST guidance, 3DES is no longer an approved encryption algorithm due to its vulnerability to Sweet32 attacks.
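As an added illustration, and not the image's own test suite (whose source is not shown on this page), the following self-check mirrors several entries of the diagnostics log above: provider ordering, the approved_only property, the SecureRandom, SSLContext and KeyStore defaults, a few positive assertions (SHA-256, RSA-2048, AES-GCM, PBKDF2 with a 128-bit salt) and a few negative ones (MD5, DES, SHA1PRNG, RSA-1024, short PBKDF2 salt, short HMAC key). It assumes the bc-fips and bctls-fips jars listed in the SBOM are on the classpath and that the JVM is started with -Dorg.bouncycastle.fips.approved_only=true; the class name FipsSelfCheck, the labels and the sample inputs are constructed for this example, and the exact exception type BCFIPS raises for each refusal is treated as an assumption rather than taken from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Hypothetical self-check (assumption: not part of the image's test suite). Run with:
//   java -Dorg.bouncycastle.fips.approved_only=true -cp bc-fips.jar:bctls-fips.jar:. FipsSelfCheck
public class FipsSelfCheck {

    @FunctionalInterface
    interface CryptoAction { void run() throws Exception; }

    private static int failures = 0;

    static void check(String label, boolean ok) {
        if (!ok) failures++;
        System.out.println((ok ? "PASS" : "FAIL") + "  " + label);
    }

    // Positive assertion: an approved operation must complete without error.
    static void expectAllowed(String label, CryptoAction action) {
        try {
            action.run();
            check("allowed : " + label, true);
        } catch (Exception | FipsUnapprovedOperationError e) {
            check("allowed : " + label + " (" + e + ")", false);
        }
    }

    // Negative assertion: a non-approved operation must be refused. Assumption: BCFIPS signals
    // this as a checked GeneralSecurityException (NoSuchAlgorithmException, InvalidKeyException, ...),
    // an IllegalArgumentException (e.g. InvalidParameterException from a 1024-bit key size),
    // or FipsUnapprovedOperationError for approved-mode violations.
    static void expectRejected(String label, CryptoAction action) {
        try {
            action.run();
            check("rejected: " + label + " (operation succeeded)", false);
        } catch (GeneralSecurityException | IllegalArgumentException | FipsUnapprovedOperationError e) {
            check("rejected: " + label + " (" + e.getClass().getSimpleName() + ")", true);
        } catch (Exception e) {
            check("rejected: " + label + " (unexpected " + e + ")", false);
        }
    }

    public static void main(String[] args) throws Exception {
        // If java.security does not already install the providers, do it programmatically.
        if (Security.getProvider("BCFIPS") == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
            Security.insertProviderAt(new BouncyCastleJsseProvider("fips:BCFIPS"), 2);
        }

        // Provider chain, approved-only mode and JVM-wide defaults
        check("BCFIPS is the highest-priority provider", "BCFIPS".equals(Security.getProviders()[0].getName()));
        check("org.bouncycastle.fips.approved_only=true", Boolean.getBoolean("org.bouncycastle.fips.approved_only"));
        check("CryptoServicesRegistrar reports approved-only mode", CryptoServicesRegistrar.isInApprovedOnlyMode());
        check("default SecureRandom comes from BCFIPS", "BCFIPS".equals(new SecureRandom().getProvider().getName()));
        check("default SSLContext comes from BCJSSE", "BCJSSE".equals(SSLContext.getDefault().getProvider().getName()));
        check("default KeyStore type is BCFKS", "BCFKS".equalsIgnoreCase(KeyStore.getDefaultType()));

        // Positive assertions (approved primitives must work)
        expectAllowed("SHA-256", () -> MessageDigest.getInstance("SHA-256", "BCFIPS").digest(new byte[] {1, 2, 3}));
        expectAllowed("RSA 2048-bit key generation", () -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA", "BCFIPS");
            g.initialize(2048);
            g.generateKeyPair();
        });
        expectAllowed("AES-256-GCM round trip", () -> {
            KeyGenerator kg = KeyGenerator.getInstance("AES", "BCFIPS");
            kg.init(256);
            SecretKey key = kg.generateKey();
            byte[] plaintext = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding", "BCFIPS");
            enc.init(Cipher.ENCRYPT_MODE, key); // in approved mode the module generates the GCM IV itself
            byte[] ciphertext = enc.doFinal(plaintext);
            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding", "BCFIPS");
            dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, enc.getIV()));
            if (!Arrays.equals(plaintext, dec.doFinal(ciphertext))) throw new IllegalStateException("GCM round trip mismatch");
        });
        byte[] salt128 = new byte[16];
        new SecureRandom().nextBytes(salt128);
        expectAllowed("PBKDF2WithHmacSHA256 with 128-bit salt", () -> SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256", "BCFIPS")
            .generateSecret(new PBEKeySpec("constructed-sample-passphrase".toCharArray(), salt128, 10000, 256)));

        // Negative assertions (legacy or weak primitives that approved-only mode must refuse)
        expectRejected("MD5 digest", () -> MessageDigest.getInstance("MD5", "BCFIPS").digest(new byte[] {1}));
        expectRejected("DES cipher", () -> Cipher.getInstance("DES/CBC/PKCS5Padding", "BCFIPS"));
        expectRejected("SHA1PRNG", () -> SecureRandom.getInstance("SHA1PRNG", "BCFIPS"));
        expectRejected("RSA 1024-bit key generation", () -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA", "BCFIPS");
            g.initialize(1024);
            g.generateKeyPair();
        });
        expectRejected("PBKDF2 with 64-bit salt", () -> SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256", "BCFIPS")
            .generateSecret(new PBEKeySpec("constructed-sample-passphrase".toCharArray(), new byte[8], 10000, 256)));
        expectRejected("HMAC-SHA256 with 64-bit key", () -> {
            Mac mac = Mac.getInstance("HmacSHA256", "BCFIPS");
            mac.init(new SecretKeySpec(new byte[8], "HmacSHA256"));
        });

        System.out.println(failures == 0 ? "FIPS self-check passed" : failures + " FIPS self-check(s) failed");
        if (failures != 0) System.exit(1);
    }
}
```

Following the workflow diagram, the class would be compiled with the JDK variant and executed inside the JRE variant; a non-zero exit on any failed assertion lets a pipeline treat a missing provider, a missing approved_only flag, or an algorithm that unexpectedly succeeds as a blocking violation rather than a log line.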