
Java 25 LTS

linux/amd64 linux/arm64

Adoptium + Bouncy Castle + Wolfi OS
Adoptium Upstream Release Metadata
Source Property Value
Full Version 25.0.2+10-LTS
SemVer 25.0.2+10.0.LTS
Security Level psu-2
Upstream Update 2026-01-22T11:18:57Z
Distribution Eclipse Temurin by Adoptium

Full Development Suite

Security Policy: Comprehensive environment containing the JDK, shell, and package manager for building and debugging applications.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:25-jdk_standard

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:25.0.2+10_LTS-jdk_standard

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:483f7814465eadcbbe2e90f94e9baf9f7a81c6a83d6d52d0456968041c1b9be5

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:483f7814465eadcbbe2e90f94e9baf9f7a81c6a83d6d52d0456968041c1b9be5  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 46
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 46 analyzed packages.


Clean Security Signature

No active threats detected in the 46 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
apk-tools 2.14.10-r10 GPL-2.0-only System (Wolfi)
bash 5.3-r6 GPL-3.0-or-later System (Wolfi)
busybox 1.37.0-r54 GPL-2.0-only System (Wolfi)
ca-certificates 20251003-r4 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r4 MPL-2.0, MIT System (Wolfi)
curl 8.19.0-r0 MIT System (Wolfi)
cyrus-sasl 2.1.28-r46 BSD-3-Clause System (Wolfi)
gdbm 1.26-r2 GPL-3.0-or-later System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
heimdal-libs 7.8.0-r43 BSD-3-Clause System (Wolfi)
keyutils-libs 1.6.3-r38 GPL-2.0-or-later, LGPL-2.0-or-later System (Wolfi)
krb5-conf 1.0-r8 MIT System (Wolfi)
krb5-libs 1.22.2-r1 MIT System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libbrotlicommon1 1.2.0-r2 MIT System (Wolfi)
libbrotlidec1 1.2.0-r2 MIT System (Wolfi)
libcom_err 1.47.4-r1 GPL-2.0-or-later, LGPL-2.0-or-later, BSD-3-Clause, MIT System (Wolfi)
libcrypt1 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r3 Apache-2.0 System (Wolfi)
libcurl-openssl4 8.19.0-r0 MIT System (Wolfi)
libgcc 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libidn2 2.3.8-r4 GPL-2.0-or-later, LGPL-3.0-or-later System (Wolfi)
libldap 2.6.10-r5 OLDAP-2.8 System (Wolfi)
libnghttp2-14 1.68.0-r1 MIT System (Wolfi)
libpsl 0.21.5-r8 MIT System (Wolfi)
libssl3 3.6.1-r3 Apache-2.0 System (Wolfi)
libstdc++ 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libunistring 1.4.2-r0 GPL-2.0-or-later, LGPL-3.0-or-later System (Wolfi)
libverto 0.3.2-r7 MIT System (Wolfi)
libxcrypt 4.5.2-r2 GPL-2.0-or-later, LGPL-2.1-or-later System (Wolfi)
ncurses 6.6_p20251230-r6 MIT System (Wolfi)
ncurses-terminfo-base 6.6_p20251230-r6 MIT System (Wolfi)
nghttp3 1.15.0-r1 MIT System (Wolfi)
ngtcp2 1.21.0-r0 MIT System (Wolfi)
posix-libc-utils 2.43-r2 LGPL-2.1-or-later System (Wolfi)
posix-libc-utils-bin 2.43-r2 LGPL-2.1-or-later System (Wolfi)
readline 8.3-r1 GPL-3.0-or-later System (Wolfi)
sqlite-libs 3.51.1-r0 blessing System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r2 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime


Target: Java Development Kit (JDK)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Development Kit (JDK)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Development Kit (JDK) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.

Standard Production Runtime

Security Policy: Standard environment for running Java applications, equipped with a shell and system utilities for operational flexibility.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:25-jre_standard

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:25.0.2+10_LTS-jre_standard

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:05674e9b3058523630280a2f18963e5d8c6995e258f623195aeab78f7f2c9451

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:05674e9b3058523630280a2f18963e5d8c6995e258f623195aeab78f7f2c9451  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 25
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 25 analyzed packages.


Clean Security Signature

No active threats detected in the 25 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
apk-tools 2.14.10-r10 GPL-2.0-only System (Wolfi)
bash 5.3-r6 GPL-3.0-or-later System (Wolfi)
busybox 1.37.0-r54 GPL-2.0-only System (Wolfi)
ca-certificates 20251003-r4 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r4 MPL-2.0, MIT System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypt1 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r3 Apache-2.0 System (Wolfi)
libgcc 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libssl3 3.6.1-r3 Apache-2.0 System (Wolfi)
libstdc++ 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libxcrypt 4.5.2-r2 GPL-2.0-or-later, LGPL-2.1-or-later System (Wolfi)
ncurses 6.6_p20251230-r6 MIT System (Wolfi)
ncurses-terminfo-base 6.6_p20251230-r6 MIT System (Wolfi)
posix-libc-utils 2.43-r2 LGPL-2.1-or-later System (Wolfi)
posix-libc-utils-bin 2.43-r2 LGPL-2.1-or-later System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r2 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime


Target: Java Runtime Environment (JRE)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Runtime Environment (JRE)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Runtime Environment (JRE) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.

Hardened Production Runtime

Security Policy: Minimalist rootfs with zero shell and zero utilities, optimized for high-assurance production environments.

Artifact Registry

Pull by Version Tag

docker pull ghcr.io/taha2samy/java:25-jre_distroless

Pull by Floating Tag

docker pull ghcr.io/taha2samy/java:25.0.2+10_LTS-jre_distroless

Pull by Immutable Digest (Recommended)

docker pull ghcr.io/taha2samy/java@sha256:8245cdb58bc8c826334f36d28662dcbe28d87a67cb96ff9089370c6f74acbb31

Integrity Metadata: L3 Provenance | CycloneDX SBOM


Security & Compliance Reports

Target: ghcr.io/taha2samy/java@sha256:8245cdb58bc8c826334f36d28662dcbe28d87a67cb96ff9089370c6f74acbb31  |  Scanner: Trivy v0.69.3

  • Total CVEs Found --- 0
    Detected in Image Layers

  • Packages Analyzed --- 15
    Verified Dependencies

  • Critical / High --- 0
    Immediate Action

  • Medium / Low --- 0
    Risk Mitigation

Zero-CVE State Confirmed

Impeccable Security Posture: No known vulnerabilities were detected in the 15 analyzed packages.


Clean Security Signature

No active threats detected in the 15 analyzed components.

Software Bill of Materials (SBOM)

Component Name Version License Classification
ca-certificates 20251003-r4 MPL-2.0, MIT System (Wolfi)
ca-certificates-bundle 20251003-r4 MPL-2.0, MIT System (Wolfi)
glibc 2.43-r2 LGPL-2.1-or-later System (Wolfi)
glibc-locale-posix 2.43-r2 LGPL-2.1-or-later System (Wolfi)
ld-linux 2.43-r2 LGPL-2.1-or-later System (Wolfi)
libcrypto3 3.6.1-r3 Apache-2.0 System (Wolfi)
libgcc 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
libstdc++ 15.2.0-r11 GPL-3.0-or-later WITH GCC-exception-3.1 System (Wolfi)
tzdata 2026a-r0 CC-PDDC System (Wolfi)
wolfi-baselayout 20230201-r28 MIT System (Wolfi)
wolfi-keys 1-r13 MIT System (Wolfi)
zlib 1.3.2-r2 MPL-2.0, MIT System (Wolfi)
org.bouncycastle:bc-fips 2.1.2 Java Runtime
org.bouncycastle:bctls-fips 2.1.22 Java Runtime
org.bouncycastle:bcutil-fips 2.1.5 Java Runtime


Target: Java Runtime Environment (Distroless)  |  Profile: Level 1 - Container  |  Benchmark Ver: docker-cis-1.6.0

  • Automated Score --- 100%
    Based on 6 Automated Checks

  • Manual Review --- 6
    Requires Operational Audit

  • Blocking Failures --- 0
    Critical Config Errors

Operational Context Required

Automated checks passed. Manual controls (e.g., Content Trust) must be verified at the host level.

Detailed Audit Log

Status ID Control Description Severity
4.1 Ensure a user for the container has been created HIGH
4.4 Ensure images are scanned and rebuilt to include security patches CRITICAL
4.6 Ensure HEALTHCHECK instructions have been added to the container image LOW
4.7 Ensure update instructions are not used alone in the Dockerfile HIGH
4.9 Ensure COPY is used instead of ADD LOW
4.10 Ensure secrets are not stored in Dockerfiles CRITICAL

Manual Review Controls

Status ID Control Description Severity
4.2 Ensure that containers use only trusted base images (Manual) HIGH
4.3 Ensure unnecessary packages are not installed in the container (Manual) HIGH
4.5 Ensure Content trust for Docker is Enabled (Manual) LOW
4.8 Ensure setuid and setgid permissions are removed in the images (Manual) HIGH
4.11 Ensure only verified packages are installed (Manual) MEDIUM
4.12 Ensure all signed artifacts are validated (Manual) MEDIUM

Audit Legend:
Passed: Hardcoded configuration is correct.
Failed: Violation detected in image layers.
Manual: Host/Infrastructure level responsibility.

Scope: Java Runtime Environment (Distroless)  |  Guidance Ver: 1.0  |  Profile: Container Hardening

  • Image Adherence --- 100%
    Verified Configuration

  • Infrastructure Dependency --- 4
    Cluster-Level Controls

  • Actionable Violations --- Zero
    Direct Container Risks

Shared Responsibility Disclaimer

The NSA/CISA hardening guidance for Java Runtime Environment (Distroless) focuses on container-level security.
  • Image Scope: We enforce non-root users and file system integrity.
  • Cluster Scope: Infrastructure controls (e.g., NetworkPolicies, RBAC) must be applied by the Cluster Admin.

Control Matrix (Automated Checks)

ID Hardening Control Severity Audit Status
1.0 Non-root containers MEDIUM
1.1 Immutable container file systems LOW
1.2 Preventing privileged containers HIGH
1.3 Share containers process namespaces HIGH
1.4 Share host process namespaces HIGH
1.5 Use the host network HIGH
1.6 Run with root privileges or with root group membership LOW
1.7 Restricts escalation to root privileges MEDIUM
1.8 Sets the SELinux context of the container MEDIUM
1.9 Restrict a container's access to resources with AppArmor MEDIUM
1.10 Sets the seccomp profile used to sandbox containers LOW
1.11 Protecting Pod service account tokens MEDIUM
1.12 Namespace kube-system should not be used by users MEDIUM
2.0 Pod and/or namespace Selectors usage MEDIUM
4.0 Use ResourceQuota policies to limit resources MEDIUM
4.1 Use LimitRange policies to limit resources MEDIUM
5.1 Encrypt etcd communication CRITICAL
6.1 Check that encryption resource has been set CRITICAL
6.2 Check encryption provider CRITICAL
7.0 Make sure anonymous-auth is unset CRITICAL
7.1 Make sure --authorization-mode=RBAC CRITICAL
8.1 Audit log path is configured MEDIUM
8.2 Audit log aging MEDIUM

Cluster Admin Responsibility (Manual)

ID Hardening Control Severity Responsibility
3.0 Use CNI plugin that supports NetworkPolicy API (Manual) CRITICAL
5.0 Control plane disable insecure port (Manual) CRITICAL
6.0 Ensure kube config file permission (Manual) CRITICAL
8.0 Audit policy is configured (Manual) HIGH

Hardening Principles Applied:
1. Non-Root Execution: Container runs as a non-privileged user to limit exploit impact.
2. Verified Toolchain: All system components are sourced from the hardened Wolfi ecosystem.
3. SBOM Transparency: Full CycloneDX SBOM is provided for all included dependencies.


Enforcement Level: Restricted  |  Scope: Build Environment Isolation  |  K8s Ver: v1.24+

  • Policy Status --- READY
    SDK is Restricted-Capable

  • Rules Satisfied --- 17 / 17
    Baseline + Restricted Policies

  • Blocking Violations --- 0
    Must Resolve in Dockerfile

Secure Pipeline Ready

The variant satisfies all Static PSS Checks. It is safe to use as a CI/CD build agent in hardened, multi-tenant Kubernetes clusters.

Policy Enforcement Matrix

ID Restriction Rule Severity Static Audit
1 HostProcess HIGH
2 Host Namespaces HIGH
3 Privileged Containers HIGH
4 Capabilities MEDIUM
5 HostPath Volumes MEDIUM
6 host ports HIGH
7 AppArmor HIGH
8 SELinux MEDIUM
9 /proc Mount Type MEDIUM
10 Seccomp MEDIUM
11 Sysctls MEDIUM
12 Volume Types LOW
13 Privilege Escalation MEDIUM
14 Running as Non-root MEDIUM
15 Running as Non-root user LOW
16 Seccomp LOW
17 Capabilities LOW


Why This Matters:
1. Isolation: Prevents access to host network or sensitive kernel namespaces.
2. Least Privilege: Ensuring build agents run as non-root prevents "Escape-to-Host" attacks.
3. Consistency: Matches the security posture of the production Distroless image.


FIPS 140-3 Validation Tests

FIPS Compliant: Module BC-FJA is active and enforcing Approved Mode.

  • Total Tests --- 32
  • Passed --- 32
  • Failed --- 0
  • Time --- 62.43s


Our high-assurance validation lifecycle ensures every artifact meets uncompromising FIPS 140-3 standards. We compile our security suite using a trusted JDK before mounting it into a hardened, isolated JRE runtime. Within this boundary, Bouncy Castle FIPS is strictly injected and set to "Approved Only" mode to block legacy primitives. The engine then executes rigorous positive and negative assertions to verify cryptographic enforcement in real time. This continuous auditing provides a zero-trust foundation for your mission-critical Java workloads.


Cryptographic Testing Workflow

graph LR
    subgraph "Compilation Stage"
    A[Java Test Suite] -->|JDK javac| B(Validated Bytecode)
    end

    subgraph "Execution Boundary"
    B -->|Mount| C[Target JRE Image]
    D[BCFIPS Provider] -->|Inject| C
    E[Strict Policy] -->|approved_only=true| C
    end

    subgraph "Analysis"
    C -->|Run| F{Assert Security}
    F -->|Success| G[FIPS Verified]
    F -->|Violation| H[Security Breach]
    end

    style G fill:#00c853,color:#fff
    style H fill:#d50000,color:#fff
    style C stroke-width:4px


Diagnostics Log

Verify SHA-1 Signature Generation is rejected 1.914s

Confirms that SHA-1 based digital signatures are rejected for creation. FIPS policy prohibits SHA-1 for digital signature generation due to collision risks.

Verify RSA 2048-bit Key Generation is allowed 1.964s

Validates the generation of 2048-bit RSA key pairs. This confirms the provider can create asymmetric keys that meet the minimum security strength requirements defined by FIPS 140-3.

Verify PBKDF2 with short salt (<128 bits) is rejected 1.634s

Validates that PBKDF2 operations require a minimum salt length. FIPS standards enforce sufficient entropy in key derivation to protect against pre-computed dictionary attacks.

Verify 1024-bit DSA Key Generation is rejected 1.625s

Ensures that 1024-bit DSA keys are rejected. FIPS compliance mandates higher security strengths, effectively blocking legacy DSA parameters that do not meet the 112-bit security threshold.

Verify Anonymous Cipher Suites (DH_anon) are rejected 2.32s

Ensures that anonymous Diffie-Hellman cipher suites are disabled. These suites fail to provide server authentication and are explicitly forbidden in FIPS mode to prevent man-in-the-middle attacks.

Verify TLS 1.3 Handshake using BCFIPS Provider 2.263s

Validates successful TLS 1.3 handshake using the Bouncy Castle JSSE provider. This confirms that modern, secure protocol standards are operational within the FIPS cryptographic boundary and utilize approved cipher suites.

Verify RC4 Cipher Suites are strictly rejected 2.241s

Verifies that RC4-based cipher suites are rejected at the JSSE level. RC4 is a broken stream cipher and is strictly prohibited in FIPS environments to maintain data confidentiality.

Verify PBKDF2WithHmacSHA256 is allowed 1.633s

Ensures that PBKDF2 (Password-Based Key Derivation Function 2) is available. It verifies that secure cryptographic keys can be derived from passwords using FIPS-approved iteration and hashing methods.

Verify 1024-bit RSA is rejected 1.621s

Validates the enforcement of minimum key lengths for RSA. FIPS 140-3 requires a minimum of 2048 bits; attempts to use 1024-bit or smaller keys must be blocked.

Verify MD5 is strictly rejected 1.601s

Verifies that the MD5 message digest algorithm is strictly prohibited. As a non-approved hash function in FIPS 140-3, any attempt to instantiate MD5 must result in a security exception.

Verify NULL Encryption Cipher Suites are rejected 2.318s

Confirms the total rejection of NULL cipher suites. Any attempt to establish a network connection without encryption is a severe security violation and is blocked by the FIPS boundary.

Verify HMAC-SHA256 is allowed 1.64s

No description provided

Verify EC P-256 Key Generation is allowed 1.648s

Confirms successful generation of Elliptic Curve keys using the NIST P-256 curve. This curve is an approved standard for secure and efficient asymmetric cryptography in FIPS environments.

Verify SHA-256 is allowed by BCFIPS 1.597s

Ensures the SHA-256 hash algorithm is functioning correctly. SHA-256 is a core FIPS-approved primitive used for secure message digesting and integrity verification.

Verify BCFKS Keystore is allowed and functional 1.609s

Verifies that the Bouncy Castle FIPS KeyStore (BCFKS) is fully supported and operational. BCFKS is the mandated storage format for keys and certificates within a FIPS 140-3 environment to ensure the protection of sensitive security parameters using approved algorithms.

Verify JVM starts strictly in FIPS Approved Mode 7.849s

Ensures the JVM is operating in a strict FIPS-approved state by verifying the 'org.bouncycastle.fips.approved_only' system property. This enforcement guarantees that any attempt to use non-FIPS compliant algorithms will be rejected at runtime.

Verify SecureRandom uses FIPS-Approved DRBG 1.668s

Confirms that the default SecureRandom implementation utilizes the Bouncy Castle FIPS-approved DRBG (Deterministic Random Bit Generator). This ensures all entropy and random value generation within the JVM meets the strict NIST SP 800-90A security requirements.

Verify Default KeyStore type is BCFKS for TLS 0.872s

Ensures that BCFKS is mandated as the default KeyStore type for JSSE operations. This prevents the accidental use of non-compliant storage formats like JKS or PKCS12 for managing trusted certificates.

Verify JKS Keystore is strictly rejected in FIPS Mode 1.653s

Ensures that legacy Java KeyStore (JKS) files are strictly rejected at runtime. Blocking non-compliant keystore formats is a mandatory security control to prevent the accidental use of weak integrity checks and non-approved cryptographic primitives.

Verify AES-CBC with PKCS7 Padding 1.641s

Verifies that AES in Cipher Block Chaining (CBC) mode is available. CBC remains a FIPS-approved encryption mode for various legacy and standard interoperability requirements.

Verify Triple-DES Encryption is rejected 1.703s

Verifies that Triple-DES (TDEA) encryption is prohibited. Following recent NIST guidance, 3DES is no longer an approved encryption algorithm due to its vulnerability to Sweet32 attacks.

Verify ECDH Key Agreement using P-256 1.775s

Validates the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol. This confirms that the environment can securely establish shared secrets using approved elliptic curve primitives.

Verify RSA PKCS#1 v1.5 Encryption is rejected 1.777s

Verifies rejection of RSA PKCS#1 v1.5 padding for encryption. Under strict FIPS enforcement, modern and secure padding schemes like OAEP are required, and legacy schemes are disabled.

Verify TLS 1.0/1.1 are strictly rejected in FIPS Mode 2.091s

Ensures that legacy protocols such as TLS 1.0 and TLS 1.1 are strictly prohibited. These versions are no longer compliant with FIPS 140-3 standards due to known cryptographic weaknesses and vulnerabilities.

Verify DES is strictly rejected 1.583s

Ensures that the legacy DES (Data Encryption Standard) algorithm is rejected. FIPS mode prohibits weak block ciphers with 56-bit keys to prevent brute-force vulnerabilities.

Verify BCJSSE is the mandated SSLContext provider 2.126s

Validates that the default SSLContext is using the Bouncy Castle JSSE provider. This configuration ensures that all JVM-wide network operations utilize the FIPS-validated cryptographic module.

Verify SHA1PRNG is rejected by BCFIPS 1.643s

Ensures that the legacy SHA1PRNG algorithm is strictly prohibited and inaccessible through the BCFIPS provider. FIPS 140-3 standards mandate the use of stronger, approved DRBG mechanisms and forbid the use of non-compliant RNG algorithms.

Verify BouncyCastle FIPS is the primary security provider 1.743s

Checks the security provider chain to confirm that 'BCFIPS' is positioned at the highest priority. This configuration is critical to ensure the JVM uses the FIPS-validated cryptographic module for all operations and prevents accidental fallback to standard, non-certified providers.

Verify AES-GCM is allowed by BCFIPS 1.701s

Verifies that AES in Galois/Counter Mode (GCM) is available and operational. AES-GCM is a FIPS-approved authenticated encryption algorithm that provides both confidentiality and data integrity.

Verify Non-NIST Curve (secp160r1) is rejected 1.698s

Ensures that only NIST-approved Elliptic Curves (e.g., P-256, P-384) are allowed. Attempts to use non-standard or custom curves must be rejected by the provider.

Verify Short HMAC Key is rejected 1.616s

Checks that HMAC operations reject keys that are shorter than the minimum required length. This ensures the integrity of the message authentication code meets FIPS security strength requirements.

Verify MD4 is strictly rejected 1.66s

Confirms that the MD4 hash algorithm is completely disabled. MD4 is cryptographically broken and strictly forbidden in any FIPS-validated environment.