{"id":49332645,"url":"https://github.com/patbaumgartner/distroless-buildpack-builder","last_synced_at":"2026-04-26T23:03:51.141Z","repository":{"id":349198289,"uuid":"1195894321","full_name":"patbaumgartner/distroless-buildpack-builder","owner":"patbaumgartner","description":"A Cloud Native Buildpacks builder that produces minimal, secure application images using Google Distroless ","archived":false,"fork":false,"pushed_at":"2026-04-13T11:09:50.000Z","size":86,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T13:14:55.139Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://github.com/patbaumgartner/distroless-buildpack-builder","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patbaumgartner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T07:02:03.000Z","updated_at":"2026-04-13T11:09:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/patbaumgartner/distroless-buildpack-builder","commit_stats":null,"previous_names":["patbaumgartner/distroless-buildpack-builder"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/patbaumgartner/distroless-buildpack-builder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patbaumgartner","download_url":"https://codeload.github.com/patbaumgartner/distroless-buildpack-builder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder/sbom","scorecard":{"id":1245617,"data":{"date":"2026-04-04T20:31:50Z","repo":{"name":"github.com/patbaumgartner/distroless-buildpack-builder","commit":"f19ecdc54029fe2f40a42b0bddde12be46336aa7"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":6.4,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1","Info: detected update tool: RenovateBot: renovate.json5:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/1 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: Hadolint","Info: SAST configuration detected: Hadolint","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/benchmark.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:345: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/benchmark.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:481: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/benchmark.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-policy-review.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/dependency-policy-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/openrewrite.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/openrewrite.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/openrewrite.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/patbaumgartner/distroless-buildpack-builder/openrewrite.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/quality-gates.yml:54","Warn: pipCommand not pinned by hash: .github/workflows/quality-gates.yml:93","Warn: pipCommand not pinned by hash: .github/workflows/quality-gates.yml:94","Info:  38 out of  43 GitHub-owned GitHubAction dependencies pinned","Info:  40 out of  41 third-party GitHubAction dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   5 out of   5 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:99","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:232","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/openrewrite.yml:81","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release.yml:25","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:150","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:74","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:106","Info: topLevel 'contents' permission set to 'read': .github/workflows/benchmark.yml:27","Info: topLevel 'packages' permission set to 'read': .github/workflows/benchmark.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-policy-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/openrewrite.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/quality-gates.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:20","Info: topLevel 'packages' permission set to 'read': .github/workflows/security-scan.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:18","Info: topLevel 'packages' permission set to 'read': .github/workflows/test.yml:19"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-and-push.yml:23"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-2m67-wjpj-xhg9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-04T21:24:18.676Z","repository_id":349198289,"created_at":"2026-04-04T21:24:18.676Z","updated_at":"2026-04-04T21:24:18.676Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32315714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T21:09:39.134Z","status":"ssl_error","status_checked_at":"2026-04-26T21:09:21.240Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-26T23:03:50.335Z","updated_at":"2026-04-26T23:03:51.131Z","avatar_url":"https://github.com/patbaumgartner.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# distroless-buildpack-builder\n\n[![Build and Push](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/build-and-push.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/build-and-push.yml)\n[![Integration Tests](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/test.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/test.yml)\n[![Security Scan](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/security-scan.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder/actions/workflows/security-scan.yml)\n\nA [Cloud Native Buildpacks](https://buildpacks.io) builder that produces minimal, secure application images using [Google Distroless](https://github.com/GoogleContainerTools/distroless) as the runtime base, while supporting all major [Paketo Buildpacks](https://paketo.io) languages.\n\n| Component | Base image | Purpose |\n|-----------|-----------|---------|\n| **Build stack** | `ubuntu:24.04` | Full toolchain for compiling apps |\n| **Run stack** | `gcr.io/distroless/cc:nonroot` | Minimal, shell-free runtime |\n| **Builder** | CNB lifecycle + Paketo Buildpacks | Orchestrates builds |\n\nThe run image has **no shell, no package manager, no debug tools** — drastically reducing the attack surface of every application container built with this builder.\n\n## Supported Languages\n\n| Language | Buildpack |\n|----------|-----------|\n| Java / Spring Boot | `paketo-buildpacks/java` |\n| Java Native Image (GraalVM) | `paketo-buildpacks/java-native-image` |\n| Go | `paketo-buildpacks/go` |\n| Node.js | `paketo-buildpacks/nodejs` |\n| Python | `paketo-buildpacks/python` |\n| Ruby | `paketo-buildpacks/ruby` |\n| PHP | `paketo-buildpacks/php` |\n| .NET Core | `paketo-buildpacks/dotnet-core` |\n| Procfile | `paketo-buildpacks/procfile` |\n\n## Quick Start\n\n**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) ≥ 20.10, [pack CLI](https://buildpacks.io/docs/tools/pack/) ≥ 0.33\n\n```bash\npack build my-app \\\n  --builder ghcr.io/patbaumgartner/distroless-buildpack-builder:latest \\\n  --path ./my-app\n```\n\n### Set as default builder\n\n```bash\npack config default-builder ghcr.io/patbaumgartner/distroless-buildpack-builder:latest\npack build my-app\n```\n\n### Spring Boot with Maven\n\nConfigure once in `pom.xml`:\n\n```xml\n\u003cplugin\u003e\n  \u003cgroupId\u003eorg.springframework.boot\u003c/groupId\u003e\n  \u003cartifactId\u003espring-boot-maven-plugin\u003c/artifactId\u003e\n  \u003cconfiguration\u003e\n    \u003cimage\u003e\n      \u003cbuilder\u003eghcr.io/patbaumgartner/distroless-buildpack-builder:latest\u003c/builder\u003e\n      \u003cpullPolicy\u003eIF_NOT_PRESENT\u003c/pullPolicy\u003e\n    \u003c/image\u003e\n  \u003c/configuration\u003e\n\u003c/plugin\u003e\n```\n\nThen build:\n\n```bash\nmvn spring-boot:build-image\n\n# or override the builder without changing pom.xml:\nmvn spring-boot:build-image \\\n  -Dspring-boot.build-image.builder=ghcr.io/patbaumgartner/distroless-buildpack-builder:latest\n```\n\n## Images\n\nImages are published to **GHCR** on pushes to `main`, on version tags, and during scheduled refresh runs in CI. Pull requests execute build validation but do not publish images. Images include [SLSA](https://slsa.dev/) provenance attestations.\n\nOCI-attached SBOM/provenance manifests are disabled during stack-image `docker buildx` publish steps due to a known CNB manifest-selection compatibility issue in `pack`; however, SBOM artifacts are still generated separately with Syft in CI.\n\n| Image | Registry |\n|-------|----------|\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder` | GHCR |\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder/build` | GHCR |\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder/run` | GHCR |\n\n## Building Locally\n\n**Prerequisites:** Docker with buildx, pack CLI, `make`\n\n```bash\nmake build-stack    # Build + push multi-arch stack images (amd64, arm64)\nmake build-builder  # Assemble the CNB builder image\nmake test           # Run smoke + integration tests\nmake test-smoke     # Run smoke tests only (fast)\nmake test-integration # Run integration tests only\n```\n\nTo include Java samples in integration tests:\n\n```bash\nINCLUDE_JAVA=1 make test-integration\n```\n\n\u003e **Note:** `make build-stack` uses `docker buildx build --push` to produce multi-arch images (`linux/amd64` + `linux/arm64`). It pushes directly to the registry — local loading of multi-platform images is not supported by Docker. Set `PLATFORMS=linux/amd64` to restrict to a single architecture.\n\n## Sample Applications\n\nAll samples in `samples/` expose `/` and `/health` on port `8080`.\n\n| Sample | Language |\n|--------|----------|\n| `samples/nodejs` | Node.js (Express 5) |\n| `samples/go` | Go |\n| `samples/python` | Python (Flask) |\n| `samples/ruby` | Ruby (Sinatra) |\n| `samples/dotnet-core` | .NET (ASP.NET Core) |\n| `samples/php` | PHP |\n| `samples/web-servers` | Static (Nginx) |\n| `samples/java` | Java 25 / Spring Boot |\n| `samples/java-native-image` | Java 25 / GraalVM Native Image |\n\nBuild any sample:\n\n```bash\npack build my-app \\\n  --path ./samples/nodejs \\\n  --builder ghcr.io/patbaumgartner/distroless-buildpack-builder:latest\n```\n\n## Repository Structure\n\n```text\n├── builder.toml              # CNB builder configuration\n├── Makefile                  # Local build automation\n├── CODE_OF_CONDUCT.md        # Community behavior expectations\n├── SUPPORT.md                # Support and triage guidance\n├── benchmarks/\n│   └── budgets.json           # Build/runtime SLO budgets\n├── openrewrite/\n│   └── rewrite.yml            # Curated OpenRewrite recipe packs\n├── stack/\n│   ├── build/Dockerfile      # Build stack image (Ubuntu 24.04)\n│   └── run/Dockerfile        # Run stack image (Google Distroless)\n├── samples/                  # Ready-to-build sample apps per language\n├── tests/\n│   ├── integration/          # End-to-end builder tests\n│   └── smoke/                # Fast label + config validation\n└── .github/\n    ├── ISSUE_TEMPLATE/       # Bug report and feature request templates\n    ├── dependabot.yml        # Automated dependency updates\n    └── workflows/\n        ├── build-and-push.yml  # Build + push to GHCR\n        ├── test.yml            # Smoke + integration tests\n        ├── security-scan.yml   # Trivy CVE scan + Hadolint lint\n        ├── scorecard.yml       # OSSF Scorecard (weekly)\n        ├── benchmark.yml       # Build-time + runtime/startup/memory benchmarks\n        ├── quality-gates.yml   # Linting, static analysis, and Checkstyle\n        ├── openrewrite.yml     # OpenRewrite dry-run + scheduled modernization PRs\n        ├── dependency-policy-review.yml # Quarterly dependency policy review issue\n        └── release.yml         # GitHub releases on version tags\n```\n\n## CI/CD\n\n| Workflow | Trigger | Description |\n|----------|---------|-------------|\n| **Build and Push** | push to `main`, pull_request, version tags, daily | Build/validate stack images + builder; publish on non-PR events |\n| **Integration Tests** | push, pull_request | Smoke tests → integration tests (pack + mvn) |\n| **Security Scan** | push, pull_request, weekly | Trivy CVE scan (filesystem + stack images) + Hadolint Dockerfile lint |\n| **OSSF Scorecard** | push to `main`, weekly | Supply-chain security posture analysis |\n| **Benchmark** | after Build and Push, weekly | Build times + startup + memory + run image size SLOs |\n| **Quality Gates** | push, pull_request | Linting (ShellCheck, actionlint, markdownlint), sample static analysis, and Checkstyle |\n| **OpenRewrite** | push, pull_request, monthly | Java dry-run recipe checks + scheduled modernization PR |\n| **Dependency Policy Review** | quarterly | Opens governance checklist issue for dependency strategy review |\n| **Release** | version tags (`v*`) | GitHub Release with pull instructions |\n\n## Cost and Resource Efficiency\n\nTo detect when workloads become more expensive to run, CI enforces explicit budgets in `benchmarks/budgets.json`:\n\n- Build-time SLO per sample (seconds)\n- Runtime startup SLO per sample (seconds)\n- Runtime memory SLO per sample (MiB)\n- Maximum distroless run image size (MB)\n\nThe benchmark workflow persists machine-readable metric artifacts for each run, which enables trend analysis over time and early detection of resource-cost regressions.\n\n## Security\n\nThe run image (`gcr.io/distroless/cc:nonroot`) provides:\n\n- No shell — attackers cannot execute shell commands\n- No package manager — nothing installable at runtime\n- Non-root user (uid 1002) by default\n- C++ runtime (`libstdc++`, `libgcc`) included for Node.js and other C++ runtimes\n\nAutomated scanning on every push:\n\n- **Trivy** — CVE scanning of repository filesystem plus local build/run stack images\n- **Hadolint** — Dockerfile best-practice linting (blocking)\n- **Quality Gates** — blocking static-analysis checks across scripts, workflows, docs, and sample applications\n- **OSSF Scorecard** — Supply-chain security posture (weekly)\n\nSARIF reports are published to the [Security tab](https://github.com/patbaumgartner/distroless-buildpack-builder/security/code-scanning).\n\nSee [SECURITY.md](SECURITY.md) for the vulnerability disclosure policy.\n\n## In-Depth Engineering Review\n\nSee [docs/repository-review.md](docs/repository-review.md) for a full software-crafter review of architecture, quality gates, risk areas, and a prioritized technical improvement backlog.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder/lists"}