{"id":49332387,"url":"https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny","last_synced_at":"2026-04-26T23:02:37.238Z","repository":{"id":348119000,"uuid":"1196575660","full_name":"patbaumgartner/distroless-buildpack-builder-java-tiny","owner":"patbaumgartner","description":"A Cloud Native Buildpacks builder using Google Distroless run images, optimised for Java (JVM and Native Image)","archived":false,"fork":false,"pushed_at":"2026-04-13T02:48:30.000Z","size":65,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T04:25:25.411Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patbaumgartner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T20:41:55.000Z","updated_at":"2026-04-13T02:48:27.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny","commit_stats":null,"previous_names":["patbaumgartner/distroless-buildpack-builder-java-tiny"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/patbaumgartner/distroless-buildpack-builder-java-tiny","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder-java-tiny","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder-java-tiny/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder-java-tiny/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder-java-tiny/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patbaumgartner","download_url":"https://codeload.github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patbaumgartner%2Fdistroless-buildpack-builder-java-tiny/sbom","scorecard":{"id":1245968,"data":{"date":"2026-04-13T02:48:34Z","repo":{"name":"github.com/patbaumgartner/distroless-buildpack-builder-java-tiny","commit":"4674b3ad5e6b6a7ba6e018728c47cad90bf61416"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":7,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/4 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1","Info: detected update tool: RenovateBot: renovate.json5:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:99","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:232","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:28","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/openrewrite.yml:81","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:19","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:74","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:106","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:150","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:61","Info: topLevel 'contents' permission set to 'read': .github/workflows/benchmark.yml:27","Info: topLevel 'packages' permission set to 'read': .github/workflows/benchmark.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-and-push.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/openrewrite.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/quality-gates.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/security-scan.yml:20","Info: topLevel 'packages' permission set to 'read': .github/workflows/security-scan.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:13","Info: topLevel 'packages' permission set to 'read': .github/workflows/test.yml:14"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: downloadThenRun not pinned by hash: .github/workflows/quality-gates.yml:36","Info:  42 out of  42 GitHub-owned GitHubAction dependencies pinned","Info:  42 out of  42 third-party GitHubAction dependencies pinned","Info:   4 out of   4 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: Hadolint","Info: SAST configuration detected: Hadolint","Info: all commits (10) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-and-push.yml:23"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: found contributions from: 42talents, 42talents gmbh, socrates-ch"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"5 out of 5 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-24j9-x2wg-9qv6","Warn: Project is vulnerable to: GHSA-69r9-qgr7-g2wj","Warn: Project is vulnerable to: GHSA-rv64-5gf8-9qq8","Warn: Project is vulnerable to: GHSA-x4m4-345f-5h5g","Warn: Project is vulnerable to: GHSA-2m67-wjpj-xhg9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-13T04:26:13.143Z","repository_id":348119000,"created_at":"2026-04-13T04:26:13.144Z","updated_at":"2026-04-13T04:26:13.144Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32315712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T21:09:39.134Z","status":"ssl_error","status_checked_at":"2026-04-26T21:09:21.240Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-26T23:02:36.400Z","updated_at":"2026-04-26T23:02:37.220Z","avatar_url":"https://github.com/patbaumgartner.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# distroless-buildpack-builder-java-tiny\n\n[![Build and Push](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/build-and-push.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/build-and-push.yml)\n[![Integration Tests](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/test.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/test.yml)\n[![Quality Gates](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/quality-gates.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/quality-gates.yml)\n[![Security Scan](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/security-scan.yml/badge.svg)](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/actions/workflows/security-scan.yml)\n\nA [Cloud Native Buildpacks](https://buildpacks.io) builder optimised for **Java** (JVM and GraalVM Native Image) that produces minimal, secure application images using [Google Distroless](https://github.com/GoogleContainerTools/distroless) as the runtime base.\n\nInspired by the `paketo-buildpacks/builder-jammy-tiny` philosophy: only the dependencies that Java actually needs, nothing more.\n\n| Component | Base image | Purpose |\n|-----------|-----------|---------|\n| **Build stack** | `ubuntu:24.04` | Full toolchain for compiling Java apps |\n| **Run stack** | `gcr.io/distroless/cc:nonroot` | Minimal, shell-free Java runtime |\n| **Builder** | CNB lifecycle + Paketo Java Buildpacks | Orchestrates builds |\n\nThe run image has **no shell, no package manager, no debug tools** — drastically reducing the attack surface of every Java container built with this builder.\n\n## Supported Languages\n\n| Language | Buildpack |\n|----------|-----------|\n| Java / Spring Boot | `paketo-buildpacks/java` |\n| Java Native Image (GraalVM) | `paketo-buildpacks/java-native-image` |\n\n## Quick Start\n\n**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) ≥ 20.10, [pack CLI](https://buildpacks.io/docs/tools/pack/) ≥ 0.33\n\n```bash\npack build my-java-app \\\n  --builder ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest \\\n  --path ./my-java-app\n```\n\n### Set as default builder\n\n```bash\npack config default-builder ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest\npack build my-java-app\n```\n\n### Spring Boot with Maven\n\nConfigure once in `pom.xml`:\n\n```xml\n\u003cplugin\u003e\n  \u003cgroupId\u003eorg.springframework.boot\u003c/groupId\u003e\n  \u003cartifactId\u003espring-boot-maven-plugin\u003c/artifactId\u003e\n  \u003cconfiguration\u003e\n    \u003cimage\u003e\n      \u003cbuilder\u003eghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest\u003c/builder\u003e\n      \u003cpullPolicy\u003eIF_NOT_PRESENT\u003c/pullPolicy\u003e\n      \u003cenv\u003e\n        \u003cBP_JVM_JLINK_ENABLED\u003etrue\u003c/BP_JVM_JLINK_ENABLED\u003e\n      \u003c/env\u003e\n    \u003c/image\u003e\n  \u003c/configuration\u003e\n\u003c/plugin\u003e\n```\n\nThen build:\n\n```bash\nmvn spring-boot:build-image\n\n# or override the builder without changing pom.xml:\nmvn spring-boot:build-image \\\n  -Dspring-boot.build-image.builder=ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest\n```\n\n## Images\n\nImages are published to **GHCR** on every push to `main` and on version tags. The run image is also rebuilt nightly to pick up base image security patches. GHCR images include [SLSA](https://slsa.dev/) build provenance attestations.\n\n| Image | Registry |\n|-------|----------|\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny` | GHCR |\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny/build` | GHCR |\n| `ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny/run` | GHCR |\n\n## Building Locally\n\n**Prerequisites:** Docker with buildx, pack CLI, `make`\n\n```bash\nmake build-stack    # Build + push multi-arch stack images (amd64, arm64)\nmake build-builder  # Assemble the CNB builder image\nmake test           # Run smoke + integration tests\nmake test-smoke     # Run smoke tests only (fast)\n```\n\n\u003e **Note:** `make build-stack` uses `docker buildx build --push` to produce multi-arch images (`linux/amd64` + `linux/arm64`). It pushes directly to the registry — local loading of multi-platform images is not supported by Docker. Set `PLATFORMS=linux/amd64` to restrict to a single architecture.\n\n## Sample Applications\n\nAll samples in `samples/` expose `/` and `/health` on port `8080`.\n\n| Sample | Language |\n|--------|----------|\n| `samples/java` | Java 25 / Spring Boot |\n| `samples/java-native-image` | Java 25 / GraalVM Native Image |\n\nBuild a sample:\n\n```bash\npack build my-app \\\n  --path ./samples/java \\\n  --builder ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest\n```\n\n## Repository Structure\n\n```text\n├── builder.toml              # CNB builder configuration\n├── Makefile                  # Local build automation\n├── openrewrite/rewrite.yml   # Shared OpenRewrite recipes\n├── benchmarks/budgets.json   # Performance SLO budgets\n├── stack/\n│   ├── build/Dockerfile      # Build stack (Ubuntu 24.04)\n│   └── run/Dockerfile        # Run stack (Google Distroless)\n├── samples/\n│   ├── java/                 # Spring Boot (JVM)\n│   └── java-native-image/    # Spring Boot (GraalVM Native Image)\n├── tests/\n│   ├── integration/          # End-to-end builder tests\n│   └── smoke/                # Fast label + config validation\n└── .github/\n    ├── dependabot.yml\n    └── workflows/\n        ├── build-and-push.yml\n        ├── test.yml\n        ├── quality-gates.yml\n        ├── security-scan.yml\n        ├── scorecard.yml\n        ├── benchmark.yml\n        ├── openrewrite.yml\n        ├── dependency-policy-review.yml\n        └── release.yml\n```\n\n## CI/CD\n\n| Workflow | Trigger | Description |\n|----------|---------|-------------|\n| **Build and Push** | push to `main`, version tags | Build stack images + builder, push to GHCR |\n| **Integration Tests** | push, pull_request | Smoke tests → integration tests (pack + mvn) |\n| **Quality Gates** | push, pull_request | ShellCheck, actionlint, markdownlint, OpenRewrite, Checkstyle, tests |\n| **Security Scan** | push, pull_request, weekly | Hadolint, Trivy filesystem + image scans |\n| **OSSF Scorecard** | push to `main`, weekly | Supply-chain security posture analysis |\n| **Benchmark** | after Build and Push, weekly | Build times, image sizes, runtime metrics |\n| **OpenRewrite** | monthly, manual | Auto-apply code cleanup recipes, create PRs |\n| **Dependency Policy Review** | quarterly, manual | Governance audit checklist |\n| **Release** | version tags (`v*`) | GitHub Release with pull instructions |\n\n## Quality Contract\n\nEvery pull request must pass the checks below. Each check exists for a single, specific reason — there is no overlap.\n\n| Check | Workflow | What it proves |\n|-------|----------|----------------|\n| ShellCheck | Quality Gates | Shell scripts follow best practices and avoid common bugs |\n| actionlint | Quality Gates | GitHub Actions workflow syntax is valid |\n| markdownlint | Quality Gates | Documentation formatting is consistent |\n| OpenRewrite dry-run | Quality Gates | Code matches the shared cleanup recipe (no uncommitted rewrites) |\n| Checkstyle | Quality Gates | Java source follows Google style conventions |\n| Unit tests (`mvn test`) | Quality Gates | Sample endpoint contracts (`/` and `/health`) hold |\n| Hadolint | Security Scan | Dockerfiles follow best-practice lint rules |\n| Trivy (filesystem + image) | Security Scan | No known CVEs in dependencies or built images |\n| Smoke tests | Integration Tests | Stack image labels, UIDs, and `builder.toml` structure are correct |\n| Integration tests | Integration Tests | Builder produces a runnable container that responds on `/` |\n\nIf a check does not appear in this table, it should not be in CI. If a claim appears in documentation, it should map to one of these checks.\n\n## Security\n\nThe run image (`gcr.io/distroless/cc:nonroot`) provides:\n\n- No shell — attackers cannot execute shell commands\n- No package manager — nothing installable at runtime\n- Non-root user (uid 1002) by default\n- C++ runtime (`libstdc++`, `libgcc`) included for JVM and native binary support\n\nAutomated scanning on every push:\n\n- **Trivy** — CVE scanning of container images and filesystem\n- **Hadolint** — Dockerfile best-practice linting\n- **OSSF Scorecard** — Supply-chain security posture (weekly)\n\nSARIF reports are published to the [Security tab](https://github.com/patbaumgartner/distroless-buildpack-builder-java-tiny/security/code-scanning).\n\nSee [SECURITY.md](SECURITY.md) for the vulnerability disclosure policy.\n\n## Should I Use This Builder?\n\n| Scenario | Recommendation |\n|----------|---------------|\n| Spring Boot REST API / microservice | **Yes** — ideal workload, minimal footprint |\n| Spring Boot with GraalVM Native Image | **Yes** — fastest startup, smallest image |\n| App that needs outbound HTTPS/TLS calls via system SSL | **No** — the run image strips OpenSSL and CA certificates; the JVM's built-in TLS stack works, but Native Image binaries linking against system `libssl` will fail |\n| App that writes to the local filesystem at runtime | **Caution** — limited writable paths; design for stateless operation |\n| App that requires a shell for debugging or exec-ing into the container | **No** — the run image has no shell by design |\n| Non-Java workloads (Go, Rust, Node.js) | **No** — this builder only ships Java and Java Native Image buildpacks |\n\n### Workload Compatibility\n\nThe trimmed run image includes `glibc`, `libstdc++`, and `libgcc_s` — enough for the JVM and ahead-of-time compiled Native Image binaries. The following components are **intentionally removed** to minimise size and attack surface:\n\n- OpenSSL (`libssl3`, `libcrypto3`) and CA certificates\n- `libgomp`, `libitm`, `libatomic`\n- Full timezone database (only UTC is included; Java uses its own bundled TZDB)\n\nIf your workload depends on system-level TLS or these libraries, use the standard `paketobuildpacks/builder-jammy-tiny` builder instead, or open a feature request for a TLS-compatible run image variant.\n\n## Cost and Capacity\n\nOne key benefit of smaller, distroless images is **lower infrastructure cost**. Here's how to measure and act on it:\n\n### Key Metrics to Monitor\n\n| Metric | What to watch | Action threshold |\n|--------|--------------|-----------------|\n| **Image size** | Compressed pull size (check `docker manifest inspect`) | Alert if \u003e50% larger than baseline |\n| **Container RSS** | Resident Set Size via `docker stats` or Prometheus `container_memory_rss` | Alert if steady-state exceeds requested memory ×0.8 |\n| **JVM heap** | `-XX:MaxRAMPercentage` (default 25%) of container memory limit | Tune if GC pause time or OOM kills increase |\n| **Startup time** | Time from container start to first HTTP 200 on `/health` | JVM: \u003c10s, Native Image: \u003c1s |\n| **CPU throttling** | `container_cpu_cfs_throttled_seconds_total` in Prometheus | Increase CPU limit or optimise hot paths |\n| **Image pull time** | CI or Kubernetes pull duration | Smaller images = faster rollouts and autoscaling |\n\n### Sizing Guidance\n\n| Mode | Suggested starting limits | Expected image size |\n|------|--------------------------|-------------------|\n| JVM (jlink) | 512 Mi memory, 500m CPU | ~100–140 MB |\n| Native Image | 128 Mi memory, 250m CPU | ~80–120 MB |\n\n### When Your App Gets Expensive\n\nIf you notice resource consumption growing over time:\n\n1. **Check for memory leaks** — compare heap dumps across releases\n2. **Review dependency growth** — new libraries add startup time and memory; use `mvn dependency:tree` to audit\n3. **Profile GC behaviour** — switch to ZGC or Shenandoah if pause times matter\n4. **Consider Native Image** — for workloads where startup time and baseline memory dominate cost\n5. **Track image size in CI** — the Benchmark workflow already does this; set an alert threshold\n\n### Reproducing Benchmarks Locally\n\n```bash\n# Build-time benchmark (3 iterations)\nfor i in 1 2 3; do\n  time pack build bench-app \\\n    --path ./samples/java \\\n    --builder ghcr.io/patbaumgartner/distroless-buildpack-builder-java-tiny:latest \\\n    --clear-cache\ndone\n\n# Image size comparison\ndocker images --format '{{.Repository}}:{{.Tag}} {{.Size}}' | grep bench-app\n```\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## Engineering Review\n\nAn in-depth software craftsmanship review of this repository is available at\n[docs/REPOSITORY_REVIEW.md](docs/REPOSITORY_REVIEW.md).\n\n## Code of Conduct\n\nSee [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).\n\n## Support\n\nSee [SUPPORT.md](SUPPORT.md).\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder-java-tiny","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder-java-tiny","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatbaumgartner%2Fdistroless-buildpack-builder-java-tiny/lists"}