A suite of hardened, FIPS 140-3 compliant Java Container Images designed for mission-critical workloads. Built on the Wolfi OS (undistro) ecosystem and powered by Eclipse Temurin (Adoptium) binaries with Bouncy Castle FIPS integration.
This project implements a Hardened Cryptographic Boundary by overriding the default JVM security stack:
- Wolfi Base: Glibc-based zero-CVE foundation with minimal attack surface.
- Strict FIPS Enforcement: Bouncy Castle FIPS (BC-FJA) is injected as the primary security provider.
- Runtime Guardrails: System properties are locked at the JVM level (`approved_only=true`) to explicitly reject non-approved algorithms (MD5, DES, RSA < 2048).
- KeyStore Integrity: Automatic conversion of system `cacerts` to BCFKS (Bouncy Castle FIPS KeyStore) format.
- Supply Chain Security: SLSA Level 3 compliant pipeline with signed artifacts and full provenance.
We provide three tiers for every LTS version (8, 11, 17, 21, 25):
| Flavor | Description | Target Use-case |
|---|---|---|
| `jdk_standard` | Full SDK + Shell + Package Manager | CI/CD Build Stage |
| `jre_standard` | Optimized Runtime + Basic Shell | Production (Standard) |
| `jre_distroless` | No Shell / No APK / Non-Root | High-Security Production |
Every image version undergoes a rigorous automated test suite (32+ Assertions) covering:
- Positive Tests: TLS 1.3 connectivity, BCFKS loading, SHA-256/AES-GCM verification.
- Negative Tests: Verification that the boundary successfully blocks MD5, MD4, Triple-DES, and weak RSA keys.
Detailed compliance reports are available on our Security Dashboard.
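
A probe in the spirit of the positive and negative tests listed above, as an added example that is not the project's own test suite: it prints the provider order and reports whether each algorithm is accepted by whatever providers the running JVM has registered. The class name `FipsBoundaryProbe` and the constructed DES key are assumptions made for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (not project code): reports what the running JVM's JCA stack accepts.
public class FipsBoundaryProbe {
    interface Op { void run() throws Exception; }

    // A rejection may surface as an Exception or as an Error, so catch Throwable.
    static boolean allowed(String label, Op op) {
        try {
            op.run();
            System.out.println("ALLOWED  " + label);
            return true;
        } catch (Throwable t) {
            System.out.println("BLOCKED  " + label + " (" + t.getClass().getSimpleName() + ")");
            return false;
        }
    }

    public static void main(String[] args) {
        // Provider order decides which implementation an un-named getInstance() call gets.
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) System.out.println((i + 1) + ". " + ps[i].getName());

        // Constructed 8-byte DES key, used only to exercise Cipher.init.
        byte[] desKey = {0x13, 0x34, 0x57, 0x79, (byte) 0x9B, (byte) 0xBC, (byte) 0xDF, (byte) 0xF1};

        boolean weak = false;   // true if any algorithm the page lists as rejected still works
        weak |= allowed("MD5 digest", () -> MessageDigest.getInstance("MD5").digest(new byte[1]));
        weak |= allowed("DES encrypt", () -> Cipher.getInstance("DES/ECB/NoPadding")
                .init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desKey, "DES")));
        weak |= allowed("RSA-1024 keygen", () -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(1024);
            g.generateKeyPair();
        });

        boolean ok = true;      // false if an approved primitive or the BCFKS type is missing
        ok &= allowed("SHA-256 digest", () -> MessageDigest.getInstance("SHA-256").digest(new byte[1]));
        ok &= allowed("AES/GCM cipher", () -> Cipher.getInstance("AES/GCM/NoPadding"));
        ok &= allowed("BCFKS keystore type", () -> KeyStore.getInstance("BCFKS"));
        System.exit(weak || !ok ? 1 : 0);
    }
}
```

Compile it with the `jdk_standard` flavor and run the class on the runtime image; the exit code is non-zero if a weak algorithm is accepted or an approved primitive is missing.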
```bash
# Example: Pulling Java 21 Hardened Runtime
docker pull ghcr.io/taha2samy/java:21-jre_distroless
```

The ENTRYPOINT is pre-configured to `/opt/java/bin/java`. All security properties are injected via `JAVA_TOOL_OPTIONS`, requiring zero changes to your application code for FIPS enforcement.
- Documentation & Reports: https://taha2samy.github.io/openjdk/
- Registry: GitHub Container Registry