Releases: taha2samy/java_buildpack_wolfi
Release list
v1.0.1: Integrated Dynamic Memory Calculator & FIPS Hardening
We are excited to release v1.0.1, which introduces a major architectural upgrade: a native dynamic memory calculator running during the container startup phase via exec.d. This feature brings full parity with Paketo's memory calculation behavior while strictly preserving FIPS 140-3 cryptographic modules.
What's New in v1.0.1?
Integrated Dynamic Memory Calculator
- Developed and compiled a dedicated
java-memory-calculatorutility using PyInstaller. - Automatically executes during the CNB launch phase (
exec.d). - Dynamically reads the container's active
cgroupsmemory limits (such as-m 512mor-m 1024m). - Calculates and injects exact JVM heap values (
-Xmxand-Xms), eliminating the legacy-XX:MaxRAMPercentagefallback configs.
Full JDK Mode FIPS Hardening
- Ported BouncyCastle FIPS libraries, truststore conversions (
BCFKS), and security provider constraints to the JDK runtime mode (BP_JVM_TYPE=JDK). - Full parity of observability options (NMT, JMX, Debugging, JFR) across both JDK and JRE runtime phases.
Build Toolchain & System Fixes
- Resolved PyInstaller compilation issues inside the secure Wolfi builder image by installing
build-baseandposix-libc-utils(providinglddand GCC d
Hardened FIPS Java Buildpack v1.0.0
Hardened FIPS Java Buildpack v1.0.0
We are pleased to announce the first official release of the Hardened FIPS Java Buildpack (v1.0.0). This buildpack provides a highly secure Java Runtime Environment (JRE) designed for enterprise environments requiring strict FIPS 140-3 compliance, built on top of the hardened, minimal-vulnerability Wolfi OS (Distroless-style) base.
Key Features & Hardening
- FIPS 140-3 Compliance: Enforces BouncyCastle FIPS (
bc-fips,bcutil-fips,bctls-fips) as the primary security providers and disables non-approved cryptographic algorithms insidejava.security. - Minimal Attack Surface: Built on Chainguard's
wolfi-basewith zero known High/Critical vulnerabilities (CVEs) and stripped of shells (bash/sh) and development tools at runtime. - Non-Root Execution: Automatically configures container execution under a restricted, non-root user (
USER 1001). - Multi-Architecture Support: Fully compatible with both
linux/amd64andlinux/arm64platforms. - Enterprise Observability: Integrated support for Datadog, Azure Application Insights, Google Stackdriver, Java Memory Assistant, and Jattach.
Quick Start: Spring Boot Application Example
This example demonstrates how to package, compile, and run a Spring Boot 3.x web application using this custom FIPS builder.
1. Build the Spring Boot App
From your local terminal or CI/CD pipeline, run the pack command to build your application:
pack build my-fips-app \
--path ./3-sample-app \
--builder ghcr.io/taha2samy/java-fips-builder:latest \
--env BP_JVM_TYPE=JRE \
--env BP_JVM_VERSION=21💡 Pro-Tip (Java Version Detection):
The buildpack includes an automatic detection mechanism that reads your Java version directly from yourpom.xmlorbuild.gradleconfiguration. However, in complex, custom, or multi-module projects, this auto-detection can sometimes fail or fallback unexpectedly. For guaranteed stability, we highly recommend explicitly declaring your target Java version using the--env BP_JVM_VERSION=<version>flag (e.g.,21,17,11).
2. Run the Container
Start the containerized application. The JVM will automatically start in FIPS approved-only mode:
docker run -it --rm \
-p 8080:8080 \
-m 512m \
my-fips-app3. Verify FIPS Compliance
Our Spring Boot demo contains a security test endpoint (/test-fips) that attempts to generate an insecure 1024-bit RSA key (which is forbidden in FIPS Approved Mode).
Open your browser and navigate to:
http://localhost:8080/test-fips
Expected FIPS Enforcement Output:
SUCCESS: FIPS is strictly enforced. System blocked insecure RSA-1024 key generation. Error Type: FipsUnapprovedOperationError
If the JVM successfully blocks the weak key generation, your deployment is officially FIPS-secured.