Build images
Heavy CI build environments stripped to the minimum surface that mvn, npm, etc. actually need.
PodArmor's build images are the second-stage FROM line for your CI's multi-stage Dockerfiles. They're heavier than our deploy images because they include the compiler toolchain (Maven, Gradle, npm) — but every other unused package is purged.
How we strip the Debian base
The Debian trixie-slim base ships with apt, debconf, systemd libraries, util-linux, sqlite, ncurses, and a host of other packages that exist because Debian assumes you might want them. For a Maven build container, you don't:
- `apt` + `libapt-pkg7.0` + `debian-archive-keyring` + `sqv` + `gpgv` — no installs in the final image
- `libsystemd0` + `libudev1` — no systemd integration in a container
- `util-linux` + `mount` + `bsdutils` + `libblkid1` + `libmount1` + `libuuid1` + `libsmartcols1` + `liblastlog2-2` + `sysvinit-utils` — no filesystem management
- `libsqlite3-0` — apt was the only thing using it
- `ncurses-bin` — no interactive TTY
- `libdb5.3t64` — Berkeley DB, apt-adjacent
What survives because Java/Maven exercises it:
- `libc6` family (glibc)
- `coreutils`, `findutils`, `sed`, `grep`, `tar`, `gzip`
- `dash`, `bash` (mvn's wrapper script)
- `ca-certificates`
- `libgcc-s1` (JVM runtime)
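A post-build check that turns the two lists above into something a CI job can assert on. This is an added example, not PodArmor's own tooling: it reads a dpkg package list (one name per line, as `dpkg-query -W -f '${Package}\n'` prints it), fails if any of the purged packages is still installed, fails if any expected survivor is missing (the purge went too far and `mvn` may break at runtime), and counts packages that are neither, as candidates for the next purge round. The package names are the ones listed on this page; the two sample lists at the bottom are constructed for illustration, not real image output.

```shell
#!/bin/sh
# Added example: deny-list / allow-list check for a purged Debian build image.
# Package names come from the page; sample inputs below are constructed.

# Packages that must NOT be present in the final build image.
PURGED_PKGS="apt libapt-pkg7.0 debian-archive-keyring sqv gpgv
libsystemd0 libudev1
util-linux mount bsdutils libblkid1 libmount1 libuuid1 libsmartcols1 liblastlog2-2 sysvinit-utils
libsqlite3-0 ncurses-bin libdb5.3t64"

# Packages expected to survive because Java/Maven exercises them.
# libc6 is a family on the page, so it is matched by prefix below.
SURVIVING_PKGS="coreutils findutils sed grep tar gzip dash bash ca-certificates libgcc-s1"

# check_purged <pkg-list-file>
# Prints every purged package that is still installed. Returns 1 if any is found.
check_purged() {
  rc=0
  for pkg in $PURGED_PKGS; do
    if grep -qx "$pkg" "$1"; then
      echo "PURGE VIOLATION: $pkg is still installed"
      rc=1
    fi
  done
  return $rc
}

# check_survivors <pkg-list-file>
# Prints every expected package that is missing. Returns 1 if any is missing.
check_survivors() {
  rc=0
  for pkg in $SURVIVING_PKGS; do
    if ! grep -qx "$pkg" "$1"; then
      echo "MISSING: $pkg was expected to survive"
      rc=1
    fi
  done
  if ! grep -q '^libc6' "$1"; then
    echo "MISSING: libc6 family"
    rc=1
  fi
  return $rc
}

# count_unexpected <pkg-list-file>
# Prints the number of installed packages that are neither expected survivors
# nor part of the libc6 family: the candidates for the next purge round.
count_unexpected() {
  n=0
  while IFS= read -r pkg; do
    case "$pkg" in
      "" | libc6*) continue ;;
    esac
    case " $SURVIVING_PKGS " in
      *" $pkg "*) continue ;;
    esac
    n=$((n + 1))
  done < "$1"
  echo "$n"
}

# --- constructed sample inputs (not real dpkg output) ---
SAMPLE_CLEAN=$(mktemp)
printf '%s\n' libc6 coreutils findutils sed grep tar gzip dash bash \
  ca-certificates libgcc-s1 > "$SAMPLE_CLEAN"

SAMPLE_DIRTY=$(mktemp)
printf '%s\n' libc6 coreutils findutils sed grep tar gzip dash bash \
  ca-certificates libgcc-s1 apt libsqlite3-0 libstdc++6 > "$SAMPLE_DIRTY"

# Real use inside the image under test:
#   dpkg-query -W -f '${Package}\n' > /tmp/pkgs.txt
#   check_purged /tmp/pkgs.txt && check_survivors /tmp/pkgs.txt
```

Run the two checks as a gate after the image build; `count_unexpected` is informational only, since a build image legitimately carries toolchain packages (the JDK, Maven) that are not on the survivor list.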
Net effect on a Maven 3.8.3 + Temurin 17 build image:
| Metric | Before purge | After purge | Reduction |
|---|---|---|---|
| Total CVEs (grype) | ~115 | 51 | 56% |
| Outstanding patches | 10 | 10 | (unchanged — these are Maven JAR transitives) |
| dpkg packages | 80 | 57 | 29% |
The remaining CVEs are mostly the glibc family (which can't be purged) plus the Maven JAR transitives shipped inside Maven 3.8.3's lib/ directory — those are addressable by either swapping the JARs in-place or bumping to a newer Maven minor.
When to add packages back
If your build genuinely needs git (e.g. for SCM-tagged Maven plugins) or another package, the right place is a customer overlay image that uses our build image as its FROM:
```dockerfile
FROM <your-registry>/maven-jdk17:3.8.3-r1
USER root
RUN apt-get update && apt-get install -y --no-install-recommends git \
 && rm -rf /var/lib/apt/lists/*
USER 65532:65532
```

(Note: this re-introduces apt + the package's transitive deps, which will show up in your overlay's CVE count. That's the cost; you've made an informed trade. The OS surface in our base image stays minimal so other customers who don't need git aren't carrying it.)
You can also file a feature request via the portal's "Send feedback / request" menu — if multiple customers need the same package, we'll ship it as a first-class catalog variant.