PodArmor docs

Build images

Heavy CI build environments stripped to the minimum surface that mvn, npm and similar tools actually need.

PodArmor's build images are the FROM line for the builder stage of your CI's multi-stage Dockerfiles; our deploy images are the FROM line for the final stage. Build images are heavier than deploy images because they include the compiler toolchain (Maven, Gradle, npm), but every other unused package is purged.

How we strip the Debian base

The Debian trixie-slim base ships with apt, debconf, systemd libraries, util-linux, sqlite, ncurses, and a host of other packages that exist because Debian assumes you might want them. For a Maven build container, you don't:

  • apt + libapt-pkg7.0 + debian-archive-keyring + sqv + gpgv — no installs in the final image
  • libsystemd0 + libudev1 — no systemd integration in a container
  • util-linux + mount + bsdutils + libblkid1 + libmount1 + libuuid1 + libsmartcols1 + liblastlog2-2 + sysvinit-utils — no filesystem management
  • libsqlite3-0 — only liblastlog2-2 (purged above with util-linux) links against it; nothing in the toolchain does
  • ncurses-bin — no interactive TTY
  • libdb5.3t64 — Berkeley DB; nothing in the toolchain uses it

What survives because Java/Maven exercises it:

  • libc6 family (glibc)
  • coreutils, findutils, sed, grep, tar, gzip
  • dash, bash (mvn's wrapper script)
  • ca-certificates
  • libgcc-s1 (JVM runtime)

Net effect on a Maven 3.8.3 + Temurin 17 build image:

Metric                 Before purge   After purge   Reduction
Total CVEs (grype)     ~115           51            56%
Outstanding patches    10             10            unchanged (all are Maven JAR transitives)
dpkg packages          80             57            29%
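A check worth running in CI against the image you actually built (for example by dumping /var/lib/dpkg/status out of a container) is to confirm the purge took: every package on the list above is gone, nothing was merely removed rather than purged (a removed-but-not-purged package keeps a stanza with status "deinstall ok config-files" and its conffiles on disk), and the package count matches the table. The script below is an added example written for this page, not PodArmor's own tooling; the purge list is copied from the bullets above, the status-file format is stock dpkg, and SAMPLE_STATUS is constructed for the demonstration rather than taken from a real image.

```python
"""Audit a dpkg status database against the purge list above."""
import re

# Packages the page says are purged from the Maven build image.
PURGED = {
    "apt", "libapt-pkg7.0", "debian-archive-keyring", "sqv", "gpgv",
    "libsystemd0", "libudev1",
    "util-linux", "mount", "bsdutils", "libblkid1", "libmount1", "libuuid1",
    "libsmartcols1", "liblastlog2-2", "sysvinit-utils",
    "libsqlite3-0", "ncurses-bin", "libdb5.3t64",
}


def parse_status(text):
    """Yield (package, status) pairs from dpkg status-file text.

    Stanzas are separated by blank lines; each is a run of 'Field: value'
    lines, with continuation lines (long Descriptions) starting with a space.
    """
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():      # continuation of the previous field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            yield fields["Package"], fields.get("Status", "")


def audit(text, purged=PURGED):
    """Report installed count, purge-list survivors and half-removed packages."""
    installed = set()
    leftovers = []      # removed but not purged: stanza and conffiles remain
    for name, status in parse_status(text):
        if status == "install ok installed":
            installed.add(name)
        else:
            leftovers.append((name, status))
    return {
        "installed_count": len(installed),
        "still_installed": sorted(installed & purged),
        "leftovers": leftovers,
    }


def reduction_pct(before, after):
    """Percentage reduction, rounded the way the table above reports it."""
    return round(100 * (before - after) / before)


# Constructed sample (not a real image): three kept packages, one purge-list
# package that slipped through, and one package removed but not purged.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.41-1
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: coreutils
Status: install ok installed
Version: 9.7-1

Package: bash
Status: install ok installed
Version: 5.2.37-1

Package: libsqlite3-0
Status: install ok installed
Version: 3.46.1-1

Package: ncurses-bin
Status: deinstall ok config-files
Version: 6.5-1
"""

if __name__ == "__main__":
    report = audit(SAMPLE_STATUS)
    print(report)
    print("dpkg package reduction vs trixie-slim:",
          reduction_pct(80, report["installed_count"]), "%")
```

Against a real image, feed the script the status file from a container built from your overlay; any entry in still_installed or leftovers is a purge that did not happen, and the leftovers case is the one a plain package count misses.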

The remaining CVEs are mostly the glibc family (which can't be purged) plus the Maven JAR transitives shipped inside Maven 3.8.3's lib/ directory — those are addressable by either swapping the JARs in-place or bumping to a newer Maven minor.

When to add packages back

If your build genuinely needs git (e.g. for SCM-tagged Maven plugins) or another package, the right place is a customer overlay image that uses our build image as its FROM. Because apt is purged from the base, the overlay cannot apt-get install directly: stage the .debs in a stock trixie-slim stage, pointing apt at our image's dpkg status so it resolves dependencies against what is actually installed (nothing the package needs gets left out), then install them with dpkg, which is not on the purge list:

FROM <your-registry>/maven-jdk17:3.8.3-r1 AS base

FROM debian:trixie-slim AS debs
COPY --from=base /var/lib/dpkg/status /tmp/status
RUN apt-get update && apt-get install -y --download-only --no-install-recommends \
        -o Dir::State::status=/tmp/status git

FROM base
USER root
COPY --from=debs /var/cache/apt/archives/*.deb /tmp/debs/
RUN dpkg -i /tmp/debs/*.deb && rm -rf /tmp/debs
USER 65532:65532

(Note: this re-introduces the package and its transitive deps (and apt itself, if you reinstall that rather than staging .debs), all of which will show up in your overlay's CVE count. That's the cost; you've made an informed trade. The OS surface in our base image stays minimal so other customers who don't need git aren't carrying it.)

You can also file a feature request via the portal's "Send feedback / request" menu — if multiple customers need the same package, we'll ship it as a first-class catalog variant.
