Share feedback
Answers are generated based on the documentation.

Java

This example shows how to migrate a Java application to Docker Hardened Images.

The following examples show Dockerfiles before and after migration to Docker Hardened Images. Each example includes five variations:

  • Before (Ubuntu): A sample Dockerfile using Ubuntu-based images, before migrating to DHI
  • Before (Wolfi): A sample Dockerfile using Wolfi distribution images, before migrating to DHI
  • Before (DOI): A sample Dockerfile using Docker Official Images, before migrating to DHI
  • After (multi-stage): A sample Dockerfile after migrating to DHI with multi-stage builds (recommended for minimal, secure images)
  • After (single-stage): A sample Dockerfile after migrating to DHI with single-stage builds (simpler but results in a larger image with a broader attack surface)
Note

Multi-stage builds are recommended for most use cases. Single-stage builds are supported for simplicity, but come with tradeoffs in size and security.

You must authenticate to dhi.io before you can pull Docker Hardened Images. Use your Docker ID credentials (the same username and password you use for Docker Hub). If you don't have a Docker account, create one for free.

Run docker login dhi.io to authenticate.

#syntax=docker/dockerfile:1

FROM ubuntu:24.04 AS builder

WORKDIR /app
COPY . ./

RUN apt-get update && apt-get install -y default-jdk maven --no-install-recommends && rm -rf /var/lib/apt/lists/*

RUN mvn -B package -DskipTests

FROM ubuntu:24.04

RUN apt-get update && apt-get install -y default-jre --no-install-recommends && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY --from=builder /app/target/app.jar /app/app.jar

ENTRYPOINT ["java", "-jar", "/app/app.jar"]
#syntax=docker/dockerfile:1

FROM cgr.dev/chainguard/maven:latest-dev AS builder

WORKDIR /app
COPY . ./

# Install any additional packages if needed using apk
# RUN apk add --no-cache git

RUN mvn -B package -DskipTests

FROM cgr.dev/chainguard/jre:latest

WORKDIR /app
COPY --from=builder /app/target/app.jar /app/app.jar

ENTRYPOINT ["java", "-jar", "/app/app.jar"]
#syntax=docker/dockerfile:1

FROM maven:3.9-eclipse-temurin-21 AS builder

WORKDIR /app
COPY . ./

# Install any additional packages if needed using apt
# RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*

RUN mvn -B package -DskipTests

FROM eclipse-temurin:21-jre

WORKDIR /app
COPY --from=builder /app/target/app.jar /app/app.jar

ENTRYPOINT ["java", "-jar", "/app/app.jar"]
#syntax=docker/dockerfile:1

# === Build stage: Compile and package the Java application with Maven ===
FROM dhi.io/maven:3-jdk21-alpine3.22-dev AS builder

WORKDIR /app
COPY . ./

# Install any additional packages if needed using apk
# RUN apk add --no-cache git

RUN mvn -B package -DskipTests

# === Final stage: Create minimal runtime image ===
FROM dhi.io/eclipse-temurin:21-alpine3.22

WORKDIR /app
COPY --from=builder /app/target/app.jar /app/app.jar

ENTRYPOINT ["java", "-jar", "/app/app.jar"]
#syntax=docker/dockerfile:1

FROM dhi.io/maven:3-jdk21-alpine3.22-dev

WORKDIR /app
COPY . ./

# Install any additional packages if needed using apk
# RUN apk add --no-cache git

RUN mvn -B package -DskipTests

ENTRYPOINT ["java", "-jar", "/app/target/app.jar"]