This repository maintains Organization’s Gold Standard Runtime Factory. It utilizes the Wolfi (Chainguard) ecosystem to dynamically compile, test, and cryptographically attest minimalist, high-performance runtimes for Java, Node.js, Python, and Go entirely from source.
| Runtime Factory | Build Status | Security Scan | Registry |
|---|---|---|---|
| Wolfi-Java (17/21/24/25) | | | Docker Hub |
| Wolfi-Node (20/22/24) | | | Docker Hub |
| Wolfi-Python | | | Docker Hub |
| Wolfi-Go | | | Docker Hub |
| Wolfi-Go-runtime | | | Docker Hub |
Audit Note: The Runtime Factory runs on a strictly pinned GitHub Actions pipeline engine. Every artifact it generates passes through the same verifiable chain: Local apko Build → Native Hardware Version Extraction → Trivy CVE Scan → Immutable Publish → Cosign Image Signing → SLSA Level 3 Provenance Attestation.
Unlike legacy standard images (e.g., openjdk:alpine or debian-slim), these images are engineered dynamically via infrastructure-as-code for a modern DevSecOps posture:
- Dynamic Version Discovery: Workflows natively fetch the upstream Wolfi package index daily and execute a dynamic build matrix (e.g., testing Java 17, 21, 24, and 25 matrix nodes automatically).
- Self-Healing Nightly Monitor: A central `nightly-monitor` workflow scans the live production containers. If an upstream CVE drops, it automatically triggers a repository dispatch to recompile and patch the affected runtime.
- SLSA Provenance (L3): In addition to Cosign signing, every multi-arch Docker artifact gets an attached cryptographic build-materials provenance mapping its origin directly back to the `factory-engine.yaml` GitHub workflow SHA block.
- Zero Known CVEs at build time: Maintained via continuous rolling updates and apko compilation.
- Performance: Built with `glibc` for superior execution speed over `musl`-based Alpine containers, while maintaining a 70% smaller footprint.
To use these hardened runtimes in your application, you do NOT need root execution.
```dockerfile
# --- Stage 1: Build (No Security Guarantees Needed) ---
FROM maven:3.9-eclipse-temurin-21-alpine AS build
WORKDIR /app
COPY . .
RUN mvn package -DskipTests

# --- Stage 2: Hardened Runtime ---
FROM kenzman/mpnt-wolfi-java:21
# Use home directory of pre-configured non-root 'appuser'
WORKDIR /home/appuser
# Copy the artifact from build stage
COPY --from=build /app/target/*.jar app.jar
# Application inherits the near 0-CVE OS and non-root execution context natively!
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
```

Every image compiled by the Runtime Factory is doubly attested. You can cryptographically verify the image on a local terminal before deployment using Sigstore's public good infrastructure.
Cosign signature (fill in your org and repo; the identity is matched as a regular expression):

```sh
cosign verify kenzman/mpnt-wolfi-java:21 \
  --certificate-identity-regexp "https://github.com/[your-org]/[your-repo]/.github/workflows/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```

GitHub attestation (SLSA provenance), via the GitHub CLI:

```sh
gh attestation verify oci://index.docker.io/kenzman/mpnt-wolfi-java:21 -o Ekene95
```

Validated on internal lab hardware:
| Metric | Result | Note |
|---|---|---|
| Idle Memory | 708 KiB | Ultra-lean footprint; minimal OS overhead |
| Startup (JIT Warmup) | <100ms | Verified with 50M parallel math operations |
| Disk Usage | 450 MB | Total uncompressed size (including JDK) |
| User Context | Non-Root | Verified execution as appuser (UID 1000) |
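To turn the Cosign verification above into a deployment gate, here is an added example (not the factory's own code) that reads the JSON `cosign verify` prints to stdout, keeps only signatures whose certificate came from GitHub's OIDC issuer and whose identity is the factory workflow, and requires that the digest you pin in your manifest is among the signed digests. The `your-org/your-repo` identity, the sample output and the digest are constructed placeholders.

```python
"""Deployment gate over the JSON that `cosign verify` prints to stdout.
Added example, not the factory's own code; the identity regexp and the
sample output below are constructed placeholders."""
import json
import re
import sys

# Expected signer: the factory workflow, with a cert issued via GitHub's OIDC
# provider.  Replace your-org/your-repo with the real values.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = re.compile(
    r"^https://github\.com/your-org/your-repo/\.github/workflows/"
    r"factory-engine\.yaml@refs/(heads/main|tags/v[0-9.]+)$"
)

# Constructed sample in the shape cosign emits (one object per signature).
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/kenzman/mpnt-wolfi-java"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/your-org/your-repo/.github/workflows/"
                   "factory-engine.yaml@refs/heads/main",
    },
}])

def signed_digests(cosign_json, issuer=EXPECTED_ISSUER, identity=EXPECTED_IDENTITY):
    """Manifest digests covered by a signature from the expected workflow."""
    digests = set()
    for entry in json.loads(cosign_json):
        opt = entry.get("optional") or {}
        if opt.get("Issuer") != issuer:
            continue  # cert from another OIDC provider
        if not identity.match(opt.get("Subject", "")):
            continue  # right issuer, but a fork, another workflow or an unexpected ref
        digests.add(entry["critical"]["image"]["docker-manifest-digest"])
    return digests

def gate(cosign_json, pinned_digest):
    """Allow only if the digest pinned in your manifest (not a mutable tag) is signed."""
    return pinned_digest in signed_digests(cosign_json)

if __name__ == "__main__":  # usage: cosign verify ... | python gate.py sha256:<digest>
    sys.exit(0 if gate(sys.stdin.read(), sys.argv[1]) else 1)
```

Pinning by digest matters because a tag like `:21` can be re-pointed; the gate passes only when the exact manifest you will run carries the factory's signature.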