jre

Runtime · Runtime base · standard · v25

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Java runtime (JRE) for running a built jar. Pair it with the jdk, maven, or gradle build image. LTS lines 17/21/25.

Version line

25 · latest 21 17

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/jre:25

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

87.1 MB

SBOM packages

Last rebuilt

2026-06-15

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/jre:25

Or pull it directly

docker pull ghcr.io/quenchworks/images/jre:25

Version line: 25
Latest line: 17, 21, 25
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: GPL-2.0-with-classpath-exception

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/jre:25 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/jre:25 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/jre:25 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Java app → Image source

Best-practice Dockerfile for 25

jre is a runtime base you copy a built jar onto, not something you compile in. Here the jar is packaged with the matching JDK in the build stage and the jre image is the final stage that runs it.

ghcr.io/quenchworks/images/jre:25 87.1 MB rebuilt today 37 SBOM pkgs

1
# Build stage: compile and package the jar with the full JDK.
2
FROM ghcr.io/quenchworks/images/jdk:25 AS build
3
USER root
4
WORKDIR /app
5
ENV MAVEN_OPTS=-Dmaven.repo.local=/tmp/.m2
6

7
COPY pom.xml ./
8
RUN ["./mvnw", "-B", "-Dmaven.repo.local=/tmp/.m2", "dependency:go-offline"]
9
COPY src ./src
10
RUN ["./mvnw", "-B", "-o", "-Dmaven.repo.local=/tmp/.m2", "package", "-DskipTests"]
11

12
# This image is the final runtime stage: run the jar, nonroot.
13
FROM ghcr.io/quenchworks/images/jre:25 AS runtime
14
WORKDIR /app
15
COPY --from=build /app/target/*.jar /app/app.jar
16
USER 1001
17
EXPOSE 8080
18
ENTRYPOINT ["java", "-Djava.io.tmpdir=/tmp", "-jar", "/app/app.jar"]

This Dockerfile is pinned to the 25 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Java app guide.

Upstream project: https://openjdk.org