maven

Runtime · Build tool · standard · v3.9

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

JDK base with Apache Maven. Use it as the build stage for Maven projects, then run the jar on jre. Line 3.9.

Image

ghcr.io/quenchworks/images/maven:3.9

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

115.4 MB

SBOM packages

Last rebuilt

2026-06-15

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/maven:3.9

Or pull it directly

docker pull ghcr.io/quenchworks/images/maven:3.9

Version line: 3.9
Latest line: 3.9
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: Apache-2.0

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/maven:3.9 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/maven:3.9 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/maven:3.9 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Java app → Image source

Best-practice Dockerfile for 3.9

Resolve dependencies and package the jar with the maven image (local repository cached under /tmp/.m2), then run it on the slim jre base. The build tool and the dependency cache never ship.

ghcr.io/quenchworks/images/maven:3.9 115.4 MB rebuilt today 96 SBOM pkgs

1
# Build stage: resolve dependencies, then package the jar.
2
FROM ghcr.io/quenchworks/images/maven:3.9 AS build
3
USER root
4
WORKDIR /app
5
ENV MAVEN_OPTS=-Dmaven.repo.local=/tmp/.m2
6

7
COPY pom.xml ./
8
RUN ["mvn", "-B", "-Dmaven.repo.local=/tmp/.m2", "dependency:go-offline"]
9
COPY src ./src
10
RUN ["mvn", "-B", "-o", "-Dmaven.repo.local=/tmp/.m2", "package", "-DskipTests"]
11

12
# Runtime stage: run the jar on the slim JRE base, nonroot.
13
FROM ghcr.io/quenchworks/images/jre:21 AS runtime
14
WORKDIR /app
15
COPY --from=build /app/target/*.jar /app/app.jar
16
USER 1001
17
EXPOSE 8080
18
ENTRYPOINT ["java", "-Djava.io.tmpdir=/tmp", "-jar", "/app/app.jar"]

This Dockerfile is pinned to the 3.9 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Java app guide.

Upstream project: https://maven.apache.org