DataDog · AlexeyKuznetsov-DD · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026 · Apr 1, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,10 +9,22 @@ on:
   schedule:
     - cron: '0 0 * * 0' 
   workflow_dispatch:
+    inputs:
+      run_amd64:
+        description: "Run the standard amd64 image build"
+        required: false
+        default: false
+        type: boolean
+      run_arm64:
+        description: "Run the experimental arm64 image build"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   build_push_check:
     name: Build docker image, publish it and run vuln scanner against it
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.run_amd64 == true }}
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -62,3 +74,54 @@ jobs:
         uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-results.sarif'
+
+  build_push_check_arm64:
+    name: Build arm64 docker image, publish it and run vuln scanner against it
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.run_arm64 == true }}
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+    runs-on: ubuntu-24.04-arm
+    environment:
+      name: ci-build
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up Docker Buildx
+        id: buildx-arm64
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # 4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false
+      - name: Build arm64 image
+        id: build-arm64
+        run: bash ./build-arm64
+      - name: Test arm64 image
+        run: bash ./build-arm64 --test
+      - name: Describe arm64 image
+        run: bash ./build-arm64 --describe >> $GITHUB_STEP_SUMMARY
+      - name: Push arm64 image
+        run: bash ./build-arm64 --push
+      - name: Run Trivy vulnerability scanner on arm64 image
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          image-ref: '${{ steps.build-arm64.outputs.LATEST_IMAGE_TAG }}'
+          format: 'sarif'
+          output: 'trivy-results-arm64.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+      - name: Upload Trivy arm64 scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        with:
+          sarif_file: 'trivy-results-arm64.sarif'
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
@@ -0,0 +1,41 @@
+# syntax=docker/dockerfile:1.6
+
+FROM ubuntu:24.04 AS default-jdk
+
+COPY --from=eclipse-temurin:8-jdk-noble /opt/java/openjdk /usr/lib/jvm/8
+COPY --from=eclipse-temurin:11-jdk-noble /opt/java/openjdk /usr/lib/jvm/11
+COPY --from=eclipse-temurin:17-jdk-noble /opt/java/openjdk /usr/lib/jvm/17
+COPY --from=eclipse-temurin:21-jdk-noble /opt/java/openjdk /usr/lib/jvm/21
+COPY --from=eclipse-temurin:25-jdk-noble /opt/java/openjdk /usr/lib/jvm/25
+
+RUN <<-EOT
+	set -eux
+	rm -rf \
+		/usr/lib/jvm/*/lib/src.zip \
+		/usr/lib/jvm/*/demo \
+		/usr/lib/jvm/*/sample
+EOT
+
+FROM ubuntu:24.04 AS base
+LABEL org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends git lsof \
+ && git config --system --add safe.directory "*" \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=default-jdk /usr/lib/jvm /usr/lib/jvm
+
+RUN groupadd --gid 1001 non-root-group \
+ && useradd --uid 1001 --gid non-root-group --create-home --shell /bin/bash non-root-user
+
+ENV JAVA_8_HOME=/usr/lib/jvm/8
+ENV JAVA_11_HOME=/usr/lib/jvm/11
+ENV JAVA_17_HOME=/usr/lib/jvm/17
+ENV JAVA_21_HOME=/usr/lib/jvm/21
+ENV JAVA_25_HOME=/usr/lib/jvm/25
+
+ENV JAVA_HOME=${JAVA_8_HOME}
+ENV PATH=${JAVA_HOME}/bin:${PATH}
+USER non-root-user
+WORKDIR /home/non-root-user
diff --git a/build-arm64 b/build-arm64
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+set -eu
+
+readonly IMAGE_NAME="ghcr.io/datadog/dd-trace-java-docker-build"
+
+function compute_metadata() {
+    GIT_BRANCH="${GITHUB_REF_NAME:-$(git branch --show-current)}"
+    readonly GIT_BRANCH="${GIT_BRANCH:-local}"
+    if [[ ${GIT_BRANCH} = master ]]; then
+        TAG_PREFIX=""
+    else
+        TAG_PREFIX="${GIT_BRANCH}-"
+        TAG_PREFIX="${TAG_PREFIX,,}"
+        TAG_PREFIX="${TAG_PREFIX//\//_}"
+    fi
+
+    BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+    GIT_HEAD_REF="$(git show-ref --head --hash ^HEAD)"
+}
+
+function image_name() {
+    echo -n "${IMAGE_NAME}:${TAG_PREFIX}arm64-base"
+}
+
+function docker_build() {
+    docker buildx build \
+        --platform linux/arm64 \
+        --label org.opencontainers.image.created="$BUILD_DATE" \
+        --label org.opencontainers.image.source=https://github.com/DataDog/dd-trace-java-docker-build \
+        --label org.opencontainers.image.revision="$GIT_HEAD_REF" \
+        --file Dockerfile.arm64 \
+        --target base \
+        --tag "$(image_name)" \
+        --load \
+        .
+}
+
+function do_build() {
+    compute_metadata
+    docker_build
+    if [ -n "${GITHUB_OUTPUT+unset}" ]; then
+        echo "LATEST_IMAGE_TAG=$(image_name)" >>"$GITHUB_OUTPUT"
+    fi
+}
+
+function do_test() {
+    local image
+    compute_metadata
+    image="$(image_name)"
+    docker run \
+        --platform linux/arm64 \
+        --rm \
+        "$image" \
+        bash -lc '
+            set -eux
+            "$JAVA_HOME/bin/java" -version
+            "$JAVA_8_HOME/bin/java" -version
+            "$JAVA_11_HOME/bin/java" -version
+            "$JAVA_17_HOME/bin/java" -version
+            "$JAVA_21_HOME/bin/java" -version
+            "$JAVA_25_HOME/bin/java" -version
+        '
+}
+
+function do_describe() {
+    local image
+    compute_metadata
+    image="$(image_name)"
+    docker run \
+        --platform linux/arm64 \
+        --rm \
+        "$image" \
+        bash -lc '
+            echo "# arm64 image"
+            echo
+            echo "## Operating System"
+            echo
+            . /etc/os-release
+            echo "* ${PRETTY_NAME}"
+            echo
+            echo "## Java Home"
+            echo
+            echo "* ${JAVA_HOME}"
+            echo
+            echo "## JDKs"
+            echo
+            for env_name in JAVA_8_HOME JAVA_11_HOME JAVA_17_HOME JAVA_21_HOME JAVA_25_HOME; do
+              echo "* ${env_name}"
+              printf '%s\n' '```'
+              "${!env_name}/bin/java" -version 2>&1
+              printf '%s\n' '```'
+              echo
+            done
+        '
+}
+
+function do_push() {
+    compute_metadata
+    docker push "$(image_name)"
+}
+
+if [[ -z ${1:-} ]]; then
+    do_build
+elif [[ ${1} = "--test" ]]; then
+    do_test
+elif [[ ${1} = "--describe" ]]; then
+    do_describe
+elif [[ ${1} = "--push" ]]; then
+    do_push
+else
+    echo "Unknown argument: ${1}" >&2
+    exit 1
+fi