diff --git a/jre/Dockerfile.22.04 b/jre/Dockerfile.22.04
index 04254c5..39d6aa5 100644
--- a/jre/Dockerfile.22.04
+++ b/jre/Dockerfile.22.04
@@ -18,6 +18,10 @@ RUN tar -xvf chisel.tar.gz -C /usr/bin/
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y ca-certificates \
 ca-certificates-java \
+ zstd \
+ jq \
+ media-types \
+ openjdk-8-jre-headless \
 && apt-get clean -y \
 && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /rootfs \
@@ -41,6 +45,11 @@ RUN install -d -m 0755 -o $UID -g $GID /rootfs/home/$USER \
 && echo -e "root:x:0:0:root:/root:/noshell\n$USER:x:$UID:$GID::/home/$USER:/noshell" >/rootfs/etc/passwd
 RUN cp /etc/ssl/certs/java/cacerts /rootfs/etc/ssl/certs/java/cacerts
 
+# Create security manifest
+COPY print-dpkg-query.awk /
+COPY create-manifest.sh /
+RUN /bin/bash /create-manifest.sh /rootfs ${TARGETARCH}
+
 FROM scratch
 ARG USER
 ARG UID
diff --git a/jre/create-manifest.sh b/jre/create-manifest.sh
new file mode 100755
index 0000000..4dca7e0
--- /dev/null
+++ b/jre/create-manifest.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -ex
+INSTALL=$1
+TARGETARCH=$2
+
+mkdir -p $INSTALL/usr/share/rocks/
+FIELDS=(
+ '${db:Status-Abbrev}'
+ '${binary:Package}'
+ '${Version}'
+ '${source:Package}'
+ '${Source:Version}\n'
+)
+zstd -d -f -q $INSTALL/var/lib/chisel/manifest.wall \
+-o /manifest
+
+# add openjdk-21 package
+(
+ IFS="," && \
+ echo "# os-release" && cat /etc/os-release && echo "# dpkg-query"
+) > $INSTALL/usr/share/rocks/dpkg.query
+# add rest of the packages
+jq -r 'select(.kind == "package") | "\(.name) \(.version)"' \
+ /manifest | \
+awk -v arch=${TARGETARCH} -F' ' -f print-dpkg-query.awk \
+ >> $INSTALL/usr/share/rocks/dpkg.query
diff --git a/jre/print-dpkg-query.awk b/jre/print-dpkg-query.awk
new file mode 100755
index 0000000..3c4f52c
--- /dev/null
+++ b/jre/print-dpkg-query.awk
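Review bot: The four packages added to the apt install list (`zstd`, `jq`, `media-types`, `openjdk-8-jre-headless`) carry no explanation, and the last two appear to be there only so that the `dpkg-query` call in print-dpkg-query.awk can resolve a source package for every entry of the chisel manifest; because that script exits 1 on any miss, this list is coupled to the slice contents and a mismatch fails the build. A comment would make the coupling explicit, e.g. `# zstd/jq: manifest tooling; media-types/openjdk-8-jre-headless: must match the chisel slices so dpkg-query can resolve their source package`. Whether the chiseled rootfs really ships openjdk-8 rather than the openjdk-21 named in create-manifest.sh's comment cannot be confirmed from this hunk and should be checked. The pre-existing lines are unpinned too, so the unpinned additions are at least consistent with the file.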
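Review bot: `RUN /bin/bash /create-manifest.sh /rootfs ${TARGETARCH}` depends on `TARGETARCH` being declared in this stage; the automatic platform args only become available after an explicit `ARG TARGETARCH`, and no such line is visible in the hunk. If it is missing the argument expands to empty, awk receives `arch=` and every row of the manifest ends up as `pkg:` with no architecture, which nothing in the script detects. Add `ARG TARGETARCH` immediately before the RUN, or confirm it is declared earlier in this stage. The script also opens `print-dpkg-query.awk` by a cwd-relative path, so this step additionally assumes the working directory is `/` where the COPY places the file; an absolute `-f /print-dpkg-query.awk` in the script would remove that assumption.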
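Review bot: The `jq … | awk …` pipeline at the end of the script runs under `set -ex` without `pipefail`, so if jq fails (missing or malformed /manifest) awk sees empty input, exits 0, and the build succeeds with a dpkg.query that lists no packages — a scanner consuming that manifest would report a clean image. Change the second line to `set -exo pipefail`. The `FIELDS` array is never used, and the comment `# add openjdk-21 package` describes neither the subshell under it (which only writes the os-release header; the `IFS=","` assignment has no effect there) nor the openjdk-8 package the Dockerfile installs; either drop the array and reword to `# write the os-release header, then one dpkg-query style row per chisel package`, or wire FIELDS into an actual dpkg-query format string. Quoting `"$INSTALL"` in the paths and using `-f "$(dirname "$0")/print-dpkg-query.awk"` would make the script independent of the caller's working directory.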
@@ -0,0 +1,11 @@
+{
+ binary=$1
+ version=$2
+ cmd = "dpkg-query -W -f='${source:Package}\n' " binary "| head -n 1"
+ if ((cmd | getline source) > 0) {
+ print "ii,"binary":"arch","version","source","version
+ } else {
+ exit 1
+ }
+ close(cmd)
+}
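Review bot: The last column on the `print` line is the binary `version` repeated, not the source version, even though the row is laid out as status, binary:arch, binary version, source package, source version (the unused FIELDS array in create-manifest.sh names `${Source:Version}` as that fifth field). For packages whose source version differs from the binary one, tooling that matches advisories by source package and version would be handed the wrong value. One dpkg-query call can return both fields; the rewrite below splits its output and prints the real source version. Separately, the `exit 1` branch leaves the command unclosed, and `binary` is interpolated into the shell command unquoted — the manifest is produced by chisel so this is a robustness point, but single-quoting it costs nothing.

```awk
{
    binary = $1
    version = $2
    # one dpkg-query call yields "<source package> <source version>"
    cmd = "dpkg-query -W -f='${source:Package} ${source:Version}\n' '" binary "' | head -n 1"
    if ((cmd | getline line) > 0) {
        split(line, src, " ")
        print "ii," binary ":" arch "," version "," src[1] "," src[2]
    } else {
        close(cmd)
        exit 1
    }
    close(cmd)
}
```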