Rohit Verma on the mailing list raised using a "more hardened base image like distroless".
I'll admit that I'm personally not a huge fan of "FROM bitnami/tomcat:7.0.94" myself! Any contributions you'd like to make on this front would be very very welcome, from my side.
https://github.com/GoogleContainerTools/distroless is a great alternative. (BTW https://access.redhat.com/containers/?tab=images#/registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift is a another great choice, if you're into something supported.)
Your mission, should you choose to accept it and work on this issue, would be to raise a PR modifying our Dockerfile, but then still have the related test at the end of .travis.yml pass - everything (container, Docker Compose, Kubernetes) should, obviously, still "work as is", even if you go for changing the base image. Makes sense and sounds fair?
PS: What we really should do at some point is move away from 1990s style WAR-in-Tomcat, and make java -jar fineract.war work instead (and then use that in the container)... people working on this could also contribute, before or after, to
FINERACT-730. (On a related front, there's also FINERACT-764, but both are probably independent enough from each other to be tackled separately.)