- `imagebuild` command to build container images using different build engines.
- `--http-probe-concurrency`: new flag to control HTTP probe command execution concurrency
- `--http-probe-fail-on-status-5xx`: new flag to treat 5xx (e.g., 500) response status codes as errors
- `--http-probe-full` is now enabled by default, so all specified custom HTTP probe commands are executed.
- Improved global `--host` flag and Docker runtime client connection setup
- Podman runtime support for the `xray` command and the `--runtime` flag to choose the runtime.
- Podman runtime support for the `images` command
- `--http-probe-client-timeout` and `--http-probe-client-timeout-crawl` flags for the `slim`/`profile` commands
- `--http-probe-exit-on-failure-count` flag for the `slim`/`profile` commands
- `--http-probe-retry-off` flag for the `slim`/`profile` commands
- Created `app` command and moved the `install`, `update`, `version` and other app management related operations there as sub-commands.
- `--http-probe-retry-count` flag can now be used to disable probe retries by setting it to -1 (or use the `--http-probe-retry-off` flag instead)
- User identity collection bugfix for the `xray` command.
- HTTP probing completion logic bugfix to prevent early probing exit.
- The `--include-distro-info` flag for the `slim` (aka `build`) command to keep the OS distro metadata in the minified image.
- Using full image IDs (without stripped hash prefix) when calling the "save image" Docker API to make Orbstack happy (more improvements)
- The `--obfuscate-app-package-names` flag for the `slim` (aka `build`) command to select the obfuscation mode for the application package names (ignored unless the `--obfuscate-metadata` flag is enabled).
- The `--include-last-image-layers` flag for the `slim` (aka `build`) command to keep all files from the last number of layers in the image
- Using full image IDs (without stripped hash prefix) when calling the "save image" Docker API to make Orbstack happy
- The `--http-probe-cmd-upload` flag for the `slim` (aka `build`) and `profile` commands to upload files (and enhanced `--http-probe-cmd-file` command schema to support uploads).
- Enhanced API spec probing auto-generating POST data (`--http-probe-apispec` and `--http-probe-apispec-file` flags).
- Pinned busybox debug image for the `debug` command.
- The `--command-params-file` flag now works for the `slim` (aka `build`) and `xray` commands (thanks to @Billy-North).
- The `--shell-cmd` flag for the `debug` command allowing you to be more explicit about the intent to use a shell (alternative to `--cmd`).
- Basic DNS network probing.
- Renamed the `--auto-run-as-non-root` `debug` command flag to `--fallback-to-target-user`.
- Improved non-root user handling for the `debug` command (to disable the automated user identity selection logic, set `--fallback-to-target-user` to false)
- Use the custom entrypoint and cmd when they are not empty for the `debug` command (fixed by @sword-jin)
- `--include-healthcheck` flag for the `slim` (aka `build`) command
- Basic Redis network probing.
- `creport` data and format enhancements.
- `debug` command doc updates.
- `debug` command improvements for `podman`
- ContainerD container runtime support for `debug`
- Podman container runtime support for `debug`
- Auto-select the container runtime in `debug` by specifying `auto` as the `--runtime` flag value.
- Default Docker API version update.
- Report document type info in report documents.
- New `build` command flags (`--include-dir-bins` and `--include-ssh-client`).
- Simple `images` command to list container images.
- OCI image format support in `xray`.
- Improved `xray` command reports to include object type information.
- Fixes and dependency updates to support the new Docker Engine version (25.x).
- Sensor artifact (post-)processing bug fix for additional PT generated artifacts.
- Added command parameter information to process events in `mondel`.
- Enhanced `mondel` event capture to prevent event data loss on sensor shutdown.
- New `vulnerability` command and the `epss` subcommand to look up EPSS scores for vulnerabilities.
- Simple `registry server` command to have a local OCI registry (thank you Sarvesh Raj, @sarveshraj, for your contribution!).
- Simple `registry push` command to push local images to a registry.
- Simple `images` command to list container images.
- RPM packaging for the apps (thank you Rohan Jamadagni, @Rohansjamadagni, for your contribution!)
- Enhanced `registry pull` command to pull images from authenticated registries.
- `quiet` mode improvements (WIP) to hide the standard execution context output when it's enabled.
- `quiet` mode for the `images` command.
- Interactive prompt updates to include the `images`, `registry` and `vulnerability` commands and a couple of global flags.
- Monitor Data Event Log (mondel) enhancement to improve the write path.
- Simple `registry image-index-create` command to create multi-architecture images.
- Simple `images` command to list container images.
- Improved ptmon syscall handling.
- Enhanced `mondel` events with timestamps and sequence numbers.
- Extra docker socket validation checks.
- Version info on exit/failure.
- Temp container cleanup improvements.
- ARM image build scripts for the containerized distribution.
- Websocket http probe bug fix.
- Various ptmod bug fixes.
- Sensor `control` commands to control sensor execution when running in the standalone mode (first command: `stop-target-app`).
- `xray`: detect system identities (users, groups) and their properties (`--detect-identities` flag, enabled by default).
- `build`: keep the OS/libc zoneinfo data (`--include-zoneinfo` flag, disabled by default).
- `build`/`profile`: Mon(itor) Data Event Log (aka `mondel`), an optional data event log for sensor monitors to log/stream monitor events (`--enable-mondel` main app flag, `--mondel`/`-n` sensor flag(s)).
- `target-app-running` sensor lifecycle hook.
- `build`/`profile`: `--env-file` to load env vars from a file.
- `build`/`profile`: basic input validation to ignore malformed env var data for the `--env` flag.
- `build`: using the internal output image builder by default (`--image-build-engine` flag)
- Renamed the reverse engineered Dockerfile from `Dockerfile.fat` to `Dockerfile.reversed`
- Various bug fixes
- Auto-complete in the interactive `prompt` mode for the target, namespace, pod and session flags
- Interactive `debug` command terminal that runs as if you are connected directly to the target image you are debugging (enabled by default)
- Basic sessions for the `debug` command
- Ability to show logs for the existing `debug` command sessions
- More `debug` command flags (see README)
- README docs updates for the `debug` command
- Many `debug` command bug fixes
- Kubernetes runtime support for the `debug` command
- `appbom` command in the main app and `--appbom` flag in the sensor
- `merge` command to merge two container images (optimized to merge two minified images).
- More `debug` command flags
- README docs for the `debug` command
- Ability to detect the Docker Desktop unix socket
- Code and logging cleanup
- Sensor volume fix for sensor symlinks (to address the Homebrew installed problems with sensor)
- Various dependency updates to get security fixes
- New experimental `build` command flag to prevent the vulnerability scanners from discovering the metadata they need to identify the vulnerabilities (`--obfuscate-metadata`), inspired by the "Malicious Compliance" KubeCon EU 2023 talk
- HEALTHCHECK instruction decoding enhancements to handle the data generated by buildah
- fsutil format string bug fix
- New include flags for the `build` command (`--include-workdir`)
- Debug/trace logging improvements
- todo: add info
- Base image metadata for xray
- Basic support for multiple image build engines (`--image-build-engine`, `--image-build-arch` parameters)
- dockerfile reverse engineering updates
- buildkit dockerfile instruction support
- name change
- todo: add info
- Experimental 'debug' command
- JSON console output format
- refactored http-probe-exec and http-probe-exec-file to be host-exec and host-exec-file (breaking change)
- todo: add info
- Source image label in minified images
- Full image path enhancements for container entry info
- Traced application signal handling bugfix
- Healthcheck instruction parsing bugfix
- Experimental Node.js package include flag
- Experimental Next.js(React.js) app include flags
- Experimental Nuxt.js(Vue.js) app include flags
- Ability to disable the ptrace data source
- Container probe feature to use one of the compose services to test/probe the target container (`--container-probe-compose-svc` flag and `container.probe` continue-after mode)
- Ability to override the container image name and/or tag when targeting a compose service (`--target-compose-svc-image` flag)
- Ability to wait before executing the HTTP probes (`--http-probe-start-wait` flag)
- Ability to wait before starting each compose service (`--compose-svc-start-wait` flag)
- Basic FastCGI protocol support in HTTP probes (docs TBD)
- New `registry` command and a basic `pull` subcommand
- `--include-new` build flag to keep new files created by the target during dynamic analysis
- Support for stored global params in `slim.config.json`
- Improved containerized CI/CD environments support (`sensor-ipc-mode` and `sensor-ipc-endpoint` flags for `build` and `profile`)
- Docker host detection improvements
- Target container IP detection improvements
- Not minifying onbuild base images by default
- Not minifying already minified images
- Cleanup container resources on exit
- `include-cert-all` build flag enabled by default
- Propagate logging flags to sensor
- Not using default http probe if custom probes are already defined
- Many compose related enhancements (volume lookup enhancements, compose image detection and error handling, etc)
- Various monitoring engine enhancements
- Migrate from urfave/cli/v1 to urfave/cli/v2
- Dockerfile reverse engineering enhancements (HEALTHCHECK instruction support, improved RUN instruction reversing when ARGs are also used)
- Install command / docker cli plugin install option (preview version)
- Container and compose link handling enhancements
- Volume mounting enhancements
- Static analysis improvements
- Symlink handling improvements for builds
- Collecting file check filesystem activity
- Entrypoint/cmd override handling improvements
- Volume mounting bug fixes for compose
- Ability to pull images from private registries (`--registry-account`, `--registry-secret`, `--docker-config-path` flags)
- Additional flags for compose (`dep-include-target-compose-svc-deps`, `compose-env-nohost`, `compose-env-file`, `compose-workdir`, `compose-project-name`)
- Variable substitution support in compose
- Detect duplicates by default in xray
- Resource cleanup when the build command exits
- `delete-generated-fat-image` flag to clean up the non-optimized images when `docker-slim` builds images from source/Dockerfile
- Improved `maintainer` info collection for xray
- Volume mounting bug fixes for compose
- Experimental docker-compose support for the build command
- Include cert flags to make it easier to keep certificate data in the optimized images
- Install script
- `--cro-host-config-file`, `--cro-sysctl` and `--cro-shm-size` flags.
- M1 builds.
- xray and sensor volume detection bug fixes.
- Ability to detect additional shells.
- Saving command report to /tmp directory if it's not possible to save it in the current working directory.
- Printing tag information for build command.
- Default `continue-after` value handling fix (remove `probe` mode if http probing is disabled).
- Sensor not exiting when it's trying to copy a directory it already copied.
- Ability to find duplicate files for xray (`--detect-duplicates`, `--show-duplicates`).
- Ability to find all utf8 encoded files for xray using the `--detect-utf8` flag (optionally dumping them to console, directory or tar file).
- Ability to find the files with special permissions (`--show-special-perms`).
- Ability to find all installed shells for xray.
- Container entry information for xray with file detection.
- Inherited image instructions (aka ONBUILD instructions) for xray.
- More image level stats for xray.
- Multiple tags for the build command.
- `--http-probe-off` flag for the build command to provide a shortcut to disable HTTP probing.
- Flexible target image handling to use non-default tags if the `latest` tag doesn't exist and no explicit tag is provided.
- `change-match-layers-only` xray flag to print only the layers that contain the matches.
- xray enhancement: printing to console by default for pattern or data matches.
- Various xray command bug fixes.
- Ability to combine `probe` and `exec` `continue-after` modes
- Various xray command bug fixes
- Console color output (on by default; disable with `no-color`)
- Loading http probe request data from separate files
- Ability to execute external probe commands (`--http-probe-exec` and `--http-probe-exec-file` flags)
- Ability to preserve original files in the target container, discarding its test runtime data (`--preserve-path` and `--preserve-path-file`)
- Ability to pull container images if they don't exist locally yet (`--pull` and `--show-plogs`)
- File hashing for xray (`--hash-data`)
- Additional flags to control the xray command executions (`--top-changes-max`, `--reuse-saved-image`)
- Ability to match by file path, file data and file hash for xray (`--change-path value`, `--change-data value`, `--change-data-hash value`)
- Lots of additional container build flags (`--tag-fat`, `--cbo-add-host`, `--cbo-build-arg`, `--cbo-label`, `--cbo-target`, `--cbo-network`, `--cbo-cache-from`).
- Additional container runtime flags (`--cro-runtime`)
- `sigint` should kill the running container (#186)
- Various xray image layer inspection bug fixes
- New `xray` flags to control what layer change data to include in the generated reports (`layer-changes-max`, `all-changes-max`, `add-changes-max`, `modify-changes-max`, `delete-changes-max`)
- `host` network flag handling enhancements.
- Returning non-zero exit codes on failures
- Additional image checks to catch missing ENTRYPOINT/CMD instructions
- Fixed container image listing bug that broke the `--target` value suggestions in the interactive prompt mode.
- Ability to interact with the temporary containers using the `--exec` and `--exec-file` flags
- `npm` support enhancements (makes it possible to use `npm start` in Dockerfiles, which isn't recommended though)
- Various bug fixes.
- Mapping container ports to specific host ports when analyzing the image at runtime (`--publish-port` and `--publish-exposed-ports` flags)
- `seccomp` security profile generation capability updates
- User namespace handling improvements (thanks to @solarnz)
- Experimental HTTP probe command generation based on the API descriptions from the Swagger and OpenAPI specs (`--http-probe-apispec` and `--http-probe-apispec-file` flags)
- Image metadata editing capabilities to add, remove and update the LABEL, VOLUME, EXPOSE, ENV and WORKDIR instructions (`--new-workdir`, `--new-expose`, `--new-label`, `--new-volume`, `--remove-volume`, `--remove-env`, `--remove-label`, `--remove-expose` and `--image-overrides` combined with `--expose`, `--workdir`, `--env`, `--volume`, `--label`, `--env`)
- Layer change details available in the `xray` command reports when the `--changes` flag is set.
- System and engine information in the command reports to improve debugging
- Ability to enable crawling for the HTTP probes specified using the `--http-probe-cmd` flag
- Improved HTTP probe crawler documentation
- `lint` command (initial Dockerfile linting capabilities with a basic set of checks)
- HTTP probe crawler (automatically probes additional endpoints referenced in the processed targets; see the `--http-probe-crawl` and related flags)
- ARM64 support (need more people to test!)
- `--http-probe-exit-on-failure` flag to exit execution when all HTTP probe calls fail
- `--include-bin-file` and `--include-exe-file` flags to make it easier to specify multiple binaries and executables, loading them from files
- `xray` command report enhancements
- Interactive CLI prompt
- `xray` command output improvements
- Additional image data saved with the `xray` command reports (`--add-image-manifest` and `--add-image-config` flags)
- New `xray` parameters to control how much to show when it's printing the layer details (`--changes value` and `--layer value`)
- Image history enhancements and more data saved in the xray command reports
- `xray` command enhancements to show the detailed container image information including its layers and their files and directories (initial version).
- The `--exclude-pattern` `build` parameter to filter/exclude the artifacts in the optimized container.
- Option to set permissions, user and group information for the artifacts included with the `--include-*` parameters.
- Option to overwrite the permissions and ownership info in the optimized image using the new `--path-perms` and `path-perms-file` parameters.
- Option to run the containerized application using user and group information from the USER instruction.
- Filter leftover PID files.
- UX enhancements for the containers created using Dockerfiles.
- Additional debugging information.
- Support for special install directories on Linux (to prevent failures when `docker-slim` is trying to save its state).
- Saving command execution report by default (`slim.report.json`).
- CLI output UX enhancements.
- Docker connect info checks.
- Version check fixes when running in containers.
- Run `docker-slim` in containers.
- New distribution option (`dslim/docker-slim` image available in Docker Hub).
- Archive `docker-slim` state into a separate Docker volume.
- Default to continuing `docker-slim` execution after the http probing step is done when http probing is enabled.
- Improved IPC.
- Improved seccomp and metadata artifact copy option.
- Improved execution report.
- Build minified images from `source` using the new `--from-dockerfile` build flag (see `README.md` for details).
- Custom HTTP POST probes support request bodies
- Enhanced build command reports with additional container image metadata (using the global `--report` flag)
- Ability to update the minified image Dockerfile instructions (using the `--new-cmd`, `--new-entrypoint`, `--new-expose`, `--new-workdir`, `--new-env` and `--image-overrides` flags)
- Dockerfile volume support
- HTTP probes by default (you will have to disable HTTP probes if you don't need them)
- Various UX enhancements to provide better CLI feedback and to avoid generating minified images that might not work
- TTY bug fix caused by an external dependency (used to track update download progress)
- Experimental ARM32 support
- Easy way to keep a shell in your image (just pass `--include-shell` to the `build` command)
- Easy way to include additional executables (`--include-exe` flag) and binary objects (`--include-bin` flag), which will also include their binary dependencies, so you don't have to explicitly include them all yourself
- `update` command: now you can update `docker-slim` from `docker-slim`!
- Current version checks to know if the installed release is out of date
- Improvements to handle complex `--entrypoint` and `--cmd` parameters
- Better Mac OS X support: when you install `docker-slim` to /usr/local/bin or other special/non-shared directories, docker-slim will detect it and use the /temp directory to save its artifacts and to mount its sensor
- HTTP Probing enhancements and new flags to control the probing process
- Better Nginx support
- Support for non-default users
- Improved symlink handling
- Better failure monitoring and reporting
- The `--include-path-file` option to make it easier to load extra files you want to keep in your image
- CentOS support
- Enhancements for ruby applications with extensions
- Save the docker-slim command results in a JSON file using the `--report` flag
- Better support for applications with dynamic libraries (e.g., python compiled with `--enable-shared`)
- Additional network related Docker parameters
- Extended version information
- Alpine image support
- Ability to override ENV variables analyzing target image
- Docker 1.12 support
- User selected location to store DockerSlim state (global `--state-path` parameter).
- Auto-generated seccomp profiles for Docker 1.10.
- Python 3 support
- Docker connect options
- HTTP probe commands
- Include extra directories and files in minified images