- New experimental `build` command flag to prevent the vulnerability scanners from discovering the metadata they need to identify the vulnerabilities (`--obfuscate-metadata`) inspired by the Malicious Compliance KubeCon EU 2023 talk
- HEALTHCHECK instruction decoding enhancements to handle the data generated by buildah
- fsutil format string bug fix
- New include flags for the `build` command (`--include-workdir`)
- Debug/trace logging improvements
- todo: add info
- Base image metadata for xray
- Basic support for multiple image build engines (`--image-build-engine`, `--image-build-arch` parameters)
- dockerfile reverse engineering updates
- buildkit dockerfile instruction support
- name change
- todo: add info
- Experimental 'debug' command
- JSON console output format
- Refactored `http-probe-exec` and `http-probe-exec-file` to be `host-exec` and `host-exec-file` (breaking change)
- todo: add info
- Source image label in minified images
- Full image path enhancements for container entry info
- Traced application signal handling bugfix
- Healthcheck instruction parsing bugfix
- Experimental Node.js package include flag
- Experimental Next.js (React.js) app include flags
- Experimental Nuxt.js (Vue.js) app include flags
- Ability to disable the ptrace data source
- Container probe feature to use one of the compose services to test/probe the target container (`--container-probe-compose-svc` flag and `container.probe` continue-after mode)
- Ability to override the container image name and/or tag when targeting a compose service (`--target-compose-svc-image` flag)
- Ability to wait before executing the HTTP probes (`--http-probe-start-wait` flag)
- Ability to wait before starting each compose service (`--compose-svc-start-wait` flag)
- Basic FastCGI protocol support in HTTP probes (docs TBD)
- New `registry` command and a basic `pull` subcommand
- `--include-new` build flag to keep new files created by the target during dynamic analysis
- Support for stored global params in `slim.config.json`
- Improved containerized CI/CD environments support (`sensor-ipc-mode` and `sensor-ipc-endpoint` flags for `build` and `profile`)
- Docker host detection improvements
- Target container IP detection improvements
- Not minifying onbuild base images by default
- Not minifying already minified images
- Cleanup container resources on exit
- `include-cert-all` build flag enabled by default
- Propagate logging flags to sensor
- Not using default http probe if custom probes are already defined
- Many compose related enhancements (volume lookup enhancements, compose image detection and error handling, etc)
- Various monitoring engine enhancements
- Migrate from urfave/cli/v1 to urfave/cli/v2
- Dockerfile reverse engineering enhancements (HEALTHCHECK instruction support, improved RUN instruction reversing when ARGs are also used)
- Install command / docker cli plugin install option (preview version)
- Container and compose link handling enhancements
- Volume mounting enhancements
- Static analysis improvements
- Symlink handling improvements for builds
- Collecting file check filesystem activity
- Entrypoint/cmd override handling improvements
- Volume mounting bug fixes for compose
- Ability to pull images from private registries (`--registry-account`, `--registry-secret`, `--docker-config-path` flags)
- Additional flags for compose (`dep-include-target-compose-svc-deps`, `compose-env-nohost`, `compose-env-file`, `compose-workdir`, `compose-project-name`)
- Variable substitution support in compose
- Detect duplicates by default in xray
- Resource cleanup when the build command exits
- `delete-generated-fat-image` flag to clean up the non-optimized images when `docker-slim` builds images from source/Dockerfile
- Improved `maintainer` info collection for xray
- Volume mounting bug fixes for compose
- Experimental docker-compose support for the build command
- Include cert flags to make it easier to keep certificate data in the optimized images
- Install script
- `--cro-host-config-file`, `--cro-sysctl` and `--cro-shm-size` flags.
- M1 builds.
- xray and sensor volume detection bug fixes.
- Ability to detect additional shells.
- Saving command report to /tmp directory if it's not possible to save it in the current working directory.
- Printing tag information for build command.
- Default `continue-after` value handling fix (remove `probe` mode if http probing is disabled).
- Sensor not exiting when it's trying to copy a directory it already copied.
- Ability to find duplicate files for xray (`--detect-duplicates`, `--show-duplicates`).
- Ability to find all utf8 encoded files for xray using the `--detect-utf8` flag (optionally dumping them to console, directory or tar file).
- Ability to find the files with special permissions (`--show-special-perms`).
- Ability to find all installed shells for xray.
- Container entry information for xray with file detection.
- Inherited image instructions (aka ONBUILD instructions) for xray.
- More image level stats for xray.
- Multiple tags for the build command.
- `--http-probe-off` flag for the build command to provide a shortcut to disable HTTP probing.
- Flexible target image handling to use non-default tags if the `latest` tag doesn't exist and no explicit tag is provided.
- `change-match-layers-only` xray flag to print only the layers that contain the matches.
- xray enhancement: printing to console by default for pattern or data matches.
- Various xray command bug fixes.
- Ability to combine `probe` and `exec` `continue-after` modes
- Various xray command bug fixes
- Console color output (on by default; disable with `no-color`)
- Loading http probe request data from separate files
- Ability to execute external probe commands (`--http-probe-exec` and `--http-probe-exec-file` flags)
- Ability to preserve original files in the target container discarding its test runtime data (`--preserve-path` and `--preserve-path-file`)
- Ability to pull container images if they don't exist locally yet (`--pull` and `--show-plogs`)
- File hashing for xray (`--hash-data`)
- Additional flags to control the xray command executions (`--top-changes-max`, `--reuse-saved-image`)
- Ability to match by file path, file data and file hash for xray (`--change-path value`, `--change-data value`, `--change-data-hash value`)
- Lots of additional container build flags (`--tag-fat`, `--cbo-add-host`, `--cbo-build-arg`, `--cbo-label`, `--cbo-target`, `--cbo-network`, `--cbo-cache-from`).
- Additional container runtime flags (`--cro-runtime`)
- `sigint` should kill the running container (#186)
- Various xray image layer inspection bug fixes
- New `xray` flags to control what layer change data to include in the generated reports (`layer-changes-max`, `all-changes-max`, `add-changes-max`, `modify-changes-max`, `delete-changes-max`)
- `host` network flag handling enhancements.
- Returning non-zero exit codes on failures
- Additional image checks to catch missing ENTRYPOINT/CMD instructions
- Fixed container image listing bug that broke the `--target` value suggestions in the interactive prompt mode.
- Ability to interact with the temporary containers using the `--exec` and `--exec-file` flags
- `npm` support enhancements (makes it possible to use `npm start` in Dockerfiles, which isn't recommended though)
- Various bug fixes.
- Mapping container ports to specific host ports when analyzing the image at runtime (`--publish-port` and `--publish-exposed-ports` flags)
- `seccomp` security profile generation capability updates
- User namespace handling improvements (thanks to @solarnz)
- Experimental HTTP probe command generation based on the API descriptions from the Swagger and OpenAPI specs (`--http-probe-apispec` and `--http-probe-apispec-file` flags)
- Image metadata editing capabilities to add, remove and update the LABEL, VOLUME, EXPOSE, ENV and WORKDIR instructions (`--new-workdir`, `--new-expose`, `--new-label`, `--new-volume`, `--remove-volume`, `--remove-env`, `--remove-label`, `--remove-expose` and `--image-overrides` combined with `--expose`, `--workdir`, `--env`, `--volume`, `--label`)
- Layer change details available in the `xray` command reports when the `--changes` flag is set.
- System and engine information in the command reports to improve debugging
- Ability to enable crawling for the HTTP probes specified using the `--http-probe-cmd` flag
- Improved HTTP probe crawler documentation
- `lint` command (initial Dockerfile linting capabilities with a basic set of checks)
- HTTP probe crawler (automatically probes additional endpoints referenced in the processed targets; see the `--http-probe-crawl` and related flags)
- ARM64 support (need more people to test!)
- `--http-probe-exit-on-failure` flag to exit execution when all HTTP probe calls fail
- `--include-bin-file` and `--include-exe-file` flags to make it easier to specify multiple binaries and executables by loading them from files
- `xray` command report enhancements
- Interactive CLI prompt
- `xray` command output improvements
- Additional image data saved with the `xray` command reports (`--add-image-manifest` and `--add-image-config` flags)
- New `xray` parameters to control how much to show when it's printing the layer details (`--changes value` and `--layer value`)
- Image history enhancements and more data saved in the xray command reports
- `xray` command enhancements to show the detailed container image information including its layers and their files and directories (initial version).
- The `--exclude-pattern` `build` parameter to filter/exclude the artifacts in the optimized container.
- Option to set permissions, user and group information for the artifacts included with the `--include-*` parameters.
- Option to overwrite the permissions and ownership info in the optimized image using the new `--path-perms` and `path-perms-file` parameters.
- Option to run the containerized application using user and group information from the USER instruction.
- Filter leftover PID files.
- UX enhancements for the containers created using Dockerfiles.
- Additional debugging information.
- Support for special install directories on Linux (to prevent failures when `docker-slim` is trying to save its state).
- Saving command execution report, by default (`slim.report.json`).
- CLI output UX enhancements.
- Docker connect info checks.
- Version check fixes when running in containers.
- Run `docker-slim` in containers.
- New distribution option (`dslim/docker-slim` image available in Docker Hub).
- Archive `docker-slim` state into a separate Docker volume.
- Default to continuing `docker-slim` execution after the http probing step is done when http probing is enabled.
- Improved IPC.
- Improved seccomp and metadata artifact copy option.
- Improved execution report.
- Build minified images from `source` using the new `--from-dockerfile` build flag (see `README.md` for details).
- Custom HTTP POST probes support request bodies
- Enhanced build command reports with additional container image metadata (using the global `--report` flag)
- Ability to update the minified image Dockerfile instructions (using the `--new-cmd`, `--new-entrypoint`, `--new-expose`, `--new-workdir`, `--new-env` and `--image-overrides` flags)
- Dockerfile volume support
- HTTP probes by default (you will have to disable HTTP probes if you don't need them)
- Various UX enhancements to provide better CLI feedback and to avoid generating minified images that might not work
- TTY bug fix caused by an external dependency (used to track update download progress)
- Experimental ARM32 support
- Easy way to keep a shell in your image (just pass `--include-shell` to the `build` command)
- Easy way to include additional executables (`--include-exe` flag) and binary objects (`--include-bin` flag), which will also include their binary dependencies, so you don't have to explicitly include them all yourself
- `update` command - now you can update `docker-slim` from `docker-slim`!
- Current version checks to know if the installed release is out of date
- Improvements to handle complex `--entrypoint` and `--cmd` parameters
- Better Mac OS X support - when you install `docker-slim` to /usr/local/bin or other special/non-shared directories, docker-slim will detect it and use the /temp directory to save its artifacts and to mount its sensor
- HTTP Probing enhancements and new flags to control the probing process
- Better Nginx support
- Support for non-default users
- Improved symlink handling
- Better failure monitoring and reporting
- The `--include-path-file` option to make it easier to load extra files you want to keep in your image
- CentOS support
- Enhancements for ruby applications with extensions
- Save the docker-slim command results in a JSON file using the `--report` flag
- Better support for applications with dynamic libraries (e.g., python compiled with `--enable-shared`)
- Additional network related Docker parameters
- Extended version information
- Alpine image support
- Ability to override ENV variables when analyzing the target image
- Docker 1.12 support
- User selected location to store DockerSlim state (global `--state-path` parameter).
- Auto-generated seccomp profiles for Docker 1.10.
- Python 3 support
- Docker connect options
- HTTP probe commands
- Include extra directories and files in minified images