- New `build` command flags (`--include-dir-bins` and `--include-ssh-client`).
- Simple `images` command to list container images.
- OCI image format support in `xray`.
- Improved `xray` command reports to include object type information.
- Fixes and dependency updates to support the new Docker Engine version (25.x).
- Sensor artifact (post-)processing bug fix for additional PT (ptrace) generated artifacts.
- Added command parameter information to process events in `mondel`.
- Enhanced `mondel` event capture to prevent event data loss on sensor shutdown.
- New `vulnerability` command and its `epss` subcommand to look up EPSS scores for vulnerabilities.
- Simple `registry server` command to run a local OCI registry (thank you Sarvesh Raj, @sarveshraj, for your contribution!).
- Simple `registry push` command to push local images to a registry.
- Simple `images` command to list container images.
- RPM packaging for the apps (thank you Rohan Jamadagni, @Rohansjamadagni, for your contribution!)
- Enhanced `registry pull` command to pull images from authenticated registries.
- `quiet` mode improvements (WIP) to hide the standard execution context output when it's enabled.
- `quiet` mode for the `images` command.
- Interactive prompt updates to include the `images`, `registry` and `vulnerability` commands and a couple of global flags.
- Monitor Data Event Log (`mondel`) enhancement to improve the write path.
- Simple `registry image-index-create` command to create multi-architecture images.
- Simple `images` command to list container images.
- Improved ptmon syscall handling.
- Enhanced `mondel` events with timestamps and sequence numbers.
- Extra Docker socket validation checks.
- Version info on exit/failure.
- Temp container cleanup improvements.
- ARM image build scripts for the containerized distribution.
- WebSocket HTTP probe bug fix.
- Various ptmod bug fixes.
- Sensor `control` commands to control sensor execution when running in standalone mode (first command: `stop-target-app`).
- `xray`: detect system identities (users, groups) and their properties (`--detect-identities` flag, enabled by default).
- `build`: keep the OS/libc zoneinfo data (`--include-zoneinfo` flag, disabled by default).
- `build`/`profile`: Mon(itor) Data Event Log (aka `mondel`), an optional data event log for sensor monitors to log/stream monitor events (`--enable-mondel` main app flag, `--mondel`/`-n` sensor flag(s)).
- `target-app-running` sensor lifecycle hook.
- `build`/`profile`: `--env-file` to load env vars from a file.
- `build`/`profile`: basic input validation to ignore malformed env var data for the `--env` flag.
- `build`: using the internal output image builder by default (`--image-build-engine` flag).
- Renamed the reverse engineered Dockerfile from `Dockerfile.fat` to `Dockerfile.reversed`.
- Various bug fixes
- Auto-complete in the interactive `prompt` mode for the target, namespace, pod and session flags.
- Interactive `debug` command terminal that runs as if you are connected directly to the target image you are debugging (enabled by default).
- Basic sessions for the `debug` command.
- Ability to show logs for existing `debug` command sessions.
- More `debug` command flags (see README).
- README docs updates for the `debug` command.
- Many `debug` command bug fixes.
- Kubernetes runtime support for the `debug` command.
- `appbom` command in the main app and `--appbom` flag in the sensor.
- `merge` command to merge two container images (optimized to merge two minified images).
- More `debug` command flags.
- README docs for the `debug` command.
- Ability to detect the Docker Desktop unix socket.
- Code and logging cleanup
- Sensor volume fix for sensor symlinks (to address the Homebrew installed problems with sensor)
- Various dependency updates to get security fixes
- New experimental `build` command flag to prevent vulnerability scanners from discovering the metadata they need to identify vulnerabilities (`--obfuscate-metadata`), inspired by the Malicious Compliance KubeCon EU 2023 talk. Note that hiding package metadata makes scanner findings disappear without removing the vulnerable packages, so this is a demonstration of scanner blind spots, not remediation.
- HEALTHCHECK instruction decoding enhancements to handle the data generated by buildah
- fsutil format string bug fix
- New include flags for the `build` command (`--include-workdir`).
- Debug/trace logging improvements.
- todo: add info
- Base image metadata for xray
- Basic support for multiple image build engines (`--image-build-engine`, `--image-build-arch` parameters).
- dockerfile reverse engineering updates
- buildkit dockerfile instruction support
- name change
- todo: add info
- Experimental 'debug' command
- JSON console output format
- Refactored `http-probe-exec` and `http-probe-exec-file` to be `host-exec` and `host-exec-file` (breaking change).
- todo: add info
- Source image label in minified images
- Full image path enhancements for container entry info
- Traced application signal handling bugfix
- Healthcheck instruction parsing bugfix
- Experimental Node.js package include flag
- Experimental Next.js(React.js) app include flags
- Experimental Nuxt.js(Vue.js) app include flags
- Ability to disable the ptrace data source
- Container probe feature to use one of the compose services to test/probe the target container (`--container-probe-compose-svc` flag and `container.probe` `continue-after` mode).
- Ability to override the container image name and/or tag when targeting a compose service (`--target-compose-svc-image` flag).
- Ability to wait before executing the HTTP probes (`--http-probe-start-wait` flag).
- Ability to wait before starting each compose service (`--compose-svc-start-wait` flag).
- Basic FastCGI protocol support in HTTP probes (docs TBD).
- New `registry` command and a basic `pull` subcommand.
- `--include-new` build flag to keep new files created by the target during dynamic analysis.
- Support for stored global params in `slim.config.json`.
- Improved containerized CI/CD environment support (`sensor-ipc-mode` and `sensor-ipc-endpoint` flags for `build` and `profile`).
- Docker host detection improvements.
- Target container IP detection improvements
- Not minifying onbuild base images by default
- Not minifying already minified images
- Cleanup container resources on exit
- `include-cert-all` build flag enabled by default.
- Propagate logging flags to sensor.
- Not using default http probe if custom probes are already defined
- Many compose related enhancements (volume lookup enhancements, compose image detection and error handling, etc)
- Various monitoring engine enhancements
- Migrate from urfave/cli/v1 to urfave/cli/v2
- Dockerfile reverse engineering enhancements (HEALTHCHECK instruction support, improved RUN instruction reversing when ARGs are also used)
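The Dockerfile reverse engineering entries above (classic `#(nop)` history, BuildKit instruction suffixes, HEALTHCHECK decoding, RUN steps that used ARGs) all work from the `history[].created_by` strings stored in the image config. The following Python is an added example written for this page, not code from the slim project: it reconstructs instructions from a constructed sample history (the `file:0123abcd` id, paths and commands are made up), decoding the Go `%q` struct text that docker/buildah record for HEALTHCHECK and the `|N k=v` build-arg prefix. Its output is a best-effort reconstruction, which is exactly what makes it useful for diffing against the Dockerfile a vendor claims to have used.

```python
"""Reconstruct Dockerfile instructions from an image config's history entries."""
import ast
import json
import re

NOP_RE = re.compile(r"^/bin/sh -c #\(nop\)\s+(.*)$")     # classic metadata steps
SHELL_RE = re.compile(r"^/bin/sh -c (.*)$")              # classic / BuildKit RUN body
ARGS_RE = re.compile(r"^\|(\d+) (.*)$")                  # "|N K=V ... /bin/sh -c cmd"
HC_RE = re.compile(r"^&\{\[(.*?)\]((?: \"[^\"]*\")+) ('.*')\}$")  # Go %q of HealthConfig
BUILDKIT_SUFFIX = " # buildkit"


def decode_healthcheck(raw: str) -> str:
    """Decode the Go struct text (test list, durations, retries as a rune literal)."""
    m = HC_RE.match(raw)
    if not m:
        return "HEALTHCHECK " + raw                        # unknown layout: keep verbatim
    test = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    durations = re.findall(r'"([^"]*)"', m.group(2))
    retries = ord(ast.literal_eval(m.group(3)))           # e.g. '\x03' -> 3
    names = ("interval", "timeout", "start-period", "start-interval")
    opts = [f"--{n}={d}" for n, d in zip(names, durations) if d != "0s"]
    if retries:
        opts.append(f"--retries={retries}")
    if not test or test[0] == "NONE":
        return "HEALTHCHECK NONE"
    cmd = " ".join(test[1:]) if test[0] == "CMD-SHELL" else json.dumps(test[1:])
    return " ".join(["HEALTHCHECK", *opts, "CMD", cmd])


def split_build_args(cmd: str):
    """Peel the `|N A=1 B=2` prefix docker prepends to RUN steps that consumed ARGs."""
    m = ARGS_RE.match(cmd)
    if not m:
        return [], cmd
    n = int(m.group(1))
    parts = m.group(2).split(" ", n)
    return parts[:n], parts[n]


def reverse_history(history: list) -> list:
    """Return Dockerfile instructions, oldest first, one per history entry."""
    out, seen_args = [], set()
    for entry in history:
        raw = entry.get("created_by", "").strip()
        if raw.endswith(BUILDKIT_SUFFIX):
            raw = raw[: -len(BUILDKIT_SUFFIX)]
        if raw.startswith("RUN "):                         # BuildKit: "RUN /bin/sh -c ..."
            raw = raw[4:]
        nop = NOP_RE.match(raw)
        if nop:
            instr = nop.group(1)
        else:
            args, cmd = split_build_args(raw)
            shell = SHELL_RE.match(cmd)
            if shell:
                for a in args:                             # ARG values resolved at build time
                    if a not in seen_args:
                        seen_args.add(a)
                        out.append(f"ARG {a}")
                instr = "RUN " + shell.group(1)
            else:
                instr = raw                                # BuildKit already stores the instruction
        if instr.startswith("HEALTHCHECK &{"):
            instr = decode_healthcheck(instr[len("HEALTHCHECK "):])
        m = re.match(r"^EXPOSE map\[(.*)\]$", instr)       # BuildKit prints the port set as a Go map
        if m:
            instr = "EXPOSE " + " ".join(re.findall(r"(\S+?):\{\}", m.group(1)))
        out.append(instr.rstrip())
    return out


# Constructed sample history (not from a real image), mixing classic and BuildKit entries.
SAMPLE_HISTORY = [
    {"created_by": "/bin/sh -c #(nop) ADD file:0123abcd in / "},
    {"created_by": "/bin/sh -c #(nop)  ARG VERSION", "empty_layer": True},
    {"created_by": "|1 VERSION=1.2 /bin/sh -c apt-get update && apt-get install -y curl=$VERSION"},
    {"created_by": "COPY app.py /app/ # buildkit"},
    {"created_by": "RUN /bin/sh -c chmod 0755 /app/app.py # buildkit"},
    {"created_by": "EXPOSE map[8080/tcp:{}]", "empty_layer": True},
    {"created_by": "HEALTHCHECK &{[\"CMD-SHELL\" \"curl -f http://localhost:8080/ || exit 1\"]"
                   " \"30s\" \"10s\" \"0s\" '\\x03'}", "empty_layer": True},
    {"created_by": '/bin/sh -c #(nop)  CMD ["python3" "/app/app.py"]', "empty_layer": True},
]

if __name__ == "__main__":
    print("\n".join(reverse_history(SAMPLE_HISTORY)))
```

Feed it the `history` array from `docker image inspect` (or the OCI image config blob) and compare the result with the source Dockerfile; missing `ARG` values, an unexpected `HEALTHCHECK`, or extra `RUN` steps are the usual signs that an image was not built the way its documentation says.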
- Install command / docker cli plugin install option (preview version)
- Container and compose link handling enhancements
- Volume mounting enhancements
- Static analysis improvements
- Symlink handling improvements for builds
- Collecting file check filesystem activity
- Entrypoint/cmd override handling improvements
- Volume mounting bug fixes for compose
- Ability to pull images from private registries (`--registry-account`, `--registry-secret`, `--docker-config-path` flags).
- Additional flags for compose (`dep-include-target-compose-svc-deps`, `compose-env-nohost`, `compose-env-file`, `compose-workdir`, `compose-project-name`).
- Variable substitution support in compose.
- Detect duplicates by default in xray
- Resource cleanup when the build command exits
- `delete-generated-fat-image` flag to clean up the non-optimized images when `docker-slim` builds images from source/Dockerfile.
- Improved `maintainer` info collection for xray.
- Volume mounting bug fixes for compose
- Experimental docker-compose support for the build command
- Include cert flags to make it easier to keep certificate data in the optimized images
- Install script
- `--cro-host-config-file`, `--cro-sysctl` and `--cro-shm-size` flags.
- M1 builds.
- xray and sensor volume detection bug fixes.
- Ability to detect additional shells.
- Saving command report to /tmp directory if it's not possible to save it in the current working directory.
- Printing tag information for build command.
- Default `continue-after` value handling fix (remove the `probe` mode if HTTP probing is disabled).
- The sensor no longer exits when it tries to copy a directory it has already copied.
- Ability to find duplicate files with xray (`--detect-duplicates`, `--show-duplicates`).
- Ability to find all UTF-8 encoded files with xray using the `--detect-utf8` flag (optionally dumping them to the console, a directory or a tar file).
- Ability to find files with special permissions (`--show-special-perms`).
- Ability to find all installed shells with xray.
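The xray duplicate detection and file hashing entries, and the `--obfuscate-metadata` build flag listed earlier, all come down to walking an image's layer tarballs and looking at what is left. The Python below is an added example written for this page, not slim's own code: it builds a three-layer image in memory (a constructed sample, not a real image), applies OCI whiteouts to get the effective filesystem, hashes files to find duplicates across layers, and reports two things a practitioner wants to know before trusting a scanner: whether the package database a scanner reads is still present, and which files were "deleted" by a later layer but still sit in an earlier layer blob where anyone with the image can read them. The package DB paths are the common dpkg/apk/rpm locations; the sample content is fake.

```python
"""Walk image layers: apply whiteouts, hash files, flag duplicates, hidden files and
missing package metadata. Layers are built in memory here (constructed sample)."""
import hashlib
import io
import tarfile
from collections import defaultdict

# Where dpkg/apk/rpm keep the metadata vulnerability scanners rely on.
PKG_DB_PATHS = ("var/lib/dpkg/status", "lib/apk/db/installed",
                "var/lib/rpm/rpmdb.sqlite", "var/lib/rpm/Packages")


def make_layer(files: dict) -> bytes:
    """Build an uncompressed layer tar from {path: bytes}; a None value means whiteout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            if data is None:
                d, _, name = path.rpartition("/")
                path, data = f"{d}/.wh.{name}".lstrip("/"), b""
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def apply_layers(layers: list):
    """Return (visible, hidden): visible maps path -> (layer index, sha256) after all
    layers are applied; hidden maps paths removed by a whiteout -> the layer that
    still physically contains their content."""
    visible, hidden = {}, {}
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            for m in tar.getmembers():
                d, _, name = m.name.rpartition("/")
                if name == ".wh..wh..opq":              # opaque whiteout: drop the whole dir
                    for p in [p for p in visible if p.startswith(d + "/")]:
                        hidden[p] = visible.pop(p)[0]
                elif name.startswith(".wh."):
                    target = f"{d}/{name[4:]}".lstrip("/")
                    if target in visible:
                        hidden[target] = visible.pop(target)[0]
                elif m.isfile():
                    digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                    visible[m.name] = (idx, digest)
    return visible, hidden


def find_duplicates(visible: dict) -> dict:
    """Group visible paths by content hash; only groups with more than one path."""
    by_hash = defaultdict(list)
    for path, (_, digest) in visible.items():
        by_hash[digest].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def package_metadata_present(visible: dict) -> list:
    """Package databases a scanner can still read in the final filesystem view."""
    return [p for p in PKG_DB_PATHS if p in visible]


# Constructed sample image: base layer, a layer that copies a binary and "deletes" a
# secret, and a final layer that strips the dpkg database.
SAMPLE_LAYERS = [
    make_layer({"bin/busybox": b"ELF-busybox-sample",
                "var/lib/dpkg/status": b"Package: libc6\nVersion: 2.36-9\n",
                "etc/secret": b"token-sample"}),
    make_layer({"usr/local/bin/busybox": b"ELF-busybox-sample", "etc/secret": None}),
    make_layer({"var/lib/dpkg/status": None}),
]

if __name__ == "__main__":
    visible, hidden = apply_layers(SAMPLE_LAYERS)
    print("duplicates:", find_duplicates(visible))
    print("hidden but still in a layer:", hidden)
    print("package metadata:", package_metadata_present(visible) or "NONE (scanner is blind)")
```

Run the same three checks against a real image after exporting it (`docker save` gives the layer tars and the manifest listing their order). An empty `package_metadata_present` result with binaries still present is what a metadata-obfuscated or badly minified image looks like to a scanner, and a non-empty `hidden` map is the classic "secret deleted in a later layer" finding.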
- Container entry information for xray with file detection.
- Inherited image instructions (aka ONBUILD instructions) for xray.
- More image level stats for xray.
- Multiple tags for the build command.
- `--http-probe-off` flag for the build command as a shortcut to disable HTTP probing.
- Flexible target image handling to use non-default tags if the `latest` tag doesn't exist and no explicit tag is provided.
- `change-match-layers-only` xray flag to print only the layers that contain the matches.
- xray enhancement: printing to console by default for pattern or data matches.
- Various xray command bug fixes.
- Ability to combine the `probe` and `exec` `continue-after` modes.
- Various xray command bug fixes
- Console color output (on by default; disable with `no-color`).
- Loading HTTP probe request data from separate files.
- Ability to execute external probe commands (`--http-probe-exec` and `--http-probe-exec-file` flags).
- Ability to preserve original files in the target container, discarding its test runtime data (`--preserve-path` and `--preserve-path-file`).
- Ability to pull container images if they don't exist locally yet (`--pull` and `--show-plogs`).
- File hashing for xray (`--hash-data`).
- Additional flags to control xray command executions (`--top-changes-max`, `--reuse-saved-image`).
- Ability to match by file path, file data and file hash for xray (`--change-path value`, `--change-data value`, `--change-data-hash value`).
- Lots of additional container build flags (`--tag-fat`, `--cbo-add-host`, `--cbo-build-arg`, `--cbo-label`, `--cbo-target`, `--cbo-network`, `--cbo-cache-from`).
- Additional container runtime flags (`--cro-runtime`).
- `SIGINT` should kill the running container (#186).
- Various xray image layer inspection bug fixes
- New `xray` flags to control what layer change data to include in the generated reports (`layer-changes-max`, `all-changes-max`, `add-changes-max`, `modify-changes-max`, `delete-changes-max`).
- `host` network flag handling enhancements.
- Returning non-zero exit codes on failures.
- Additional image checks to catch missing ENTRYPOINT/CMD instructions
- Fixed the container image listing bug that broke the `--target` value suggestions in the interactive prompt mode.
- Ability to interact with the temporary containers using the `--exec` and `--exec-file` flags.
- `npm` support enhancements (makes it possible to use `npm start` in Dockerfiles, which isn't recommended though).
- Various bug fixes.
- Mapping container ports to specific host ports when analyzing an image at runtime (`--publish-port` and `--publish-exposed-ports` flags).
- `seccomp` security profile generation capability updates.
- User namespace handling improvements (thanks to @solarnz).
- Experimental HTTP probe command generation based on the API descriptions from Swagger and OpenAPI specs (`--http-probe-apispec` and `--http-probe-apispec-file` flags).
- Image metadata editing capabilities to add, remove and update the LABEL, VOLUME, EXPOSE, ENV and WORKDIR instructions (`--new-workdir`, `--new-expose`, `--new-label`, `--new-volume`, `--remove-volume`, `--remove-env`, `--remove-label`, `--remove-expose` and `--image-overrides` combined with `--expose`, `--workdir`, `--env`, `--volume`, `--label`).
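Generating probes from an API spec matters for minification because any endpoint the dynamic analysis never hits may lose the files its handler needs. The Python below is an added example written for this page and is not slim's implementation; it walks a constructed OpenAPI 3 document (the `/users` API, its schemas and examples are made up), fills path and required query parameters from the spec's examples, defaults or types, builds JSON bodies from schemas, and keeps mutating methods (POST, PUT, PATCH, DELETE) opt-in so a probe run does not modify state by accident. The probe records it emits are a generic `method`/`path`/`body` shape, not slim's own probe-file schema.

```python
"""Derive HTTP probe requests from an OpenAPI 3 document so dynamic analysis
touches every documented operation (constructed sample spec below)."""
import json
from urllib.parse import urlencode, urlsplit

SAFE_METHODS = {"get", "head", "options"}
METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def resolve(spec: dict, node: dict) -> dict:
    """Follow local `$ref`s (#/components/...) until a concrete object is reached."""
    while "$ref" in node:
        target = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def sample_value(spec: dict, schema: dict, name: str):
    """Deterministic sample from example/default/enum, else a type-based placeholder."""
    schema = resolve(spec, schema)
    for key in ("example", "default"):
        if key in schema:
            return schema[key]
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "string")
    if t == "integer":
        return 1
    if t == "number":
        return 1.0
    if t == "boolean":
        return True
    if t == "array":
        return [sample_value(spec, schema.get("items", {}), name)]
    if t == "object":
        return {k: sample_value(spec, v, k) for k, v in schema.get("properties", {}).items()}
    return f"sample-{name}"


def generate_probes(spec: dict, include_mutating: bool = False) -> list:
    """One probe per operation; mutating methods only when explicitly requested."""
    servers = spec.get("servers") or [{"url": ""}]
    base = urlsplit(servers[0]["url"]).path.rstrip("/")   # host/port are the target's
    probes = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])              # path-level params apply to all ops
        for method in METHODS:
            if method not in item:
                continue
            if method not in SAFE_METHODS and not include_mutating:
                continue
            op = item[method]
            url, query = path, {}
            for p in (resolve(spec, p) for p in shared + op.get("parameters", [])):
                val = sample_value(spec, p.get("schema", {}), p["name"])
                if p["in"] == "path":
                    url = url.replace("{" + p["name"] + "}", str(val))
                elif p["in"] == "query" and p.get("required"):
                    query[p["name"]] = val
            probe = {"method": method.upper(),
                     "path": base + url + ("?" + urlencode(query) if query else "")}
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body_schema = content["application/json"].get("schema", {})
                probe["body"] = json.dumps(sample_value(spec, body_schema, "body"))
                probe["headers"] = {"Content-Type": "application/json"}
            probes.append(probe)
    return probes


# Constructed sample spec; the API, schema and examples are made up for this page.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://localhost:8080/api/v1"}],
    "components": {"schemas": {"User": {"type": "object", "properties": {
        "name": {"type": "string", "example": "alice"}, "admin": {"type": "boolean"}}}}},
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "limit", "in": "query", "required": True,
                                    "schema": {"type": "integer", "default": 20}}]},
            "post": {"requestBody": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer", "example": 42}}],
            "get": {},
            "delete": {},
        },
        "/health": {"get": {}},
    },
}

if __name__ == "__main__":
    for probe in generate_probes(SAMPLE_SPEC, include_mutating=True):
        print(probe)
```

The default (read-only) run is what you want against a shared test database; turn on `include_mutating` only against a disposable instance, because a DELETE probe generated from a spec is as real as any other DELETE.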
- Layer change details available in the `xray` command reports when the `--changes` flag is set.
- System and engine information in the command reports to improve debugging.
- Ability to enable crawling for HTTP probes specified using the `--http-probe-cmd` flag.
- Improved HTTP probe crawler documentation.
- `lint` command (initial Dockerfile linting capabilities with a basic set of checks).
- HTTP probe crawler (automatically probes additional endpoints referenced in the processed targets; see the `--http-probe-crawl` and related flags).
- ARM64 support (need more people to test!)
- `--http-probe-exit-on-failure` flag to exit execution when all HTTP probe calls fail.
- `--include-bin-file` and `--include-exe-file` flags to make it easier to specify multiple binaries and executables, loading them from files.
- `xray` command report enhancements.
- Interactive CLI prompt
- `xray` command output improvements.
- Additional image data saved with the `xray` command reports (`--add-image-manifest` and `--add-image-config` flags).
- New `xray` parameters to control how much to show when printing layer details (`--changes value` and `--layer value`).
- Image history enhancements and more data saved in the xray command reports.
- `xray` command enhancements to show detailed container image information including its layers and their files and directories (initial version).
- The `--exclude-pattern` `build` parameter to filter/exclude artifacts in the optimized container.
- Option to set permissions, user and group information for the artifacts included with the `--include-*` parameters.
- Option to overwrite the permissions and ownership info in the optimized image using the new `--path-perms` and `--path-perms-file` parameters.
- Option to run the containerized application using user and group information from the USER instruction.
- Filter leftover PID files.
- UX enhancements for the containers created using Dockerfiles.
- Additional debugging information.
- Support for special install directories on Linux (to prevent failures when `docker-slim` is trying to save its state).
- Saving the command execution report by default (`slim.report.json`).
- CLI output UX enhancements.
- Docker connect info checks.
- Version check fixes when running in containers.
- Run `docker-slim` in containers.
- New distribution option (`dslim/docker-slim` image available in Docker Hub).
- Archive `docker-slim` state into a separate Docker volume.
- Default to continuing `docker-slim` execution after the HTTP probing step is done when HTTP probing is enabled.
- Improved IPC.
- Improved seccomp and metadata artifact copy option.
- Improved execution report.
- Build minified images from source using the new `--from-dockerfile` build flag (see `README.md` for details).
- Custom HTTP POST probes support request bodies
- Enhanced build command reports with additional container image metadata (using the global `--report` flag).
- Ability to update the minified image Dockerfile instructions (using the `--new-cmd`, `--new-entrypoint`, `--new-expose`, `--new-workdir`, `--new-env` and `--image-overrides` flags).
- Dockerfile volume support
- HTTP probes by default (you will have to disable HTTP probes if you don't need them)
- Various UX enhancements to provide better CLI feedback and to avoid generating minified images that might not work
- TTY bug fix caused by an external dependency (used to track update download progress)
- Experimental ARM32 support
- Easy way to keep a shell in your image (just pass `--include-shell` to the `build` command).
- Easy way to include additional executables (`--include-exe` flag) and binary objects (`--include-bin` flag), which will also include their binary dependencies, so you don't have to explicitly include them all yourself.
- `update` command: now you can update `docker-slim` from `docker-slim`!
- Current version checks to know if the installed release is out of date.
- Improvements to handle complex `--entrypoint` and `--cmd` parameters.
- Better Mac OS X support: when you install `docker-slim` to /usr/local/bin or other special/non-shared directories, docker-slim will detect it and use the /tmp directory to save its artifacts and to mount its sensor.
- HTTP probing enhancements and new flags to control the probing process.
- Better Nginx support
- Support for non-default users
- Improved symlink handling
- Better failure monitoring and reporting
- The `--include-path-file` option to make it easier to load extra files you want to keep in your image.
- CentOS support.
- Enhancements for Ruby applications with extensions.
- Save the docker-slim command results in a JSON file using the `--report` flag.
- Better support for applications with dynamic libraries (e.g., Python compiled with `--enable-shared`).
- Additional network related Docker parameters.
- Extended version information
- Alpine image support
- Ability to override ENV variables analyzing target image
- Docker 1.12 support
- User selected location to store DockerSlim state (global `--state-path` parameter).
- Auto-generated seccomp profiles for Docker 1.10.
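The auto-generated seccomp profiles listed here (and the seccomp generation updates in a later release above) follow one idea: trace the syscalls the workload actually makes while it is exercised, then emit a default-deny allowlist. The Python below is an added example written for this page, not slim's generator: it parses strace-style lines (a constructed trace of a small HTTP server, not captured output), merges in a baseline of syscalls the runtime needs before the workload's own code runs (an illustrative set assumed here, not taken from any project), emits a profile in Docker's seccomp JSON shape, and adds two checks a practitioner wants before shipping such a profile: which required syscalls the profile would deny, and whether the trace contains syscalls that Docker's default profile does not allow without extra capabilities, which deserve a human look rather than automatic allowlisting.

```python
"""Build a Docker seccomp allowlist from syscalls observed while exercising a container."""
import json

# Calls a container runtime issues to start the workload; a profile generated only from
# the application's own trace would otherwise fail at exec time (illustrative baseline).
RUNTIME_BASELINE = {"execve", "brk", "arch_prctl", "mmap", "mprotect", "munmap", "access",
                    "openat", "read", "close", "fstat", "exit_group", "set_tid_address",
                    "set_robust_list", "prlimit64", "rseq", "futex", "getrandom"}

# Syscalls Docker's default profile does not allow without additional capabilities.
# Seeing them in a trace is a reason to review the workload, not to allowlist blindly.
SENSITIVE = {"mount", "umount2", "ptrace", "keyctl", "add_key", "kexec_load", "init_module",
             "finit_module", "bpf", "unshare", "setns", "reboot", "swapon"}


def parse_trace(lines) -> set:
    """Extract syscall names from strace-style lines such as '[pid 12] read(3, ...) = 4'."""
    names = set()
    for line in lines:
        line = line.strip()
        if line.startswith("[pid"):
            line = line.split("]", 1)[1].strip()          # drop the "[pid N]" prefix
        if not line or line.startswith(("+++", "---")):   # exit and signal markers
            continue
        name = line.split("(", 1)[0]
        if name.isidentifier():
            names.add(name)
    return names


def build_profile(observed: set, arch: str = "SCMP_ARCH_X86_64") -> dict:
    """Default-deny profile allowing only observed syscalls plus the runtime baseline."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": 1,                              # EPERM for anything not listed
        "architectures": [arch],
        "syscalls": [{"names": sorted(observed | RUNTIME_BASELINE), "action": "SCMP_ACT_ALLOW"}],
    }


def missing_for(profile: dict, required) -> list:
    """Pre-flight check: syscalls a workload needs that this profile would deny."""
    allowed = {n for rule in profile["syscalls"]
               if rule["action"] == "SCMP_ACT_ALLOW" for n in rule["names"]}
    return sorted(set(required) - allowed)


def flag_sensitive(observed: set) -> list:
    """Observed syscalls that need review before they are written into an allowlist."""
    return sorted(observed & SENSITIVE)


# Constructed strace-style sample of a minimal HTTP server (not a real capture).
SAMPLE_TRACE = [
    'execve("/app/server", ["/app/server"], 0x7ffd00000000) = 0',
    "[pid  1] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP) = 3",
    "[pid  1] bind(3, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0",
    "[pid  1] listen(3, 128) = 0",
    "[pid  1] epoll_create1(EPOLL_CLOEXEC) = 5",
    "[pid  1] epoll_ctl(5, EPOLL_CTL_ADD, 3, {EPOLLIN}) = 0",
    "[pid  1] epoll_wait(5, [{EPOLLIN, {u32=3}}], 64, -1) = 1",
    "[pid  1] accept4(3, NULL, NULL, SOCK_CLOEXEC) = 4",
    '[pid  1] read(4, "GET / HTTP/1.1\\r\\n", 4096) = 16',
    '[pid  1] write(4, "HTTP/1.0 200 OK\\r\\n", 17) = 17',
    "--- SIGTERM {si_signo=SIGTERM, si_code=SI_USER} ---",
    "+++ exited with 0 +++",
]

if __name__ == "__main__":
    observed = parse_trace(SAMPLE_TRACE)
    profile = build_profile(observed)
    print(json.dumps(profile, indent=2))
    print("review:", flag_sensitive(observed) or "nothing sensitive observed")
```

Apply the result with `docker run --security-opt seccomp=profile.json ...` and re-run the same probes: anything the trace missed (signal handlers, shutdown paths, rarely used features) shows up as EPERM, which is why the profile should be generated from a run that covers those paths, not just the happy path.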
- Python 3 support
- Docker connect options
- HTTP probe commands
- Include extra directories and files in minified images