Unable to scan a slimmed image for bom and security issues
I'm building a minified ubuntu:20.04 based image with a few applications. I have to specify the applications to keep manually using several include statements as shown below.
```shell
# Restore dependencies listed below via the --include-* flags
docker run -it --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v ${DOC_BUILD_ROOT}/docker-slim-state:/bin/.docker-slim-state \
  dslim/docker-slim build \
  --http-probe=false \
  --continue-after 1 \
  --tag=${IMAGE}.slim:${VERSION} \
  --include-shell \
  --include-path=/etc \
  --include-bin=/bin/sh \
  --include-bin=/bin/sleep \
  --include-bin=/sbin/ip \
  --include-bin=/usr/bin/python3 \
  --include-path=/usr/bin/supervisorctl \
  --include-bin=/usr/sbin/tcpdump \
  --include-path=/lib/libgcc_s.so.1 \
  --include-path=/lib/x86_64-linux-gnu/libgcc_s.so.1 \
  --include-path=/usr/lib/python3 \
  --include-path=/usr/lib/python3.8 \
  --include-path=/usr/local/lib/python3.8 \
  --include-path=/opt/ \
  --include-path=/var/log \
  ${IMAGE}:${VERSION}
```
Minifying an image appears to break scanning tools such as 'docker scan' and 'docker sbom'. These scanning tools are unable to properly scan/inventory my 'slim' image. Is there a way to specify a list of dpkg (dpkgdb) packages to keep, or some other way of preserving dpkgdb for the packages I want to keep?
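One way to carry over dpkg metadata for just the kept packages, as an added example that is not from the issue author or the docker-slim project: it reads the unslimmed image's dpkg status and per-package file lists, finds which packages own the included paths (plus their Depends closure, since the shared libraries pulled in for an included binary belong to those packages), and writes a status file holding only those stanzas. Assumptions: the status and file-list contents are constructed samples with placeholder versions, and the generated file is copied into the slimmed image in a later step (for instance a Dockerfile COPY to /var/lib/dpkg/status) rather than by docker-slim itself.

```python
import re

# Constructed stand-ins for /var/lib/dpkg/status and /var/lib/dpkg/info/<pkg>.list from
# the UNSLIMMED image; stanzas are abbreviated and versions are placeholders, not real.
STATUS = """Package: libc6
Version: 0.0-placeholder

Package: tcpdump
Version: 0.0-placeholder
Depends: libc6 (>= 0.0)

Package: vim
Version: 0.0-placeholder
Depends: libc6 (>= 0.0)
"""
FILE_LISTS = {
    "libc6": ["/lib/x86_64-linux-gnu/libc.so.6"],
    "tcpdump": ["/usr/sbin/tcpdump"],
    "vim": ["/usr/bin/vim"],
}
KEPT_PATHS = ["/usr/sbin/tcpdump", "/usr/lib/python3.8"]  # mirrors the --include-* flags

def parse_status(text):
    """Split a dpkg status file into {package: stanza}; stanzas are blank-line separated."""
    stanzas = re.split(r"\n\s*\n", text.strip())
    return {m.group(1): s for s in stanzas if (m := re.match(r"Package:\s*(\S+)", s))}

def owners_of(kept_paths, file_lists):
    """Packages owning a kept file; a kept directory covers everything beneath it."""
    prefixes = tuple(p.rstrip("/") + "/" for p in kept_paths)
    return {pkg for pkg, files in file_lists.items()
            if any(f in kept_paths or f.startswith(prefixes) for f in files)}

def with_dependencies(pkgs, stanzas):
    """Close the set under Depends:, ignoring version constraints and '|' alternatives."""
    todo, done = set(pkgs), set()
    while todo:
        pkg = todo.pop(); done.add(pkg)
        m = re.search(r"^Depends:\s*(.+)$", stanzas.get(pkg, ""), re.M)
        names = [re.split(r"[\s(|]", d.strip())[0] for d in (m.group(1).split(",") if m else [])]
        todo.update(n for n in names if n in stanzas and n not in done)
    return done

def filtered_status(status_text, kept_paths, file_lists):
    """A status file listing only the kept packages, to copy into the slimmed image."""
    stanzas = parse_status(status_text)
    keep = with_dependencies(owners_of(kept_paths, file_lists), stanzas)
    return "\n\n".join(stanzas[p] for p in sorted(keep)) + "\n"
```

Scanners that read /var/lib/dpkg/status will then inventory exactly the packages left in the image instead of nothing at all, so findings against removed packages (vim here) disappear from the report.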
It breaks these scanners as it removes the dpkgdb, and there is also no way for you to keep it with only these packages.
Some scanners do better than others, but it's a common problem with scanners. DockerSlim ends up exposing their primitive and hacky design :-) Instead of trying to make the broken scanners work DockerSlim will produce its own component metadata.