CLI Enhancements for Automated Container Hardening

Thomas Wood

We are excited to announce enhanced capabilities in the Slim CLI to more finely control the hardening process when producing a “slimmed” image.

Previously, as part of the hardening process, the Slim CLI would strictly produce a hardened container by removing any components that were not observed as running during the testing or exercising stage of an “instrumented” container. 

While this is effective in producing a maximum reduction in container size and attackable surface, it runs the risk of potentially breaking functionality in the underlying container unless a robust testing suite is in place to exercise the container.

The CLI can now take several prescribed parameters from the user in advance of producing the instrumented container. This puts more control in the hands of developers and DevSecOps teams when hardening their containers, and can reduce the chance of breakage. 

For teams using the Slim process to harden their containers in CI/CD, this means faster time to a lower CVE count, reduced attackable surface and higher overall confidence in the final result.

What’s new?

  • Selective hardening by layer
  • Vulnerability scanning from CLI with local output
  • Improved error handling

Selective Hardening by Layer

Suppose you want to focus the scope of your software supply chain security improvements on just the packages shipped as part of the base OS layers. You know from inspecting your container that it has five layers. You can instruct Slim (via Slim CLI) to scan the entire image but only harden specific layers, in this case the first two layers of the image. To instruct Slim to apply hardening to only the first two layers of the container, invoke the following from a command line:

slim instrument --include-last-image-layers 3 myorg/myimg:latest

Read more from our Slim CLI docs

Local Vulnerability Scans

Slim now offers the ability to use the Slim CLI to scan any container in any connected registry directly from a command line or Slim-enhanced pipeline without use of the web portal. To have the Slim CLI write your vulnerability scanning output to a JSON file in the current path, run the command:

slim vscan scan -report-file value myorg/myimg:latest  

Note: there are several additional commands that are exposed to enable scan comparison. For more details, run this command:

slim vscan scan --help

Improved Error Handling

When invoking the Slim CLI to harden an image, we now provide more descriptive output and error handling to inform users when no container behavior reports have been received by the platform for the instrumented container with which they are working.

[instrument] looking for instrumented workflow
[instrument] start hardening using all the already finished runs

There is not enough instrumentation data to harden the image.

This could be because the instrumented run (docker run / kubectl apply)failed, was not terminated gracefully, or simply could not upload data.

If you have instrumented run data available, you can attempt to upload it. Otherwise, please retry your instrumented run and then try to harden again.
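
A pipeline can fail closed on this message so that an unhardened image is never promoted by mistake. The following is an added example, not Slim's own code: it assumes the CLI output has been captured to a file, matches only the error text shown above, and uses hypothetical function names; it makes no assumption about the CLI's exit codes.

```shell
#!/bin/sh
# Added example: fail-closed CI gate over captured Slim CLI output.
# The marker is the error text quoted on this page; the function names and
# the idea of capturing output to a log file are assumptions of this example.
NO_DATA_MARKER='There is not enough instrumentation data to harden the image.'

# Print a one-word verdict for a captured log file.
classify_harden_log() {
    log="$1"
    if [ ! -s "$log" ]; then
        echo "no-output"            # missing or empty capture: treat as failure
    elif grep -qF -- "$NO_DATA_MARKER" "$log"; then
        echo "insufficient-data"    # no behavior reports reached the platform
    else
        echo "no-error-seen"        # the known failure message is absent
    fi
}

# Return 0 only when the log shows no known failure; otherwise explain and fail.
gate_harden_log() {
    verdict=$(classify_harden_log "$1")
    case "$verdict" in
        no-error-seen)
            return 0 ;;
        insufficient-data)
            echo "image was not hardened: retry the instrumented run and let it terminate gracefully" >&2
            return 1 ;;
        *)
            echo "no CLI output captured: refusing to promote the image" >&2
            return 1 ;;
    esac
}

# Demo on a constructed capture that reuses the output lines shown above.
demo_log=$(mktemp)
printf '%s\n' \
    '[instrument] looking for instrumented workflow' \
    '[instrument] start hardening using all the already finished runs' \
    "$NO_DATA_MARKER" > "$demo_log"
echo "verdict: $(classify_harden_log "$demo_log")"
rm -f "$demo_log"
```

An empty or missing capture is treated as a failure on purpose, since a step that produced no output gives no evidence that hardening ran.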

How do I get access to the new features?

Update your Slim CLI version to at least v0.0.17. You can update your CLI to the latest version using the command:

curl | sh.

Alternatively, you may access the download link within your SlimAI Portal, in the top right corner after logging in as seen below, or directly from

Additional Documentation & Resources

We can’t wait to hear your feedback on this new functionality. Please do not hesitate to contact us in our Slack channel or send your feedback to me via
