We are excited to announce enhanced capabilities in the Slim CLI to more finely control the hardening process when producing a “slimmed” image.
Previously, as part of the hardening process, the Slim CLI would strictly produce a hardened container by removing any components that were not observed as running during the testing or exercising stage of an “instrumented” container.
While this is effective in producing a maximum reduction in container size and attackable surface, it runs the risk of potentially breaking functionality in the underlying container unless a robust testing suite is in place to exercise the container.
The CLI can now take several prescribed parameters from the user in advance of producing the instrumented container. This puts more control in the hands of developers and DevSecOps teams when hardening their containers, and can reduce the chance of breakage.
For teams using the Slim process to harden their containers in CI/CD this means faster time to a lower CVE count, reduced attackable surface and a higher overall confidence in the final result.
Suppose you want to focus the scope of your software supply chain security improvements on just the packages shipped as part of the base OS layers. You know from inspecting your container that it has five layers. You can instruct Slim (via the Slim CLI) to scan the entire image but only harden specific layers, in this case the first two layers of the image. The flag below counts the trailing layers to leave untouched, so with five layers a value of 3 hardens only the first two. From a command line, invoke:
slim instrument --include-last-image-layers 3 myorg/myimg:latest
Slim now offers the ability to use the Slim CLI to scan any container in any connected registry directly from a command line or a Slim-enhanced pipeline, without using the web portal. To have the Slim CLI write your vulnerability scanning output to a JSON file in the current path, run the following command (replacing value with the report file name you want):
slim vscan scan -report-file value myorg/myimg:latest
Note: there are several additional commands that are exposed to enable scan comparison. For more details, run this command:
slim vscan scan --help
When invoking the Slim CLI to harden an image, we now provide more descriptive output and error handling. It tells users when the platform has received no container behavior reports for the instrumented container they are working with:
[instrument] looking for instrumented workflow
[instrument] start hardening using all the already finished runs
There is not enough instrumentation data to harden the image. This could be because the instrumented run (docker run / kubectl apply) failed, was not terminated gracefully, or simply could not upload data. If you have instrumented run data available, you can attempt to upload it. Otherwise, please retry your instrumented run and then try to harden again.
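The layer-selection and error-output behaviour described above, as an added example of how a CI step could drive it (this is not Slim's own tooling; it assumes docker and the slim CLI are on PATH when run for real, and the image name is the one from the page):

```shell
# Added example, not part of the Slim CLI. The helpers are pure shell so the
# arithmetic and the output gate can be checked without docker or slim.

is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Given the total number of image layers and how many leading (base OS)
# layers to harden, print the value for --include-last-image-layers, i.e. the
# trailing layers that are left untouched. Page example: 5 layers, harden 2 -> 3.
keep_last_layers() {
  total=$1; harden=$2
  if ! is_uint "$total" || ! is_uint "$harden"; then
    echo "layer counts must be non-negative integers" >&2; return 1
  fi
  if [ "$harden" -lt 1 ] || [ "$harden" -ge "$total" ]; then
    echo "harden count must be between 1 and $((total - 1))" >&2; return 1
  fi
  echo $((total - harden))
}

# Build the instrument command for an image with $2 layers, hardening the first $3.
instrument_cmd() {
  keep=$(keep_last_layers "$2" "$3") || return 1
  echo "slim instrument --include-last-image-layers $keep $1"
}

# Count the layers of a local image (docker assumed present; not run in tests).
image_layer_count() {
  docker image inspect --format '{{len .RootFS.Layers}}' "$1"
}

# Return 1 if captured slim output carries the "not enough instrumentation data"
# message, so the pipeline stops instead of shipping an image that was never
# actually hardened.
instrument_output_ok() {
  case "$1" in
    *"not enough instrumentation data"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Typical CI use (kept as comments so the helpers stay side-effect free):
#   total=$(image_layer_count myorg/myimg:latest)
#   $(instrument_cmd myorg/myimg:latest "$total" 2) 2>&1 | tee instrument.log
#   instrument_output_ok "$(cat instrument.log)" || exit 1
```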
Update your Slim CLI version to at least v0.0.17. You can update your CLI to the latest version using the command:
curl https://platform.slim.dev/.service/releases/slim/latest | sh
Additional Documentation & Resources
We can’t wait to hear your feedback on this new functionality. Please do not hesitate to contact us in our Slack channel or send your feedback to me via email@example.com.