CLI Enhancements for Automated Container Hardening

Thomas Wood

We are excited to announce enhanced capabilities in the Slim CLI to more finely control the hardening process when producing a “slimmed” image.

Previously, as part of the hardening process, the Slim CLI would strictly produce a hardened container by removing any components that were not observed as running during the testing or exercising stage of an “instrumented” container. 

While this is effective in producing a maximum reduction in container size and attackable surface, it risks breaking functionality in the underlying container unless a robust testing suite is in place to exercise the container.

The CLI can now take several prescribed parameters from the user in advance of producing the instrumented container. This puts more control in the hands of developers and DevSecOps teams when hardening their containers, and can reduce the chance of breakage. 

For teams using the Slim process to harden their containers in CI/CD, this means faster time to a lower CVE count, reduced attackable surface, and higher overall confidence in the final result.

What’s new?

  • Selective hardening by layer
  • Vulnerability scanning from CLI with local output
  • Improved error handling

Selective Hardening by Layer

Suppose you want to focus the scope of your software supply chain security improvements on just the packages shipped as part of the base OS layers. You know from inspecting your container that it has five layers. You can instruct Slim (via the Slim CLI) to scan the entire image but only harden specific layers, in this case the first two layers of the image. To do so, invoke the following from a command line:

slim instrument --include-last-image-layers 3 myorg/myimg:latest

Read more from our Slim CLI docs


Local Vulnerability Scans

Slim now offers the ability to use the Slim CLI to scan any container in any connected registry directly from a command line or Slim-enhanced pipeline without use of the web portal. To have the Slim CLI write your vulnerability scanning output to a JSON file in the current path, run the command:

slim vscan scan -report-file value myorg/myimg:latest  

Note: there are several additional commands that are exposed to enable scan comparison. For more details, run this command:

slim vscan scan --help

Improved Error Handling

When invoking the Slim CLI to harden an image, we now provide more descriptive output and error handling to inform users when no container behavior reports have been received by the platform for the instrumented container with which they are working.

[instrument] looking for instrumented workflow
[instrument] start hardening using all the already finished runs

There is not enough instrumentation data to harden the image.

This could be because the instrumented run (docker run / kubectl apply)failed, was not terminated gracefully, or simply could not upload data.

If you have instrumented run data available, you can attempt to upload it. Otherwise, please retry your instrumented run and then try to harden again.

How do I get access to the new features?


Update your Slim CLI version to at least v0.0.17. You can update your CLI to the latest version using the command:

curl https://platform.slim.dev/.service/releases/slim/latest | sh

Alternatively, you can use the download link within your SlimAI Portal, in the top right corner after logging in, or download directly from https://portal.slim.dev/cli.


Additional Documentation & Resources

We can’t wait to hear your feedback on this new functionality. Please do not hesitate to contact us in our Slack channel or send your feedback to me via [email protected].

Embarking on a New Journey

Farewell, Slim — Transitioning to a new and larger mission!

We're excited to share some big news from Slim.AI. We're taking a bold new direction, focusing all our energy on software supply chain security, now under our new name root.io. To meet this opportunity head-on, we’re building a solution focused on transparency, trust, and collaboration between software producers and consumers.

When we started Slim.AI, our goal was to help developers make secure containers. But as we dug deeper with our early adopters and key customers, we realized a bigger challenge exists within software supply chain security — namely, fostering collaboration and transparency between software producers and consumers. The positive feedback and strong demand we've seen from our early customers made it crystal clear: This is where we need to focus.

This new opportunity demands a company and brand that meet the moment. To that end, we’re momentarily stepping back into stealth mode, only to emerge with a vibrant new identity, and a groundbreaking product very soon at root.io. Over the next few months, we'll be laser-focused on working with design partners and building up the product, making sure we're right on the mark with what our customers need.

Stay informed and up-to-date with our latest developments at root.io. Discover the details about the end of life for Slim services, effective March 31, 2024, by clicking here.
