On the Slim platform, you can get detailed analysis of both public and private container images using our suite of container development tools.
Before diving deep into your container internals, you'll find a profile screen that lists basic metadata about the repository, the available versions of that container image (i.e., latest and stable), and any documentation found in the image repo.
The available versions screen provides you with information and options for each tag in an image repository. As a reminder, an image tag is synonymous with a "version tag" and notes, most commonly, an updated or alternate version of the image.
View Version - This option scans the image and brings you to the Version Detail page. Generally, clicking anywhere on the row/card will bring you to this view.
Compare Versions - This option allows you to choose two versions of the same image and compare them using our Diff feature. If available, you may find the Alpine Linux version or any maintainer-supported “slim” versions that have already been optimized by the maintainers. These images may be more appropriate to your use case, but keep in mind that starting with a bare-bones image may cause headaches later in development.
Choosing to view a version of the image will run the Slim scanning tools on that image. This process may take a short time as we build and assess the container image. Results from the scan are found in the overview, vulnerabilities tab, packages, file explorer, and the Dockerfile.
In the Overview section, you find more advanced metadata about the image—including when it was last updated, which user it runs as, and what the Base OS is—along with variables and configurations that represent the image's attack surface.
Here, you can find the metadata relating to the image, including pull commands, OS version, recent updates, entry points, executables, and image size. At the top left corner, you have access to the same features that were available at the image level: comparing versions, viewing versions, copying the image into your container registry (if it isn't already there), and hardening the container image.
Shells - A common pain point in container development is knowing which shell (or shells) are available in your container. This section lists available shells along with their versions and paths for easy interaction. You can also click the Diff icon to diff the currently viewed version with the version listed in that row.
Files with Special Permissions - Nefarious attacks often exploit file permissions to gain access to container files or processes. This section shows which files are granted special permissions and may present security concerns.
Certs - This information shows whether a container has any security certs installed and where those keys live.
Environmental Variables - A common mistake among newer container devs is to store sensitive information in a container's environment variables. Knowing what environmental defaults are set in variables is also useful in debugging.
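The special-permissions check described above can be reproduced offline against a tar archive of an image filesystem. This is an added example, not Slim's scanner; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import stat
import tarfile

# Special mode bits worth reviewing in an image filesystem.
SPECIAL_BITS = {stat.S_ISUID: "setuid", stat.S_ISGID: "setgid", stat.S_ISVTX: "sticky"}


def special_permission_files(archive):
    """Return sorted (path, octal mode, flags) for entries carrying special bits."""
    findings = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() or member.isdir()):
                continue  # only regular files and directories are reported
            flags = [label for bit, label in SPECIAL_BITS.items() if member.mode & bit]
            if member.isdir():
                # A sticky directory such as /tmp is expected, so do not report it.
                flags = [f for f in flags if f != "sticky"]
            if flags:
                findings.append((member.name, oct(member.mode & 0o7777), flags))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample: four entries standing in for an image filesystem."""
    entries = [("usr/bin/passwd", 0o4755, False), ("usr/bin/wall", 0o2755, False),
               ("usr/bin/ls", 0o0755, False), ("tmp", 0o1777, True)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if is_dir:
                info.type = tarfile.DIRTYPE
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, mode, flags in special_permission_files(build_sample_archive()):
        print(f"{mode}  {','.join(flags):<8} {path}")
```

Any setuid or setgid binary the application does not need is a candidate for removal or for clearing the bit in the image build.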
In the case that there are no critical or high vulnerabilities in a container image, which can sometimes happen after the hardening process, the overview will display that the image is in good condition in the Vulnerability history chart.
In the Packages view, you can view the packages in your image and identify where each package's files are located, which package manager it belongs to, and its version. This enables you to quickly see what software is contained in the container and ensures that you are not shipping anything unexpected to production.
In this view, you can download the package list in the CycloneDX format. CycloneDX is a Software Bill of Materials (SBOM) format for software supply chain security and can be important for compliance. This generates “an accurate inventory of all components [that] enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.”
Expect additional format types to be made available for download in future platform feature releases.
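A downloaded SBOM can be checked automatically for components you did not expect to ship. The following is an added example, not part of the Slim platform; it assumes the download is the JSON encoding of CycloneDX, and the sample document and allowlist are constructed.

```python
import json
from collections import defaultdict

# Constructed sample SBOM (CycloneDX JSON); names and versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8-r0",
         "purl": "pkg:apk/alpine/openssl@3.0.8-r0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "components": [{"type": "library", "name": "urllib3", "version": "2.0.4",
                         "purl": "pkg:pypi/urllib3@2.0.4"}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "file", "name": "vendored-blob", "version": "0.1"},
    ],
})

def purl_type(purl):
    """'pkg:apk/alpine/openssl@3.0.8-r0' -> 'apk'; missing or malformed -> 'unknown'."""
    if not purl or not purl.startswith("pkg:"):
        return "unknown"
    return purl[4:].split("/", 1)[0].lower() or "unknown"

def walk(components):
    """Yield every component, including nested ones."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def inventory(sbom_text):
    """Group (name, version) pairs by the package ecosystem named in each purl."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    grouped = defaultdict(list)
    for comp in walk(bom.get("components")):
        grouped[purl_type(comp.get("purl"))].append((comp["name"], comp.get("version", "")))
    return {eco: sorted(pkgs) for eco, pkgs in grouped.items()}

def unexpected(inv, allowed):
    """Components whose ecosystem is not on the allowlist for this image."""
    return sorted((eco, n, v) for eco, pkgs in inv.items() if eco not in allowed
                  for n, v in pkgs)

if __name__ == "__main__":
    print(unexpected(inventory(SAMPLE_SBOM), {"apk", "pypi"}))
```

Components without a package URL land in the `unknown` group, which is where files copied into the image outside any package manager tend to show up.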
In the Explorer tab, you can see the order in which files are created when building a container from the image. Expanding one of the layer nodes gives you a view of the files generated during the build of that image. Files can be filtered by Layer or Type.
Knowing which files are created in each layer gives you a basic understanding of how efficiently the image is built. Efficient containers will usually have their operating systems and core libraries installed in the early stages, with application code, which is more likely to change, coming in later stages.
Layers are listed in pills across the top of the tab, allowing you to quickly see large image layers and the order in which files and instructions are created in the image.
The Instruction panel provides a view of the container build process that shows which instructions in the Dockerfile created which layers and files. This is useful for understanding which commands created which layers when debugging a Dockerfile.
The panel also contains the container startup files (often entrypoints or commands for the container) that indicate what executes when the container is started. These are useful for knowing how to interact with the container.
Clicking a file will open metadata about that file. For text files, you can also click the File Contents tab to see the plain text contents of any file in your container.
For more on Layers, Files, and Instructions, check out this YouTube video below on the SlimToolkit x-ray feature.
The Slim Developer Platform will provide you with a generated Dockerfile. This generated Dockerfile is provided for context only. In most cases, it cannot be used to create a valid profile image. It can, however, help you better understand how the image is constructed by showing various INSTRUCTIONS that determine how layers are created.