Skip to content

GitHub Action to minify container image by up to 30x (and for compiled languages even more) making it secure too!

License

Notifications You must be signed in to change notification settings

kitabisa/docker-slim-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

21 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Docker Slim GitHub Action tests

This GitHub Action helps you to minify your container image, making it smaller and more secure. With this Action, you can reduce the size of your container image by up to 30x (and even more for compiled languages) without compromising its functionality.

What does this Action do?

This GitHub Action uses slimtoolkit/slim to minimize your container image. slim is an open-source tool that removes unnecessary files and libraries from your image, resulting in a smaller and more secure container.

Slim uses static and dynamic analysis techniques to identify the components of your image that are not needed at runtime. It also removes debug symbols, unused files, and libraries that are not required by your application, reducing the size of your image.

See their README for more information about how Slim works.

Setup

To use this GitHub Action, you will need to have the docker/login-action or docker/build-push-action set up in your workflow as well. These actions will allow you to execute Docker commands needed for this action to run successfully.

Usage

Example

Create a workflow file in your repository and add these steps to your job:

      # Build the Docker image first
      - uses: docker/build-push-action@v4
        with:
          push: false
          tags: ${{ github.repository }}:latest

      # Slim it!
      - uses: kitabisa/docker-slim-action@v1
        env:
          DSLIM_HTTP_PROBE: false
        with:
          target: ${{ github.repository }}:latest
          tag: "slim"

      # Push to the registry
      - run: docker image push "${{ github.repository }}" --all-tags

In this example, it will minify ${{ github.repository }}:latest as target and will create a slimmed version of the target image with the slim tag from the input (${{ github.repository }}:slim) then push the images to the registry.

Inputs

The following input actions are supported:

Name Description Required? Type Default
overwrite Overwrite target container image with slimmed version (only if target is not ID) πŸ”΄ boolean false
tag Specify a tag for slimmed target container image 🟒 string slim
target Target container image (name or ID) 🟒 string
version Define Slim version πŸ”΄ string

Caution

Enabling the overwrite option will result in the replacement of the target image (original) with its slimmed version, regardless of the tag input.

You can also control the behavior of the Slim build command by setting the following environment variables:
Environment Description
DSLIM_PULL Try pulling target if it's not available locally (default: false)
DSLIM_DOCKER_CONFIG_PATH Docker config path (used to fetch registry credentials)
DSLIM_REGISTRY_ACCOUNT Target registry account used when pulling images from private registries
DSLIM_REGISTRY_SECRET Target registry secret used when pulling images from private registries
DSLIM_PLOG Show image pull logs (default: false)
DSLIM_COMPOSE_FILE Load container info from selected compose file(s)
DSLIM_TARGET_COMPOSE_SVC Target service from compose file
DSLIM_TARGET_COMPOSE_SVC_IMAGE Override the container image name and/or tag when targetting a compose service using the target-compose-svc parameter (format: tag_name or image_name:tag_name)
DSLIM_COMPOSE_SVC_START_WAIT Number of seconds to wait before starting each compose service (default: 0)
DSLIM_COMPOSE_SVC_NO_PORTS Do not publish ports for target service from compose file (default: false)
DSLIM_DEP_INCLUDE_COMPOSE_SVC_ALL Do not start any compose services as target dependencies (default: false)
DSLIM_DEP_INCLUDE_COMPOSE_SVC Include specific compose service as a target dependency (only selected services will be started)
DSLIM_DEP_EXCLUDE_COMPOSE_SVC Exclude specific service from the compose services that will be started as target dependencies
DSLIM_DEP_INCLUDE_COMPOSE_SVC_DEPS Include all dependencies for the selected compose service (excluding the service itself) as target dependencies
DSLIM_DEP_INCLUDE_TARGET_COMPOSE_SVC_DEPS Include all dependencies for the target compose service (excluding the service itself) as target dependencies (default: false)
DSLIM_COMPOSE_NET Attach target to the selected compose network(s) otherwise all networks will be attached
DSLIM_COMPOSE_ENV_NOHOST Don't include the env vars from the host to compose (default: false)
DSLIM_COMPOSE_ENV_FILE Load compose env vars from file (host env vars override the values loaded from this file)
DSLIM_COMPOSE_PROJECT_NAME Use custom project name for compose
DSLIM_COMPOSE_WORKDIR Set custom work directory for compose
DSLIM_CONTAINER_PROBE_COMPOSE_SVC Container test/probe service from compose file
DSLIM_HOST_EXEC Host commands to execute (aka host commands probes)
DSLIM_HOST_EXEC_FILE Host commands to execute loaded from file (aka host commands probes)
DSLIM_TARGET_KUBE_WORKLOAD [Experimental] Target Kubernetes workload from the manifests (if is provided) or in the default kubeconfig cluster (format: /, e.g., deployments/foobar)
DSLIM_TARGET_KUBE_WORKLOAD_NAMESPACE [Experimental] Target Kubernetes workload namespace (if not set, the value from the manifest is used if provided, otherwise - "default")
DSLIM_TARGET_KUBE_WORKLOAD_CONTAINER [Experimental] Target container in the Kubernetes workload's pod template spec
DSLIM_TARGET_KUBE_WORKLOAD_IMAGE [Experimental] Override the container image name and/or tag when targetting a Kubernetes workload (format: tag_name or image_name:tag_name)
DSLIM_KUBE_MANIFEST_FILE [Experimental] Kubernetes manifest(s) to apply before run
DSLIM_KUBE_KUBECONFIG_FILE, $KUBECONFIG [Experimental] Path to the kubeconfig file (default: "/home/dw1/.kube/config")
DSLIM_PUBLISH_PORT Map container port to host port (format => port
DSLIM_PUBLISH_EXPOSED Map all exposed ports to the same host ports (default: false)
DSLIM_RUN_TAS_USER Run target app as USER (default: true)
DSLIM_SHOW_CLOGS Show container logs (default: false)
DSLIM_SHOW_BLOGS Show image build logs (default: false)
DSLIM_CP_META_ARTIFACTS copy metadata artifacts to the selected location when command is done
DSLIM_RM_FILE_ARTIFACTS remove file artifacts when command is done (default: false)
DSLIM_RC_EXE A shell script snippet to run via Docker exec
DSLIM_RC_EXE_FILE A shell script file to run via Docker exec
DSLIM_TARGET_TAG Custom tags for the generated image
DSLIM_TARGET_OVERRIDES Save runtime overrides in generated image (values is 'all' or a comma delimited list of override types: 'entrypoint', 'cmd', 'workdir', 'env', 'expose', 'volume', 'label')
DSLIM_CRO_RUNTIME Runtime to use with the created containers
DSLIM_CRO_HOST_CONFIG_FILE Base Docker host configuration file (JSON format) to use when running the container
DSLIM_CRO_SYSCTL Set namespaced kernel parameters in the created container
DSLIM_CRO_SHM_SIZE Shared memory size for /dev/shm in the created container (default: -1)
DSLIM_RC_USER Override USER analyzing image at runtime
DSLIM_RC_ENTRYPOINT Override ENTRYPOINT analyzing image at runtime. To persist ENTRYPOINT changes in the output image, pass the --image-overrides=entrypoint or --image-overrides=all flag as well.
DSLIM_RC_CMD Override CMD analyzing image at runtime. To persist CMD changes in the output image, pass the --image-overrides=cmd or --image-overrides=all flag as well.
DSLIM_RC_WORKDIR Override WORKDIR analyzing image at runtime. To persist WORKDIR changes in the output image, pass the --image-overrides=workdir or --image-overrides=all flag as well.
DSLIM_RC_ENV Override or add ENV only during runtime. To persist ENV additions or changes in the output image, pass the --image-overrides=env or --image-overrides=all flag as well.
DSLIM_RC_LABEL Override or add LABEL analyzing image at runtime. To persist LABEL additions or changes in the output image, pass the --image-overrides=label or --image-overrides=all flag as well.
DSLIM_RC_VOLUME Add VOLUME analyzing image at runtime. To persist VOLUME additions in the output image, pass the --image-overrides=volume or --image-overrides=all flag as well.
DSLIM_RC_LINK Add link to another container analyzing image at runtime
DSLIM_RC_ETC_HOSTS_MAP Add a host to IP mapping to /etc/hosts analyzing image at runtime
DSLIM_RC_DNS Add a dns server analyzing image at runtime
DSLIM_RC_DNS_SEARCH Add a dns search domain for unqualified hostnames analyzing image at runtime
DSLIM_RC_NET Override default container network settings analyzing image at runtime
DSLIM_RC_HOSTNAME Override default container hostname analyzing image at runtime
DSLIM_RC_EXPOSE Use additional EXPOSE instructions analyzing image at runtime. To persist EXPOSE additions in the output image, pass the --image-overrides=expose or --image-overrides=all flag as well.
DSLIM_MOUNT Mount volume analyzing image
DSLIM_IMAGE_BUILD_ENG Select image build engine: internal
DSLIM_IMAGE_BUILD_ARCH Select output image build architecture
DSLIM_BUILD_DOCKERFILE The source Dockerfile name to build the fat image before it's optimized
DSLIM_BUILD_DOCKERFILE_CTX The build context directory when building source Dockerfile
DSLIM_TARGET_TAG_FAT Custom tag for the fat image built from Dockerfile
DSLIM_CBO_ADD_HOST Add an extra host-to-IP mapping in /etc/hosts to use when building an image
DSLIM_CBO_BUILD_ARG Add a build-time variable
DSLIM_CBO_CACHE_FROM Add an image to the build cache
DSLIM_CBO_LABEL Add a label when building from Dockerfiles
DSLIM_CBO_TARGET Target stage to build for multi-stage Dockerfiles
DSLIM_CBO_NETWORK Networking mode to use for the RUN instructions at build-time
DSLIM_DELETE_FAT Delete generated fat image requires flag (default: false)
DSLIM_NEW_ENTRYPOINT New ENTRYPOINT instruction for the optimized image
DSLIM_NEW_CMD New CMD instruction for the optimized image
DSLIM_NEW_EXPOSE New EXPOSE instructions for the optimized image
DSLIM_NEW_WORKDIR New WORKDIR instruction for the optimized image
DSLIM_NEW_ENV New ENV instructions for the optimized image
DSLIM_NEW_VOLUME New VOLUME instructions for the optimized image
DSLIM_NEW_LABEL New LABEL instructions for the optimized image
DSLIM_RM_EXPOSE Remove EXPOSE instructions for the optimized image
DSLIM_RM_ENV Remove ENV instructions for the optimized image
DSLIM_RM_LABEL Remove LABEL instructions for the optimized image
DSLIM_RM_VOLUME Remove VOLUME instructions for the optimized image
DSLIM_EXCLUDE_MOUNTS Exclude mounted volumes from image (default: true)
DSLIM_EXCLUDE_PATTERN Exclude path pattern (Glob/Match in Go and **) from image
DSLIM_PRESERVE_PATH Keep path from orignal image in its initial state (changes to the selected container image files when it runs will be discarded)
DSLIM_PRESERVE_PATH_FILE File with paths to keep from original image in their original state (changes to the selected container image files when it runs will be discarded)
DSLIM_INCLUDE_PATH Keep path from original image
DSLIM_INCLUDE_PATH_FILE File with paths to keep from original image
DSLIM_INCLUDE_BIN Keep binary from original image (executable or shared object using its absolute path)
DSLIM_INCLUDE_BIN_FILE File with shared binary file names to include from image
DSLIM_INCLUDE_EXE_FILE File with executable file names to include from image
DSLIM_INCLUDE_EXE Keep executable from original image (by executable name)
DSLIM_INCLUDE_SHELL Keep basic shell functionality (default: false)
DSLIM_INCLUDE_PATHS_CREPORT_FILE Keep files from the referenced creport
DSLIM_INCLUDE_OSLIBS_NET Keep the common networking OS libraries (default: true)
DSLIM_INCLUDE_CERT_ALL Keep all discovered cert files (default: true)
DSLIM_INCLUDE_CERT_BUNDLES Keep only cert bundles (default: false)
DSLIM_INCLUDE_CERT_DIRS Keep known cert directories and all files in them (default: false)
DSLIM_INCLUDE_CERT_PK_ALL Keep all discovered cert private keys (default: false)
DSLIM_INCLUDE_CERT_PK_DIRS Keep known cert private key directories and all files in them (default: false)
DSLIM_INCLUDE_NEW Keep new files created by target during dynamic analysis (default: true)
DSLIM_KEEP_TMP_ARTIFACTS Keep temporary artifacts when command is done (default: false)
DSLIM_INCLUDE_APP_NUXT_DIR Keep the root Nuxt.js app directory (default: false)
DSLIM_INCLUDE_APP_NUXT_BUILD_DIR Keep the build Nuxt.js app directory (default: false)
DSLIM_INCLUDE_APP_NUXT_DIST_DIR Keep the dist Nuxt.js app directory (default: false)
DSLIM_INCLUDE_APP_NUXT_STATIC_DIR Keep the static asset directory for Nuxt.js apps (default: false)
DSLIM_INCLUDE_APP_NUXT_NM_DIR Keep the node modules directory for Nuxt.js apps (default: false)
DSLIM_INCLUDE_APP_NEXT_DIR Keep the root Next.js app directory (default: false)
DSLIM_INCLUDE_APP_NEXT_BUILD_DIR Keep the build directory for Next.js app (default: false)
DSLIM_INCLUDE_APP_NEXT_DIST_DIR Keep the static SPA directory for Next.js apps (default: false)
DSLIM_INCLUDE_APP_NEXT_STATIC_DIR Keep the static public asset directory for Next.js apps (default: false)
DSLIM_INCLUDE_APP_NEXT_NM_DIR Keep the node modules directory for Next.js apps (default: false)
DSLIM_INCLUDE_NODE_PKG Keep node.js package by name
DSLIM_KEEP_PERMS Keep artifact permissions as-is (default: true)
DSLIM_PATH_PERMS Set path permissions in optimized image
DSLIM_PATH_PERMS_FILE File with path permissions to set
DSLIM_CONTINUE_AFTER Select continue mode: enter
DSLIM_USE_LOCAL_MOUNTS Mount local paths for target container artifact input and output (default: false)
DSLIM_USE_SENSOR_VOLUME Sensor volume name to use
DSLIM_RTA_ONBUILD_BI Enable runtime analysis for onbuild base images (default: false)
DSLIM_RTA_SRC_PT Enable PTRACE runtime analysis source (default: true)
DSLIM_SENSOR_IPC_ENDPOINT Override sensor IPC endpoint
DSLIM_SENSOR_IPC_MODE Select sensor IPC mode: proxy
DSLIM_HTTP_PROBE_OFF Alternative way to disable HTTP probing (default: false)
DSLIM_HTTP_PROBE Enable or disable HTTP probing (default: true)
DSLIM_HTTP_PROBE_CMD User defined HTTP probes
DSLIM_HTTP_PROBE_CMD_FILE File with user defined HTTP probes
DSLIM_HTTP_PROBE_START_WAIT Number of seconds to wait before starting HTTP probing (default: 0)
DSLIM_HTTP_PROBE_RETRY_COUNT Number of retries for each HTTP probe (default: 5)
DSLIM_HTTP_PROBE_RETRY_WAIT Number of seconds to wait before retrying HTTP probe (doubles when target is not ready) (default: 8)
DSLIM_HTTP_PROBE_PORTS Explicit list of ports to probe (in the order you want them to be probed)
DSLIM_HTTP_PROBE_FULL Do full HTTP probe for all selected ports (if false, finish after first successful scan) (default: false)
DSLIM_HTTP_PROBE_EXIT_ON_FAILURE Exit when all HTTP probe commands fail (default: true)
DSLIM_HTTP_PROBE_CRAWL http-probe-crawl (default: true)
DSLIM_HTTP_CRAWL_MAX_DEPTH Max depth to use for the HTTP probe crawler (default: 3)
DSLIM_HTTP_CRAWL_MAX_PAGE_COUNT Max number of pages to visit for the HTTP probe crawler (default: 1000)
DSLIM_HTTP_CRAWL_CONCURRENCY Number of concurrent workers when crawling an HTTP target (default: 10)
DSLIM_HTTP_MAX_CONCURRENT_CRAWLERS Number of concurrent crawlers in the HTTP probe (default: 1)
DSLIM_HTTP_PROBE_API_SPEC Run HTTP probes for API spec
DSLIM_HTTP_PROBE_API_SPEC_FILE Run HTTP probes for API spec from file

Important

Please note that when you disable HTTP probing (either by setting DSLIM_HTTP_PROBE_OFF to true or DSLIM_HTTP_PROBE to false), it will effectively modify the behavior of the continue mode (if the DSLIM_CONTINUE_AFTER value is undefined) by imposing a timeout of 1 second. This adjustment occurs because, by default, when HTTP probes are disabled, the Slim's behavior will switch to 'enter' mode β€” and there is no way to interact with the temporary container created by Slim within the GitHub Action runner.

Outputs

To view the report results generated by the Slim build command, you can access the report property (Object) of the steps outputs context. Here's an example of how to access it: ${{ steps.<id>.outputs.report }}.

      # Slim it!
      - uses: kitabisa/docker-slim-action@v1
        id: slim
        env:
          DSLIM_HTTP_PROBE: false
        with:
          target: ${{ github.repository }}:latest

      # Dump the report
      - run: echo "${REPORT}"
        env:
          REPORT: ${{ steps.slim.outputs.report }}

License

The associated scripts and documentation in this project are released under the MIT License.

Binary used in this project include third party materials.