Slim.AI, a startup specializing in software supply chain security, helps businesses optimize and secure their software containers, today announced the launch of its automated container hardening feature at the CNCF’s KubeCon/CloudNativeCon Europe. With this, Slim can now automatically scan a company’s containers for vulnerabilities and remove unnecessary files, libraries and other attack surfaces.
Built into existing CI/CD pipelines, Slim’s new automated container hardening service takes containers that a developer has previously instrumented, runs them through the customer’s existing test suite, analyzes which components were actually exercised and automatically removes the unnecessary files, resulting in significantly smaller — and more secure — containers. Because fewer files remain in the container, developers can then focus on the vulnerability alerts that actually matter: the ones that relate to libraries that are actually being used.
Slim.AI was born out of an open-source project, the Slim Toolkit (previously called DockerSlim). That project is now seven years old and has seen over a million downloads. While it does some rudimentary hardening and container security analysis, the team formed a company to build on what they learned from the Slim Toolkit and expand upon it.
As Slim.AI co-founder and CEO John Amaral told me, when the company launched back in 2020, its focus was more on providing users with what Amaral called an “MRI machine for containers” that would tell users exactly what was in their containers and where there were potential security issues.
“One piece of feedback we got from the users of our open-source technology was that they really needed to understand what’s inside these containers as a complement to any kind of automated remediation,” Amaral said. “The developers still need to be able to support these modified containers and if they don’t have a clear picture of what’s there, then how will they be able to interact with the remaining components? We spent a lot of time building better tooling for them.”
As with any automated process, things don’t always work as planned, and occasionally the system may generate a container that is missing a necessary file. For those cases, Slim.AI gives developers and security teams not only detailed data about what it does to every container, but also the manual controls to repeat tests or exclude certain files from removal.
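To make the test-driven minimization described above concrete, and the manual override for files the tests never touch, here is an added illustration that is not Slim.AI’s code: the file inventory, the open() trace from the test run, the preserve pattern and the vulnerability findings (with placeholder CVE ids) are all constructed samples, and the simplified strace-style line format is an assumption.

```python
"""Constructed illustration of test-driven container minimization: keep the
files the test suite exercised (plus operator preserve rules), drop the rest,
then report only the vulnerability findings that still apply."""
import fnmatch
import re

# Constructed: full file inventory of the original image.
IMAGE_FILES = [
    "/app/server.py",
    "/usr/lib/python3/dist-packages/requests/__init__.py",
    "/usr/lib/python3/dist-packages/yaml/__init__.py",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4",
    "/usr/bin/curl",
    "/usr/bin/python3",
    "/etc/ssl/certs/ca-certificates.crt",
    "/app/config/prod.yaml",
]

# Constructed: simplified strace-style trace captured while the tests ran.
# Only the opened path and the return value matter here.
TRACE_LINES = """\
openat(AT_FDCWD, "/usr/bin/python3", O_RDONLY) = 3
openat(AT_FDCWD, "/app/server.py", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/lib/python3/dist-packages/requests/__init__.py", O_RDONLY) = 5
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libssl.so.3", O_RDONLY|O_CLOEXEC) = 6
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 7
openat(AT_FDCWD, "/app/missing.txt", O_RDONLY) = -1 ENOENT
"""

# Constructed: findings keyed by the file carrying the affected code.
FINDINGS = {
    "CVE-PLACEHOLDER-1": "/usr/lib/x86_64-linux-gnu/libcurl.so.4",
    "CVE-PLACEHOLDER-2": "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "CVE-PLACEHOLDER-3": "/usr/lib/python3/dist-packages/yaml/__init__.py",
}

OPEN_RE = re.compile(r'openat\([^,]*,\s*"([^"]+)"[^)]*\)\s*=\s*(-?\d+)')

def files_touched(trace: str) -> set:
    """Paths successfully opened during the test run; failed opens are ignored."""
    return {m.group(1) for m in OPEN_RE.finditer(trace) if int(m.group(2)) >= 0}

def harden(image_files, trace, preserve=()):
    """Keep files the tests exercised plus operator preserve patterns, the
    manual override for files (config, certs) that the test suite never reaches."""
    touched = files_touched(trace)
    keep = {p for p in image_files
            if p in touched or any(fnmatch.fnmatch(p, pat) for pat in preserve)}
    return sorted(keep), sorted(set(image_files) - keep)

def relevant_findings(findings, kept):
    """Findings whose affected file survived hardening; the rest are noise."""
    kept = set(kept)
    return {cve: path for cve, path in findings.items() if path in kept}
```

Calling `harden(IMAGE_FILES, TRACE_LINES, preserve=["/app/config/*"])` keeps six files, drops the unused curl, libcurl and yaml components, and leaves only the libssl finding as actionable.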
“As engineering teams are increasingly tasked with the responsibilities of building and releasing secure software—while many organizations also look to developer velocity to drive business results—the right tooling becomes all that more essential,” said Kelly Fitzpatrick, senior industry analyst at RedMonk. “By integrating container vulnerability reduction and mitigation into the CI/CD processes that teams already use, Slim.AI’s automated container hardening is designed to solve this need.”
The new service is available for free to users of Slim.AI’s developer platform, though teams that plan to use the service at scale will probably want to reach out to the company about its design partner program.