Configs · April 16, 2026 · 1 min read

Slim — Optimize Docker Containers with Automatic Minification

Slim (formerly DockerSlim) automatically analyzes and optimizes container images, shrinking them up to 30x by removing unnecessary files, packages, and layers.

Introduction

Slim (formerly DockerSlim) is an open-source tool that automatically shrinks container images by analyzing what your application actually needs at runtime. Instead of manually crafting multi-stage builds or stripping packages by hand, Slim instruments your container, observes which files and libraries are accessed, and produces a minimal image with only those components. The result is dramatically smaller, faster, and more secure images.

What Slim Does

  • Analyzes container images using static analysis and dynamic probing to identify used files
  • Produces minified images that are 5-30x smaller than the originals
  • Removes unused packages, shell utilities, and OS files that expand attack surface
  • Generates AppArmor and Seccomp security profiles automatically
  • Supports Dockerfile-less optimization of any existing image from any registry

Architecture Overview

Slim works by launching your container in an instrumented sandbox that monitors file system access, network calls, and process execution using kernel-level sensors (ptrace, seccomp-bpf, fanotify). After the probing phase completes, Slim builds a dependency graph of every file and library your application touched. It then constructs a new minimal image containing only those artifacts, preserving the original entrypoint and environment configuration.

Self-Hosting & Configuration

  • Install the slim binary on your CI runner or developer machine via the install script
  • Run slim build to produce an optimized variant tagged with a .slim suffix
  • Use --http-probe=true to automatically probe HTTP endpoints during analysis
  • Add --include-path to manually include extra files or directories the probe might miss
  • Integrate into CI/CD pipelines by running slim after docker build for automatic optimization

Key Features

  • Zero-config optimization that works on most Docker images without modification
  • Built-in HTTP probing that exercises web applications during the analysis phase
  • Automatic security profile generation (AppArmor and Seccomp) for hardened containers
  • Image xray command provides a detailed breakdown of layers, files, and wasted space
  • Works with any container runtime and registry including Docker Hub, ECR, GCR, and GHCR

Comparison with Similar Tools

  • Multi-stage Docker builds — require manual effort to select and copy only needed artifacts
  • Distroless images (Google) — provide minimal base images but require rebuilding your app on top
  • Alpine Linux — smaller base but still includes unused packages and needs manual pruning
  • Dive — excellent for inspecting image layers but does not actually optimize or shrink them
  • crane — manipulates image layers efficiently but has no runtime analysis or auto-minification

FAQ

Q: Will Slim break my application by removing needed files? A: Slim uses runtime probing to detect dependencies. For most apps the defaults work. If a file is missed, use --include-path to add it and rebuild.

Q: Does Slim work with non-HTTP applications? A: Yes. You can use --exec to run custom commands during the probing phase, or provide a probe script for databases, CLIs, or background workers.

Q: How does Slim compare to just using scratch or distroless base images? A: Scratch and distroless require you to manually build a static binary. Slim works on any existing image including those based on Ubuntu or Debian.

Q: Can I use Slim in CI/CD? A: Absolutely. Run slim build as a post-build step in GitHub Actions, GitLab CI, or Jenkins to automatically optimize every image before pushing to a registry.
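
The CI step from the configuration list, combined with the missed-file case from the FAQ, as an added example (not code from the Slim project): it runs slim build, checks the minified image against a team-maintained list of paths the probe may not exercise, and rebuilds once with --include-path if any were dropped. The image names, the required-paths file and the script name are assumptions; --target and --tag are slim build options not shown on this page.

```shell
#!/bin/sh
# Added example, not Slim project code. Image names and the required-paths
# file are assumptions; paths must not contain whitespace.
set -eu

# Print every path in an image's filesystem without starting a container.
image_files() {
  cid=$(docker create "$1")
  docker export "$cid" | tar -tf - | sed 's|^|/|; s|/$||'
  docker rm "$cid" >/dev/null
}

# $1 = listing of the image's files, $2 = required paths (one per line).
# Prints each required path that is absent from the listing.
missing_paths() {
  grep -vxFf "$1" "$2" || true
}

# Turn paths on stdin into repeated "--include-path <path>" arguments.
include_flags() {
  while IFS= read -r p; do
    if [ -n "$p" ]; then printf '%s %s ' --include-path "$p"; fi
  done
}

# Minify image $1 into tag $2. If paths listed in file $3 were dropped,
# rebuild once with them force-included, then fail if any is still absent.
minify() {
  slim build --target "$1" --tag "$2" --http-probe=true
  list=$(mktemp)
  image_files "$2" >"$list"
  missing=$(missing_paths "$list" "$3")
  if [ -n "$missing" ]; then
    echo "probe missed, rebuilding with --include-path:" $missing >&2
    # Word splitting of the generated flags is intended here.
    slim build --target "$1" --tag "$2" --http-probe=true \
      $(printf '%s\n' "$missing" | include_flags)
    image_files "$2" >"$list"
    missing=$(missing_paths "$list" "$3")
  fi
  rm -f "$list"
  [ -z "$missing" ] || { echo "still missing:" $missing >&2; return 1; }
}

# Usage: ./slim-ci.sh myapp:latest myapp:slim required-paths.txt
if [ "$#" -eq 3 ]; then minify "$@"; fi
```

Keeping the required-paths file in version control means every file forced back into the minified image goes through review, so the image does not quietly grow back toward its original contents.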
