Support images minified with DockerSlim

[endrec]

DockerSlim minifies docker images by removing unused packages and files.
It would be nice to support images created using DockerSlim, similarly to distroless images.

Currently trivy fails with an Unknown OS error (tested with 0.3.1).

[rcomanne]

Is there any status update on this issue?
I would love for this to work.

[knqyf263]

I've implemented that Trivy handled images minified with DockerSlim gracefully. Note that it means Trivy can detect vulnerabilities of libraries used by a programming language, but can't detect vulnerabilities of OS packages in the image. Trivy uses a status file like /lib/apk/db/installed and /var/lib/dpkg/status. If they don't exist in the image, Trivy can't know the versions of installed packages. If you want to scan OS packages, you need to include those files. They are small, so I think it doesn't increase the image size.

This is a case of debian.

$ docker-slim build --include-path "/etc/debian_version" --include-path "/var/lib/dpkg/status" nginx

alpine:

$ docker-slim build --include-path "/etc/alpine-release" --include-path "/lib/apk/db/installed" nginx:alpine