30 open-source projects similar to docker-slim/docker-slim, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Docker Slim alternative.
Slim is a comprehensive suite for container lifecycle management, providing tools for image inspection, optimization, security hardening, and service troubleshooting. It functions as a platform for analyzing containerized applications through both static metadata review and dynamic behavioral probing, enabling users to understand image composition and runtime dependencies. The project distinguishes itself by automating the creation of minimal, production-ready container images. It achieves this by removing unnecessary files and components, flattening image layers, and synthesizing restrictive
Dive is a command-line tool designed for the analysis and optimization of container images. It functions as a layered storage inspector, allowing users to decompose image manifests to examine individual filesystem layers and identify opportunities to reduce total image size. The tool features a filesystem diffing engine that calculates net changes between sequential layers to highlight redundant data and storage inefficiencies. Users interact with this data through a terminal-based dashboard that provides keyboard-driven navigation of complex file structures and layer metadata. By abstracting
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The proj
Skopeo is an OCI container image manager and registry client designed for inspecting, copying, and signing container images across different registries and storage backends. It enables the manipulation of container images using direct API calls to registries, operating independently of a local container daemon or runtime. The tool provides specialized capabilities for container image mirroring and synchronization, specifically supporting the mirroring of external repositories to internal registries for air-gapped environments. It also functions as a container image signing tool, allowing for
dockerlabs is a collection of educational labs and technical tutorials designed to teach the fundamentals of containerization and microservice architecture. It provides instructional material and hands-on exercises covering image optimization, security training, infrastructure setup, and cluster orchestration. The project features specific courses and guides focused on reducing image size through multi-stage builds, securing workloads via vulnerability scanning and encrypted networks, and deploying multi-node clusters with high availability using Swarm orchestration. The materials cover a br
Distroless provides a collection of security-hardened, minimal base container images designed to reduce attack surfaces by excluding non-essential system utilities, package managers, and shells. These images are constructed to contain only an application and its specific runtime dependencies, enforcing the principle of least privilege by configuring environments for non-root execution. The project distinguishes itself through a focus on supply chain integrity and reproducible builds. It utilizes declarative build configurations to track package versions and validates container image integrity
This project provides a collection of official base images for building and running .NET applications across various operating systems and hardware architectures. It includes standardized runtime environments, containerized development kits, and specialized images designed for isolated application execution. The collection is distinguished by its focus on image optimization and security hardening. It offers distroless images that remove shells and package managers to reduce the attack surface, as well as composite layering and ahead-of-time compilation to improve startup performance and lower
Hadolint is a static analysis tool designed to validate container build configurations. It functions as a security scanner and configuration auditor, parsing build instructions into a structured format to identify deviations from security and efficiency standards. The tool distinguishes itself by performing deep inspection of embedded shell commands. By tokenizing and analyzing these scripts, it detects common scripting errors and security vulnerabilities that might otherwise persist within a container image. It integrates external analysis tools to provide specialized validation for these in
Hadolint is a Dockerfile linter and Haskell-based static analysis tool. It analyzes container image configuration files against a set of rules to ensure valid syntax and adherence to best practices. The tool functions as a wrapper for shell checkers to inspect inline shell commands and scripts within build instructions, identifying scripting errors and bugs. It also includes security auditing capabilities to warn when images are pulled from registries not explicitly listed as trusted. The analysis engine covers quality assurance through label schema validation, syntax pattern verification, a
Clair is a container image vulnerability scanner and security analyzer. It performs static analysis of container images by matching package contents against vulnerability databases to identify security risks across different package formats and architectures. The project functions as both an image indexer and a vulnerability database manager. It processes container layers into intermediate representations to enable fast security lookups and synchronizes security metadata from multiple external sources to maintain a local registry. Capability areas include continuous security monitoring, whic
img is a daemon-less tool for building Open Container Initiative compliant images without requiring root privileges. It functions as a standalone builder and registry client that creates container images from build files without the need for a background process or elevated system permissions. The project provides a multi-platform image generator capable of targeting different operating systems and hardware architectures. It includes an OCI registry client for authenticating with remote registries to push, pull, and manage image artifacts. The toolset covers image construction and artifact m
Skopeo is a command line utility for inspecting, copying, and managing OCI and Docker container images across registries and local storage. It functions as a container image tool and registry manager that performs these operations without requiring a background daemon to be running on the host. The tool specializes in daemonless image manipulation, allowing users to retrieve metadata, manifests, and tags from remote registries without pulling the full image locally. It provides capabilities for mirroring external repositories to internal registries for air-gapped deployments and manages the t
Program to reverse Docker images into Dockerfiles
ctop is a terminal-based dashboard utility designed for monitoring and managing containerized applications. It provides a real-time interface for tracking the operational status and resource utilization of multiple containers simultaneously, offering a centralized view of system health directly within a terminal emulator. The tool distinguishes itself by integrating directly with the container runtime to provide both high-level infrastructure overviews and deep inspection capabilities. Users can organize their dashboard through persistent filtering and sorting preferences, ensuring that perfo
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the container ecosystem. It functions as a structured knowledge base, aggregating a wide array of software tools, educational materials, and technical resources designed to assist developers and operators in mastering containerization technologies. The repository distinguishes itself through a meticulously organized taxonomy that maps the entire container lifecycle, from initial development and image building to orchestration, security, and infrastructure operations. By curating disparat
This repository provides a Docker base image built on Alpine Linux, designed to produce containers under 5 MB. It is a minimal Linux container image that uses the apk package manager for installing software from the Alpine Linux repository. The image is constructed with a musl-based C library and a BusyBox-based userland, replacing GNU coreutils with a single compact binary. It structures the filesystem as a single root filesystem layer to minimize storage and transfer overhead, and is compatible with multi-stage Docker builds to keep final images lean. The project covers building smaller an
Container-diff is a command-line utility designed to inspect and compare the internal composition of container images. It functions as an auditor for containerized environments, providing visibility into the filesystem structure, installed software packages, and configuration metadata of individual images or differences between two distinct builds. The tool distinguishes itself through its ability to perform granular analysis across container layers, allowing users to trace build history and identify specific configuration drift. By supporting registry-agnostic image fetching and modular anal
This project is an administrative reference for Docker, providing guides and command references for system maintenance, image building, network configuration, and security hardening. It serves as a comprehensive manual for managing the container lifecycle and performing general system administration. The reference covers the construction and optimization of images through build files, layering strategies, and registry integration. It also provides instructions for configuring isolated virtual networks, mapping ports, and implementing security hardening using Linux capabilities and read-only f
osv-scanner is a software composition analysis tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities database. It functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library. The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and automated scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine if vulnerable code is act
Distroless provides a set of OCI-compliant minimal base images and hardening tools designed to create secure, language-specific execution environments. These images are stripped of non-essential system binaries, shells, and package managers to reduce the container attack surface. The project utilizes upstream-tracked automated patching to monitor operating system releases and generate updated images when security vulnerabilities are addressed. It ensures supply chain integrity through image provenance verification using ephemeral-key digital signatures. The system supports the generation of
Syft is a software bill of materials generator, container image scanner, and software dependency catalog. It analyzes container images and filesystems to produce comprehensive inventories of installed packages and dependencies in standard formats. Additionally, it serves as a software attestation tool and an SBOM format converter. The project distinguishes itself through the ability to create cryptographically signed attestations for software inventories to ensure provenance and integrity. It also provides the capability to transform software bills of materials between different industry sche
This project is a collection of techniques and configurations for reducing the disk footprint of compiled Rust executables. It serves as a guide and toolset for binary size optimization, providing strategies to minimize the final executable size through compiler flags and configuration. The project focuses on aggressive size reduction strategies, including recompiling the standard library from source to prune unused functions and implementing no-standard-library modes for memory-constrained environments. It details how to eliminate runtime overhead by removing standard library entry points an
Kubectl-debug is a diagnostic utility for Kubernetes that enables deep inspection of running containerized applications. It functions by dynamically injecting ephemeral sidecar containers into existing pods, allowing users to troubleshoot processes and filesystems without modifying original production images. The tool manages the lifecycle of these diagnostic agents, ensuring they are created on demand and cleaned up automatically after an investigation session concludes. The project distinguishes itself by enabling shared namespace access, which allows diagnostic tools to join the process an
Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc
DevOps-Bash-tools is a collection of shell scripts and aliases designed to automate cloud infrastructure, container orchestration, and CI/CD pipelines. It provides a comprehensive toolset for managing operational workflows through the command line. The project specializes in automating tasks across multiple platforms, including managing namespaces and secrets in Kubernetes, auditing resources in AWS and GCP, and triggering builds or managing environment variables in GitHub Actions, GitLab CI, and CircleCI. It also includes a toolkit for interacting with container registries to query manifests
Harness is an end-to-end developer platform and DevOps orchestration tool designed to automate software build, test, and deployment pipelines. It functions as a CI/CD platform and a source code management system for hosting and managing version-controlled repositories. The platform provides a remote development environment that launches ephemeral, cloud-based coding spaces to ensure standardized setups. It also includes a centralized artifact registry for storing and managing versioned binary packages and container images used in delivery pipelines. The system covers broad capability areas i
Soketi is a high-performance WebSocket server and real-time event broker that implements the Pusher protocol. It functions as a multi-tenant WebSocket gateway, allowing multiple isolated applications to manage persistent client connections and broadcast events across public, private, and presence channels. The project is distinguished by its distributed architecture, using pub-sub state synchronization via Redis or NATS to scale horizontally across multiple server instances. It features symmetric payload encryption for private channels, ensuring the server acts as a relay without accessing pl
dpanel is a web-based Docker management interface and remote server manager. It serves as a container lifecycle tool and orchestrator for deploying multi-container applications using Docker Compose configuration files and application stores. The project distinguishes itself as a central management console capable of controlling containers across multiple remote servers via API or SSH connections. It includes an integrated host filesystem browser for accessing files and folders on remote machines via SSH and SFTP. The platform covers container image workflows, including building custom images