Their FAQ doesn't answer what it is that they are removing. Can someone shed light on that? As others have said, it seems to watch your application running and then remove anything it doesn't see your application using. Seems like a very high-risk + high-reward method.
At this point in time the tool is mostly relying on dynamic analysis though there's a bit of static analysis too when you want to include extra artifacts. The dynamic analysis part is done using a couple of different monitors that look at what files are accessed in the container and what system calls are made. Yes, there's a potential risk that something is missing, but you can mitigate this risk in a number of ways. First, you can run your own container test to ensure better coverage. Second, you can include additional artifacts by explicitly telling docker-slim what you want to keep regardless of what it sees.
Different application runtimes have interesting hidden behaviors. With Python, for example, the runtime will generate cache files from your .py files and then it'll use them instead of those .py files. However, it still checks if the original source code is still there. If it's not there, the runtime will refuse to use the cache files.
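The CPython cache behavior described in that comment, reproduced as an added example (not docker-slim's code or the commenter's) with a constructed throwaway module; the module name `slimdemo` and its `ANSWER` constant are assumptions for the demo. It shows why a minimizer that keeps `__pycache__` but drops the `.py` breaks the import, and that a sourceless `.pyc` placed where the source was is the form CPython will still load.

```python
# Added example, not docker-slim's code or the commenter's: reproduces the CPython
# cache behaviour described above with a constructed throwaway module. The
# module name "slimdemo" and the ANSWER constant are assumptions for the demo.
import importlib
import importlib.util
import os
import py_compile
import shutil
import sys
import tempfile

MODULE = "slimdemo"


def _try_import(workdir: str) -> bool:
    """Import MODULE from workdir with a clean cache; True if ANSWER == 42 loads."""
    sys.modules.pop(MODULE, None)
    sys.path.insert(0, workdir)
    importlib.invalidate_caches()  # drop the FileFinder's stale directory listing
    try:
        return importlib.import_module(MODULE).ANSWER == 42
    except ImportError:  # ModuleNotFoundError is a subclass
        return False
    finally:
        sys.path.remove(workdir)
        sys.modules.pop(MODULE, None)


def import_after_slimming(keep_sourceless_pyc: bool) -> bool:
    """Simulate a minimizer that keeps bytecode but drops the .py source.

    keep_sourceless_pyc=False: only __pycache__/slimdemo.cpython-XY.pyc survives;
    CPython ignores that cache once slimdemo.py is gone, so the import fails.
    keep_sourceless_pyc=True: a legacy-style slimdemo.pyc sits where the .py was;
    the sourceless loader accepts it, so the import works.
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, MODULE + ".py")
        with open(src, "w") as f:
            f.write("ANSWER = 42\n")  # constructed sample module
        if keep_sourceless_pyc:
            target = os.path.join(workdir, MODULE + ".pyc")
        else:
            target = importlib.util.cache_from_source(src)  # __pycache__/...
        py_compile.compile(src, cfile=target, doraise=True)
        assert _try_import(workdir)  # with the source present, both layouts work
        os.remove(src)  # the "slimmed" image: bytecode kept, source gone
        return _try_import(workdir)
    finally:
        shutil.rmtree(workdir)
```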
The main catch is that it targets application container images and not generic base images. This is the most common gotcha many people encounter. There has to be an app/service in the container that does something specific.
And, of course, it is possible that not all artifacts will be identified. There are a couple of ways to mitigate this. First, you can create custom probes for your app/service to make sure the app container can be analyzed much better. Second, you can explicitly tell docker-slim what you want to keep in your container image (you can specify files or executables).
One of the monitors leverages FANOTIFY in Linux to determine what files your application is using. This is the same thing many AV tools use to detect malware :-)
The future version will get more different runtime monitors and it will do much more with static analysis too. Right now its static analysis is limited to LDD-like dynamic library inspection for extra artifacts you want to keep in your image. There's a lot more that can be done there...