The original post: /r/cybersecurity by /u/Specialist_Square818 on 2025-02-23 00:30:41.
Hi everyone,
For the past couple of years, we have been looking at container security. Turns out that up to 97% of vulerabilities in acontainer can be just due to bloatware, code/files/features that you never use [1]. While there has been a few efforts to develop debloating tools, they failed with many containers when we tested them. So we went out and developed a container (file) debloating tool and released it with an MIT license.
Github link: https://github.com/negativa-ai/BLAFS
A full description here: https://arxiv.org/abs/2305.04641
TLDR; the tool uses the layered filesystem of containers to discover and remove unused files.
Here is a table with the results for 10 popular containers on dockerhub:
| Container | Original size (MB) | Debloated (MB) | Vulerabilities removed % |
|---|---|---|---|
| mysql:8.0.23 | 546.0 | 116.6 | 89 |
| redis:6.2.1 | 105.0 | 28.3 | 87 |
| ghost:3.42.5-alpine | 392 | 81 | 20 |
| registry:2.7.0 | 24.2 | 19.9 | 27 |
| golang:1.16.2 | 862 | 79 | 97 |
| python:3.9.3 | 885 | 26 | 20 |
| bert tf2:latest | 11338 | 3973 | 61 |
| nvidia mrcnn tf2:latest | 11538 | 4138 | 62 |
| merlin-pytorch-training:22.04 | 15396 | 4224 | 78 |
| merlin-tensorflow-training:22.04 | 14320 | 4195 | 75 |
Please try the tool and give us any feedback on what you think about it. A lot on the technical details are already in the shared arxiv link and in the README on github!