
Unable to scan a slimmed image for bom and security issues #409

Open
matth65 opened this issue Oct 2, 2022 · 2 comments

Comments


matth65 commented Oct 2, 2022

I'm building a minified ubuntu:20.04 based image with a few applications. I have to specify the applications to keep manually using several include statements as shown below.

```shell
# Restore dependencies listed below (the include flags keep paths the
# build would otherwise drop from the minified image)
docker run -it --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "${DOC_BUILD_ROOT}/docker-slim-state:/bin/.docker-slim-state" \
  dslim/docker-slim build \
  --http-probe=false \
  --continue-after 1 \
  --tag="${IMAGE}.slim:${VERSION}" \
  --include-shell \
  --include-path=/etc \
  --include-bin=/bin/sh \
  --include-bin=/bin/sleep \
  --include-bin=/sbin/ip \
  --include-bin=/usr/bin/python3 \
  --include-path=/usr/bin/supervisorctl \
  --include-bin=/usr/sbin/tcpdump \
  --include-path=/lib/libgcc_s.so.1 \
  --include-path=/lib/x86_64-linux-gnu/libgcc_s.so.1 \
  --include-path=/usr/lib/python3 \
  --include-path=/usr/lib/python3.8 \
  --include-path=/usr/local/lib/python3.8 \
  --include-path=/opt/ \
  --include-path=/var/log \
  "${IMAGE}:${VERSION}"
```

Minifying an image appears to break scanning tools such as 'docker scan' and 'docker sbom'. These scanning tools are unable to properly scan/inventory my 'slim' image. Is there a way to specify a list of dpkg (dpkgdb) packages to keep, or some other way of preserving dpkgdb for the packages I want to keep?
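The scanners named above inventory Debian-based images by reading `/var/lib/dpkg/status`, so an image that no longer carries that file reports no packages. The following Python script is an added example, not code from this issue or from the docker-slim project: it parses a constructed excerpt of a dpkg status database the way an SBOM tool does, shows that an empty or missing file yields an empty inventory, and writes a status file trimmed to a chosen set of packages plus whichever of their dependencies are present in the file. The sample stanzas are constructed, and the idea that such a trimmed file could be placed back at `/var/lib/dpkg/status` and kept with `--include-path` is an assumption of mine, not a documented docker-slim feature.

```python
"""Parse a dpkg status database and trim it to a set of retained packages.

Constructed example, not docker-slim code. Shows what SBOM scanners read
from /var/lib/dpkg/status and why a missing file gives an empty inventory.
"""
from __future__ import annotations

import re

# Constructed sample of /var/lib/dpkg/status: stanzas separated by a blank
# line, multi-line Description fields continued with a leading space.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.31-0ubuntu9.9
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: python3.8
Status: install ok installed
Architecture: amd64
Version: 3.8.10-0ubuntu1~20.04.5
Depends: python3.8-minimal (= 3.8.10-0ubuntu1~20.04.5), libpython3.8-stdlib (= 3.8.10-0ubuntu1~20.04.5)
Description: Interactive high-level object-oriented language (version 3.8)

Package: tcpdump
Status: install ok installed
Architecture: amd64
Version: 4.9.3-4ubuntu0.1
Depends: libc6 (>= 2.14), libpcap0.8 (>= 1.9.1)
Description: command-line network traffic analyzer

Package: vim-tiny
Status: deinstall ok config-files
Architecture: amd64
Version: 2:8.1.2269-1ubuntu5.7
Description: Vi IMproved - enhanced vi editor - compact version
"""


def parse_status(text: str) -> list[dict[str, str]]:
    """Split a status file into stanzas of field -> value.

    Continuation lines (leading space or tab) are appended to the previous
    field with their indentation kept, so a stanza round-trips unchanged.
    """
    stanzas: list[dict[str, str]] = []
    current: dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.rstrip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def installed_packages(text: str) -> dict[str, str]:
    """Return {name: version} for stanzas a scanner counts as installed.

    Packages removed but with config files left behind are excluded, as
    `dpkg -l` does. An empty file (the slimmed-image case) gives {}.
    """
    return {
        s["Package"]: s["Version"]
        for s in parse_status(text)
        if s.get("Status") == "install ok installed"
    }


_DEP_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9+.-]*)")


def dependency_names(stanza: dict[str, str]) -> set[str]:
    """Bare package names from a Depends field (alternatives split on |)."""
    names = set()
    for clause in stanza.get("Depends", "").split(","):
        for alt in clause.split("|"):
            m = _DEP_NAME.match(alt)
            if m:
                names.add(m.group(1))
    return names


def trim_status(text: str, keep: set[str], follow_depends: bool = True) -> str:
    """Status file containing only `keep` and, optionally, their dependencies.

    Dependencies are followed only to stanzas present in the input; a
    dependency absent from the file is ignored, never invented.
    """
    by_name = {s["Package"]: s for s in parse_status(text)}
    wanted = set(keep)
    if follow_depends:
        frontier = list(wanted)
        while frontier:
            for dep in dependency_names(by_name.get(frontier.pop(), {})):
                if dep in by_name and dep not in wanted:
                    wanted.add(dep)
                    frontier.append(dep)
    out = [
        "\n".join(f"{k}: {v}" for k, v in s.items())
        for name, s in by_name.items()
        if name in wanted
    ]
    return "\n\n".join(out) + "\n"
```

Run against a real `/var/lib/dpkg/status` pulled out of the original image, `trim_status` yields a file that lists only the packages you chose to keep; dependencies that were themselves dropped by the slimming step are left out of the result only if they are absent from the input, so review the output against the `--include-*` list before relying on it.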

bigpod98 (Contributor) commented Oct 3, 2022

It breaks these scanners as it removes dpkgdb, and there is also no way for you to keep it with only these packages.

kcq (Member) commented Oct 11, 2022

Some scanners do better than others, but it's a common problem with scanners. DockerSlim ends up exposing their primitive and hacky design :-) Instead of trying to make the broken scanners work DockerSlim will produce its own component metadata.


3 participants