Dykondo
Dykondo (DYnamic KONtainer Debloater/Optimizer): Debloating container images for reduced attack surface and optimized edge deployments.
Need
Container images often contain bloat – software, libraries, and other files not required for a given deployment. This creates unnecessary attack surfaces, spurious vulnerability reports from static container scanning tools, and overhead when transmitting, maintaining, and using images.
Current best practices recommend engineers refactor Dockerfiles to use slim base images and avoid installing bloat. This requires significant time and expertise, addresses only some sources of bloat, and increases maintenance burden.
Solution
Dykondo is an automated solution for container debloating. DYKONDO further removes bloat from within recognized types of applications and files. The debloated result is returned as a container image.
Benefits:
- Reduces image size, sometimes dramatically, without the need for fine-tuning complex Dockerfiles
- Lightens storage and bandwidth requirements for deployment to edge devices
- Reduces false positive vulnerabilities identified by static container scanning tools
- Impedes attackers by shrinking attack surface
System and Workflow
Dykondo debloats an application’s container image. In the scenario shown, it retains an application file and library it depends on but removes an unnecessary system file.
Dykondo in Practice C
Results from case studies on official container images from popular open-source projects:
-
PostgreSQL:
- postgres:16.1, 425 MB to 240 MB (44% reduction)
- postgres:16.1-alpine, 253 MB to 204 MB (19% reduction)
-
Grafana OnCall:
- grafana/oncall:1.3.94, 1.3 GB to 169 MB (87% reduction)
Dykondo for you
- Contact us about on-prem and SaaS DYKONDO solutions that fit your workflows and integrate in your DevSecOps pipelines.
DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited. Approved, DCN#0543-1847-24
© 2024 Grammatech, Inc.