{"id":16888375,"url":"https://github.com/imjasonh/chaff","last_synced_at":"2026-04-24T12:06:42.171Z","repository":{"id":39632568,"uuid":"503421843","full_name":"imjasonh/chaff","owner":"imjasonh","description":"Report on unnecessary files in container images","archived":false,"fork":false,"pushed_at":"2022-06-24T17:28:46.000Z","size":59,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-20T02:44:51.309Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imjasonh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-14T15:41:47.000Z","updated_at":"2022-06-14T21:17:48.000Z","dependencies_parsed_at":"2022-09-20T07:12:01.735Z","dependency_job_id":null,"html_url":"https://github.com/imjasonh/chaff","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/imjasonh/chaff","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imjasonh%2Fchaff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imjasonh%2Fchaff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imjasonh%2Fchaff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imjasonh%2Fchaff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imjasonh","download_url":"https://codeload.github.com/imjasonh/chaff/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imjasonh%2Fchaff/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32222523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T10:26:35.452Z","status":"ssl_error","status_checked_at":"2026-04-24T10:25:27.643Z","response_time":64,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T16:51:31.917Z","updated_at":"2026-04-24T12:06:42.138Z","avatar_url":"https://github.com/imjasonh.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `chaff`\n\nThis tool reports on deleted files in container images.\n\nThese files can be included in your container image due to poor build hygiene, for example, by misusing Dockerfiles:\n\n```\nFROM base-image\nRUN download-large-file.sh \u003e large.zip\nRUN unzip large.zip\nRUN rm large.zip\n```\n\nThis Dockerfile will include `large.zip` in your container image layers, even though it won't be available when the image is run.\n\nLarge chaff files bloat image sizes, and can even include sensitive data such as secrets.\nConsider this example:\n\n```\nFROM base-image\nRUN download-secret.sh \u003e secret.key\nRUN download-artifact.sh --key=secret.key \u003e large.zip\nRUN rm secret.key\n```\n\nThe secret key is still present in the container image's layers!\n`chaff` can help you find them.\n\n# Installation\n\n```\ngo install github.com/imjasonh/chaff@latest\n```\n\n# Usage\n\n```\nchaff registry.biz/my/container/image:latest\n```\n\n# Example\n\nYou can build and publish a chaffy image from [`./example/`](./example):\n\n```\ndocker buildx build --push -t my-image -f example/Dockerfile.chaff example\n```\n\nThen run `chaff` on it to see a report about hidden/deleted files:\n\n```\n$ chaff my-image\n==== CHAFF REPORT ====\n- layers: 10\n- total chaff files: 219\n- total chaff size: 45 MB (9.81%)\n--- random.txt (26 MB)\n--- var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_main_binary-arm64_Packages.lz4 (17 MB)\n--- var/cache/debconf/templates.dat-old (780 kB)\n--- var/cache/debconf/templates.dat (780 kB)\n--- var/lib/apt/lists/security.debian.org_debian-security_dists_bullseye-security_main_binary-arm64_Packages.lz4 (306 kB)\n--- random.txt (257 kB)\n--- var/lib/apt/lists/deb.debian.org_debian_dists_bullseye_InRelease (116 kB)\n--- var/lib/dpkg/status-old (83 kB)\n--- var/lib/dpkg/status (83 kB)\n--- var/lib/apt/lists/security.debian.org_debian-security_dists_bullseye-security_InRelease (44 kB)\n--- var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_InRelease (39 kB)\n--- etc/ld.so.cache (6.3 kB)\n--- var/lib/apt/extended_states (5.6 kB)\n--- var/cache/debconf/config.dat-old (4.8 kB)\n--- var/cache/debconf/config.dat (4.8 kB)\n--- var/log/apt/eipp.log.xz (4.7 kB)\n--- var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_main_binary-arm64_Packages.lz4 (3.9 kB)\n--- random.txt (3.6 kB)\n--- secret.key (82 B)\n```\n\nYou can then rebuild the images without the unnecessary deleted files:\n\n```\ndocker buildx build --push -t my-image:fixed -f example/Dockerfile.unchaffed example\n```\n\nAnd look for chaff:\n\n```\n$ chaff my-image:fixed\n==== CHAFF REPORT ====\n- layers: 2\n- total chaff files: 187\n- total chaff size: 1.8 MB (0.42%)\n--- var/cache/debconf/templates.dat (780 kB)\n--- var/cache/debconf/templates.dat-old (780 kB)\n--- var/lib/dpkg/status-old (83 kB)\n--- var/lib/dpkg/status (83 kB)\n--- etc/ld.so.cache (6.3 kB)\n--- var/lib/apt/extended_states (5.6 kB)\n--- var/cache/debconf/config.dat-old (4.8 kB)\n--- var/cache/debconf/config.dat (4.8 kB)\n--- var/log/apt/eipp.log.xz (4.7 kB)\n```\n\nThese are files from the `debian` base image that your later steps have deleted or overwritten.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimjasonh%2Fchaff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimjasonh%2Fchaff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimjasonh%2Fchaff/lists"}