dockershrink

dockershrink is a CLI that inspects a Docker/OCI image and gives concrete, actionable recommendations for making it smaller, cleaner and safer. Every check is an isolated analyzer, so the report is specific and the fixes are obvious: instead of a vague total size, you get the exact instruction that caused the bloat.

Features:
  • Flexible image sources: local Docker daemon, docker save tarball / OCI layout, or pull by tag or digest
  • Per-layer and per-file size analysis attributing bloat to the exact RUN/COPY step
  • Detection of leftover apt/apk/yum/pip/npm caches, duplicates, docs and temp junk
  • Best-practice checks: multi-stage builds, build tools left in the runtime image, unpinned/:latest tags, root user, missing HEALTHCHECK
  • Supply-chain hygiene: OSV-backed CVE scan, outdated packages, baked-in secrets, SUID/SGID inventory
  • Estimated savings per finding and a single bloat score
  • Image-to-image diff and baseline comparison
  • JSON/SARIF output and --fail-on mode for CI pipelines
And more on github.com/eltaline/dockershrink