Welcome to theCUBE's DockerCon coverage. I'm John Furrier, host of theCUBE. We've got a great segment here with Slim.ai CEO John Amaral, stealth-mode SaaS company, startup in the DevOps space with tools today and open source around supply chain security with containers, closed beta with developers. John, thanks for coming on. Congratulations for being Platinum sponsor here, DockerCon, thanks for coming on theCUBE.

Thanks a lot, John, my pleasure.

You know, container analysis, management, optimization. You know, that's super important, but security's at the center of all the action we're seeing with containers. We've been talking shift left on a lot of CUBE conversations. What that means, is it an outcome, is it a product, software supply chain, you see them as secureware, malware, all these things are part of now the new normal in cloud native. You guys are the center of this. The surface areas change. All these things are important. Take a minute to explain what you guys are doing as a tools and open source, some of the things you're doing. I know you got a stealth-mode product you probably can't talk about, but you've got a closed beta. Can you give us a little bit of a teaser? What's Slim.ai about?

Sure. So Slim.ai is about helping developers build secure containers fast. And that really plays to a few trends in the marketplace that are really apparent and important right now. There's been a federal mandate and a bunch of really highly publicized breaches that have all been caused by software supply chain risks, and security and software supply chain security has become a really top-of-mind concept for people who secure things and people who develop software and run SaaS. So Slim.ai has built a bunch of capabilities and tools that allow software developers at their desks to better understand and build secure containers that really reduce software supply chain risk as you think about containers being run in production.
And we do three things to help developers. One is we help them know everything about their software. It's kind of a core concept of software supply chain security. Just know what software is in your containers. Two, another core concept is only ship to production what you need to run. That's all about risk surface and the ability for you to easily make a container small that has as much software reduction in it as possible. And three, it's remove as many vulnerabilities as possible. The Slim tool set, both our open source and our SaaS beta platform, make that easy for developers to do.

So basically have a nice clean secure environment. Know what's in there. Only put in production what's needed and make sure it's tight and it's trimmed down perfectly. So you're kind of teasing out this concept of slimming, which is in the name of the company, but really just about surface area of attack around containers and super important as it becomes more and more prominent in the environment these days. What is container slimming and why is it important for supply chain security?

Sure. So in the realm of software supply chain security best practices, right? There are three core concepts. One is the idea of an SBOM, that you should know the inventory of all the software that runs in your world. Two, it's security posture, signing containers, making sure that the authenticity of the software that you use and in production is well understood. And the third is, well, managing exactly what software you ship. The first two things I said are simply just inventory and basics about knowing what software you have, but no one answers the question: what software do I need? So I run a container and say it's a gig and it's got all these packages in it, comes from the operating system, from Node, et cetera. It's got all this stuff in it. I know the parts that I write my code to, but all that other stuff, what is it? Why is it there? What's the risk in it?
And that slimming part is all about managing the list of things you actually ship to the absolute minimum. And with confidence that you know that that code will actually work when it gets to production but be as small as possible. That's what slimming is all about. And it really reduces supply chain risk by lowering the attack surface of your container but also trimming your supply chain to only the minimum pieces you need, which really causes a lot of improvements in the operational overhead of having software supply chain security.

It's interesting, as you get more volume and velocity around containers and automation kicks in, sometimes things are turning on and off you don't even know, and shift left has been a great trend for getting in the CI/CD pipeline for developer productivity. Really cool. What are some of the consequences that's going on with this? Because then you start to get into some of these areas like some stuff happens that the developers have to come shift back and can take care of stuff. So, you know, CTOs and CISOs are really worried about this container dynamic. What's the new thing that's causing the problems here? What's the issue around the management that CISOs and CTOs care about?

Sure. And I'll talk about shift left implications as well for that exact point. So as you start to worry about software supply chain security and get a handle on all the software you ship to prod, well, part of that is your knowledge is power, but it's also risk and work. As soon as I know about problems with my containers or the risk surface, then I got to do something about it. So we're really getting into the age where everyone has to know about the software they ship. As soon as you know about that, say there's a vulnerability or a package that's a little risky or some surface area you don't really understand, the only place that can be abated is by going back to the developers and asking them, what is that? How do I remove it? Please do that work.
So the software supply chain security knowledge turns into developer security work. Now, the problem is that historically the knowledge was imperfect and the developer involvement in that was, I'd say, ad hoc, meaning that developers had best practices that did the best they could, but the scrutiny we have now on minimizing this kind of risk is really high. The beautiful part about containers is they're portable and it's an easily transferable piece of software. So you have a lot of producers and a lot of consumers of containers. Consumers of containers that care about supply chain risk are now starting to push back on producers saying take those vulnerabilities out, move those packages, make this thing more secure, lower the risk profile. This works its way all the way back to the developers, who don't really have the tools, capabilities and automations to do the work I just described easily, and that's an opportunity that Slim is really addressing, making it easy for developers to remove risk.

And that's really the consequences of shifting left without having the slimming, because what you're saying is you shift left and that's kind of nulled out because you got to go back and fix it. The work comes out.

That's right. And yeah, and it's not an easy task for a developer to understand the code that they didn't intentionally put in the container. It's like, okay, there's a package in that operating system. What does it do? I don't know. Do I even use it? I don't know. So there's like tons of analytic and I would say even optimization questions and work to be done that they're just not equipped to because the tooling for that is really immature. Slim's on a mission to make that really easy for them and do it automatically. So they don't have to think about it. We just automatically remove stuff you don't use. And voila, you've got this like perfectly pre-optimized capability.

You know, this software supply chain is huge.
And I remember when open source started, when I can remember when I was breaking into the business, now it's such a height and such an escalation of new developers. This, it's a real issue that that's going to be resolved. It has to be, because supply chain is part of open source. Right. As more code comes in, you got to verify it. You got to make sure it's slim where it needs to be slim and optimized where it needs to be optimized. Huge trend. And so I just love this area. I think it's real innovative and needed. So congratulations on that. You know, one more question for you before we get into, to close out. You guys are part of the Docker Extensions launch and you're a partner.

That's right.

Why is this important to participate in this program? And what do you guys hope it does for Slim.ai?

First of all, you know, Docker is a ubiquitous platform. Their hub has millions and millions of containers. We've got millions and millions of developers using Docker Desktop to actually build and work on containers. It's like literally the sandbox for all local work for building containers. It's a fair statement. So inclusion in DockerCon and the relationship we're building with Docker is really important for developers in that we're bringing these capabilities to the place where developers work and live every day. It's where all the containers live in the world. So we want to have our technology be easy to use with Docker tools. We want to keep developers' workflows and systems and tools of record be the same. We just want to help them use those tools better and optimize outputs from that. And we've worked since our inception to make our tools really, really friendly for Docker and Docker environments. Two, we are building a Docker extension. They have in this DockerCon, they're launching their Docker Extensions program to the worldwide audience. We've been one of the lucky companies that's been selected to build one of the early Docker Desktop plugins.
It's derived from our capabilities in our SaaS platform and in our open source. And it's effectively an MRI machine, an awesome analytic tool that allows any developer to really understand the composition, security and profile of any container they work with. So it's giving sight to the blind, so to speak, that it's this new tool to make container analysis easy.

Well, John, you guys got a great opportunity. Container analysis, management, optimization, key to security, enabling it and maintaining it and sustaining it. And it's changing. I know you guys, your co-founder also did Docker Slim. So you guys are deep in the open source side. Congratulations on that. We'll see you at KubeCon. For the remaining time we have, give a plug for the company. Obviously you're in stealth mode, product's going to come out later this year. You got a developer preview. What's the company all about? What's the most important story here at DockerCon?

Sure, just to play it back. So we help developers do three important things. Know everything about the software and their containers. Two, only ship stuff to production that you need. And three, remove as many vulnerabilities as possible. That's really about me managing and understanding the risk surface. It ties right back to software supply chain security, and any developer can use these tools today to emit and build containers that are more secure and better production-grade containers. And it's easy to do. We have an open source project called Docker Slim. Go check it out. It's on GitHub, it's easy to find. If you go to www.slim.ai, you can find access to that. We have tens of thousands of developers, 500,000 plus downloads. We have developers everywhere using those tools today and open source to do the objectives I just said. You can also easily sign up for our data, for our SaaS platform.
You can use the Docker extension, go ahead and do that and really get on your journey to make those outcomes a reality for you and really kind of make those SecOps people downstream not have to shift anything left. It's super easy for you to be a great participant in software supply chain security.

All right, John Amaral, CEO of Slim.ai, stealth-mode SaaS, thanks for coming on theCUBE. CUBE coverage of DockerCon. Thanks for watching. I'm John Furrier, host of theCUBE. Back to more DockerCon after this short break.