OCI image governance and optimization tool. Inspect container images, detect policy violations, compare versions, and get optimization recommendations.
- Inspect container images — layers, size, config, metadata
- Diff two image versions — what changed and why it grew
- Policy checks — root user, shell present, image too large, missing SBOM
- Optimization suggestions — multi-stage builds, slim base images, cache removal
- LLM summaries — human-readable explanations of findings (never fabricated)

```bash
go build ./cmd/layercheck/

# Inspect an image
./layercheck inspect alpine:latest

# Inspect a larger image
./layercheck inspect nginx:latest
```

```json
{
  "reference": "alpine:latest",
  "digest": "sha256:59855d3d...",
  "size": 3862432,
  "layers": [
    {
      "digest": "sha256:589002ba...",
      "size": 3861821,
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip"
    }
  ],
  "cmd": ["/bin/sh"],
  "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
}
```

```bash
go test ./... -v
```

Tests use an in-memory OCI registry — no Docker daemon or network required.

```
cmd/layercheck/   CLI entrypoint
internal/
  report/         Shared types (ImageReport, Layer)
  inspect/        Image inspection
  diff/           Image comparison (coming soon)
  policy/         Policy evaluation (coming soon)
  optimize/       Optimization suggestions (coming soon)
  mcp/            MCP server (coming soon)
  llm/            LLM summarization (coming soon)
```

- Deterministic analysis first, LLM explanation second
- Simple structs, minimal dependencies
- Every feature supports a clear demo scenario
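
A deterministic policy check of the kind listed above, evaluated over the `inspect` JSON output. This is an added example, not the project's own code: the `Report` struct, the `Evaluate` function, the finding IDs, the shell list and the size budget are all assumptions, and it covers only checks that can be derived from the fields shown in that output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Report mirrors fields of the inspect JSON shown above; the struct is
// hypothetical and is not the project's ImageReport type.
type Report struct {
	Reference string   `json:"reference"`
	Size      int64    `json:"size"`
	Cmd       []string `json:"cmd"`
}

// Constructed sample, trimmed from the inspect output above.
const sample = `{"reference":"alpine:latest","size":3862432,"cmd":["/bin/sh"]}`

// shells is an assumed list of binary names treated as "a shell".
var shells = map[string]bool{"sh": true, "bash": true, "ash": true, "dash": true, "zsh": true}

// Evaluate returns one finding ID per violated rule. maxBytes is a
// caller-chosen size budget (assumption: the page names no threshold).
func Evaluate(raw []byte, maxBytes int64) ([]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	var findings []string
	if r.Size > maxBytes {
		findings = append(findings, "image-too-large")
	}
	// A default command that is itself a shell shows a shell is present
	// and is what the container runs when started without arguments.
	if len(r.Cmd) > 0 && shells[path.Base(r.Cmd[0])] {
		findings = append(findings, "shell-as-default-cmd")
	}
	return findings, nil
}

func main() {
	findings, err := Evaluate([]byte(sample), 100<<20) // 100 MiB budget
	if err != nil {
		panic(err)
	}
	fmt.Println(findings)
}
```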