aborroy/scout-style-docker-image-comparison

A Scout-style Docker Image Comparison

compare.sh is a Bash utility to compare two Docker images using Syft and Grype. It highlights package differences and vulnerabilities in a format similar to Docker Scout, but designed to work in BSD/GNU-friendly environments with minimal dependencies.

Features

  • Generates SBOMs for two images using Syft
  • Compares packages added, removed, or modified
  • Checks for vulnerabilities with Grype
  • Highlights differences in environment variables
  • Outputs a summary report with size changes, provenance, and more

Prerequisites

Make sure the following tools are installed and available in your PATH:

  • syft
  • grype
  • jq
  • docker

Install them via Homebrew:

brew install syft grype jq docker

Or follow the instructions from their respective GitHub pages.

Usage

./compare.sh <new-image> <old-image>

Example:

./compare.sh alfresco/alfresco-search-services:2.0.16 alfresco/alfresco-search-services:2.0.15

      Provenance: https://github.com/Alfresco/alfresco-docker-base-java
      Size: 712 MB (-14 MB)
      Packages: 209 (+0)

  ## Environment Variables


    + SOLR_ZIP=alfresco-search-services-2.0.16.zip
    - SOLR_ZIP=alfresco-search-services-2.0.15.zip

      DIST_DIR=/opt/alfresco-search-services
      JAVA_HOME=/etc/alternatives/jre
      LANG=C.UTF-8
      LC_ALL=C.UTF-8
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      SOLR_DATA_DIR_ROOT=/opt/alfresco-search-services/data
      SOLR_SOLR_MODEL_DIR=/opt/alfresco-search-services/data/alfrescoModels

  ## Labels


    + org.label-schema.build-date=2025-05-19T02:50:27Z
    + org.opencontainers.image.created=2025-05-19T02:50:27Z
    + org.opencontainers.image.revision=356
    - org.label-schema.build-date=2025-02-17T02:37:20Z
    - org.opencontainers.image.created=2025-02-17T02:37:20Z
    - org.opencontainers.image.revision=338

      creator=Alfresco
      maintainer=Alfresco
      org.label-schema.name=Alfresco Base Java Image
      org.label-schema.schema-version=1.0
      org.label-schema.vendor=Alfresco
      org.opencontainers.image.source=https://github.com/Alfresco/alfresco-docker-base-java
      org.opencontainers.image.title=Alfresco Base Java Image
      org.opencontainers.image.vendor=Alfresco

  ## Packages and Vulnerabilities


    +   1 packages added
    -   1 packages removed
    ⎌  51 packages changed (↑ 51 upgraded, ↓ 0 downgraded)
      157 packages unchanged

     Package                                                              Version        Previous

  ↑  commons-fileupload/commons-fileupload                                  1.6.0          1.5
  ↑  jrt-fs/jrt-fs                                                          17.0.15        17.0.14
  ↑  org.alfresco/alfresco-search                                           2.0.16         2.0.15
  ↑  org.alfresco/alfresco-solrclient-lib                                   2.0.16         2.0.15
  ↑  org.apache.lucene/lucene-analyzers-common                              6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-icu                                 6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-kuromoji                            6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-morfologik                          6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-phonetic                            6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-smartcn                             6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-analyzers-stempel                             6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-backward-codecs                               6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-classification                                6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-codecs                                        6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-core                                          6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-expressions                                   6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-grouping                                      6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-highlighter                                   6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-join                                          6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-memory                                        6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-misc                                          6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-queries                                       6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-queryparser                                   6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-sandbox                                       6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-spatial-extras                                6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.lucene/lucene-suggest                                       6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.solr/solr-analysis-extras                                   6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.solr/solr-clustering                                        6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.solr/solr-core                                              6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.solr/solr-langid                                            6.6.5-patched.21 6.6.5-patched.20
  ↑  org.apache.solr/solr-solrj                                             6.6.5-patched.21 6.6.5-patched.20
  ↑  org.eclipse.jetty.start/start                                          9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-continuation                                   9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-deploy                                         9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-http                                           9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-io                                             9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-jmx                                            9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-rewrite                                        9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-security                                       9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-server                                         9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-servlet                                        9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-servlets                                       9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-start                                          9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-util                                           9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-webapp                                         9.4.57.v20241219 9.4.56.v20240826
  ↑  org.eclipse.jetty/jetty-xml                                            9.4.57.v20241219 9.4.56.v20240826
  ↑  org.springframework/spring-beans                                       6.2.8          6.1.14
  ↑  org.springframework/spring-context                                     6.2.8          6.1.14
  ↑  org.springframework/spring-core                                        6.2.8          6.1.14
  ↑  org.springframework/spring-expression                                  6.2.8          6.1.14
  ↑  org.springframework/spring-tx                                          6.2.8          6.1.14
  +  com.sun.xml.bind/jaxb-xjc                                              4.0.3
  -  com.sun.xml.bind/jaxb-core                                             4.0.3

Output

  • Summary of size and package differences
  • List of new, removed, and modified packages
  • Vulnerability delta between the two images
  • ENV variable changes

The script creates a temporary directory for intermediate data, which is cleaned up automatically after execution.

Implementation Notes

  • SBOMs are generated in CycloneDX JSON format
  • Grype is run with a baseline to highlight new or fixed vulnerabilities
  • Package diffs are parsed from jq filters on CycloneDX data
  • The script is designed to work in both macOS and Linux environments
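
The package-diff step described in these notes can be sketched with one jq filter over two CycloneDX documents. This is an added example, not code from compare.sh: the function names, the group/name package key, the numeric version-ordering heuristic and the sample SBOMs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not compare.sh itself): classify package changes between
# two CycloneDX JSON SBOMs with a single jq filter.

# Prints "<marker> <group/name> <new-version> [<old-version>]" per difference.
sbom_diff() {  # usage: sbom_diff OLD.json NEW.json
  jq -rn --slurpfile old "$1" --slurpfile new "$2" '
    # Build an object mapping "group/name" -> version (assumed package key).
    def pkgs: [.components[]?
               | {key: ((.group // "") + "/" + .name), value: (.version // "")}]
              | from_entries;
    # Heuristic ordering: compare the numeric runs of each version string.
    def vkey: [scan("[0-9]+") | tonumber];
    ($old[0] | pkgs) as $o | ($new[0] | pkgs) as $n
    | (($o + $n) | keys[]) as $k
    | if   ($o | has($k) | not)  then "+ \($k) \($n[$k])"
      elif ($n | has($k) | not)  then "- \($k) \($o[$k])"
      elif $n[$k] == $o[$k]      then empty
      elif ($n[$k] | vkey) > ($o[$k] | vkey)
                                 then "↑ \($k) \($n[$k]) \($o[$k])"
      else                            "↓ \($k) \($n[$k]) \($o[$k])"
      end'
}

# Constructed sample SBOMs, trimmed to the fields the filter reads.
write_samples() {  # usage: write_samples DIR
  cat > "$1/old.json" <<'EOF'
{"bomFormat":"CycloneDX","components":[
 {"group":"org.springframework","name":"spring-core","version":"6.1.14"},
 {"group":"org.apache.lucene","name":"lucene-core","version":"6.6.5-patched.20"},
 {"group":"com.sun.xml.bind","name":"jaxb-core","version":"4.0.3"},
 {"group":"org.example","name":"pinned-lib","version":"2.1.0"},
 {"group":"org.example","name":"unchanged-lib","version":"1.0.0"}]}
EOF
  cat > "$1/new.json" <<'EOF'
{"bomFormat":"CycloneDX","components":[
 {"group":"org.springframework","name":"spring-core","version":"6.2.8"},
 {"group":"org.apache.lucene","name":"lucene-core","version":"6.6.5-patched.21"},
 {"group":"com.sun.xml.bind","name":"jaxb-xjc","version":"4.0.3"},
 {"group":"org.example","name":"pinned-lib","version":"2.0.9"},
 {"group":"org.example","name":"unchanged-lib","version":"1.0.0"}]}
EOF
}

# Demo: intermediate files live in a temp dir that is removed on exit.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
sbom_diff "$tmp/old.json" "$tmp/new.json"
```

Components that share a group/name collapse to a single entry in this sketch, so an image that ships two versions of the same library needs a richer key (for example the purl) before the diff can be trusted.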

License

This script is provided under the MIT License, though it uses tools that may be under their own licenses (e.g., Syft, Grype).
