Base and Parent Images

A Docker or OCI image is composed of layers. Some of the layers are created during a build process, such as following the instructions in a Dockerfile, but many of the layers will come from previously built images. These images likely come from a container team at your organization, or may be built directly on images from a Linux distribution vendor. In some cases this chain can be many images deep as various teams add standard software or configuration.

Docker uses the FROM clause to denote the image to use as the basis for building a new image. The image provided in this clause is known by Docker as the “Parent Image”, but it is commonly referred to as the “Base Image”. The chain of images built from other images using the FROM clause is known as an image’s ancestry.

Note: Docker defines “Base Image” as an image with a FROM scratch clause. Anchore does NOT follow this definition; it instead follows the more common usage, where “Base Image” refers to the image that a given image was built from.

The following is an example of an image with multiple ancestors.

A base distro image, for example debian:10:

FROM scratch
...

A framework container image built from that debian image, for example a node.js image; let’s call it mynode:latest:

FROM debian:10

# Install nodejs

The application image itself, built from the framework container; let’s call it myapp:v1:

FROM mynode:latest
COPY ./app /
...

In this case, the parent image of myapp:v1 is mynode:latest, while the parent of mynode:latest is debian:10.

Anchore automatically calculates an image’s ancestry as images are scanned. This works by comparing the layer digests of each image to calculate the entire chain of images that produced a given image. The entire ancestry of an image can be retrieved through the GET /v2/images/{image_digest}/ancestors API. See the API docs for more information on the specifics.

Some APIs in Anchore accept a base_digest parameter that is used to provide comparison data between two images. These APIs can be used in conjunction with the ancestry API to perform comparisons against the base image, so that application developers can focus on the results that are within their direct control.

Some places in Anchore must automatically calculate the comparison image; in these cases the closest ancestor (the one with the most layers in common) will be used.
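To make the layer-digest approach concrete, the following added example (not Anchore’s own code) models how a parent chain can be recovered from the ordered layer digests of a set of scanned images: an image is treated as an ancestor of another when its layer list is a strict prefix of the other’s, and the closest ancestor is the one that shares the most layers. The catalogue and the digests are constructed placeholders mirroring the debian:10 → mynode:latest → myapp:v1 chain above; they are not real sha256 values, and the prefix rule is an assumption about how such a comparison can be modeled, not a description of Anchore’s internals.

```python
"""Recovering an image's ancestry from ordered layer digests (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    tag: str
    layers: tuple  # ordered layer digests, lowest (base) layer first


# Constructed sample catalogue; the digests are placeholders, not real sha256 values.
CATALOGUE = [
    Image("debian:10", ("sha256:L1",)),
    Image("mynode:latest", ("sha256:L1", "sha256:L2", "sha256:L3")),
    Image("myapp:v1", ("sha256:L1", "sha256:L2", "sha256:L3", "sha256:L4")),
    Image("unrelated:1", ("sha256:X1", "sha256:X2")),
]


def common_prefix_len(a, b):
    """Number of leading layers two images share, compared in order."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def is_ancestor(candidate, image):
    """An ancestor's layers must all be present, in order, at the bottom of the
    image, and the ancestor must have fewer layers (an image is not its own ancestor)."""
    return (
        len(candidate.layers) < len(image.layers)
        and common_prefix_len(candidate.layers, image.layers) == len(candidate.layers)
    )


def ancestors(image, catalogue):
    """All ancestors of image, ordered from closest (most shared layers) to furthest."""
    found = [c for c in catalogue if is_ancestor(c, image)]
    return sorted(found, key=lambda c: len(c.layers), reverse=True)


def closest_ancestor(image, catalogue):
    """The ancestor with the most layers in common, or None for a root image."""
    chain = ancestors(image, catalogue)
    return chain[0] if chain else None


def by_tag(tag, catalogue=CATALOGUE):
    return next(i for i in catalogue if i.tag == tag)


if __name__ == "__main__":
    app = by_tag("myapp:v1")
    print("ancestry of", app.tag, "->", [a.tag for a in ancestors(app, CATALOGUE)])
    print("closest ancestor:", closest_ancestor(app, CATALOGUE).tag)
```

Two images that are re-tags of the same content have identical layer lists, so neither is an ancestor of the other under the strict-prefix rule; a scratch-built image such as debian:10 has no ancestor in the catalogue and yields None.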

Comparing an Image with its Base or Parent

Anchore Enterprise provides a mechanism to compare the policy checks and security vulnerabilities of an image with those of a base image. This allows clients to:

  • filter out results that are inherited from the base image and focus on the results relevant to the application image
  • reverse the focus and examine the base image for policy check violations and vulnerabilities, which can be a deciding factor in choosing the base image for the application
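The two directions of that comparison can be illustrated with a small added example (not Anchore’s own code or output format). Given the vulnerability findings for an application image and for its base image, it splits the application’s findings into those inherited from the base and those introduced on top of it, and also reports base findings that no longer appear in the application image. Findings are keyed on vulnerability id, package and version, so a package the application rebuilds at a different version is not treated as inherited. The sample findings are constructed and the CVE-style ids are placeholders, not real advisories.

```python
"""Splitting an application image's findings into inherited vs. introduced (added example)."""
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "vuln_id package version severity")

# Constructed sample data; the CVE-style ids are placeholders, not real advisories.
BASE_FINDINGS = [
    Finding("CVE-0000-0001", "libssl", "1.1.1", "High"),
    Finding("CVE-0000-0002", "curl", "7.64", "Medium"),
]
APP_FINDINGS = [
    Finding("CVE-0000-0001", "libssl", "1.1.1", "High"),    # same as base: inherited
    Finding("CVE-0000-0002", "curl", "7.74", "Medium"),     # app rebuilt curl: not inherited
    Finding("CVE-0000-0003", "express", "4.17", "Critical"),  # app-layer package
]


def finding_key(f):
    """Identity of a finding for comparison purposes: vuln id, package and version."""
    return (f.vuln_id, f.package, f.version)


def compare_to_base(app_findings, base_findings):
    """Return (inherited, introduced, base_only).

    inherited: app findings also present in the base image, outside the app team's control
    introduced: app findings absent from the base image, in the app team's direct control
    base_only: base findings absent from the app image (e.g. a package the app upgraded)
    """
    base_keys = {finding_key(f) for f in base_findings}
    app_keys = {finding_key(f) for f in app_findings}
    inherited = [f for f in app_findings if finding_key(f) in base_keys]
    introduced = [f for f in app_findings if finding_key(f) not in base_keys]
    base_only = [f for f in base_findings if finding_key(f) not in app_keys]
    return inherited, introduced, base_only


def severity_counts(findings):
    """Per-severity counts, useful when weighing one base image against another."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    inherited, introduced, base_only = compare_to_base(APP_FINDINGS, BASE_FINDINGS)
    print("inherited from base:", [f.vuln_id for f in inherited])
    print("introduced by app:  ", [f.vuln_id for f in introduced])
    print("base only:          ", [f.vuln_id for f in base_only])
    print("base severity mix:  ", severity_counts(BASE_FINDINGS))
```

The `introduced` list is what an application developer would review first; `severity_counts` over each candidate base image’s findings supports the reverse view of picking a base image.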

To read more about the base comparison features, jump to

Last modified June 3, 2024