Compare Against a Base Image
Anchore Enterprise can compare an image’s findings — both vulnerabilities and policy results — against those of its base image, so developers can focus on issues introduced by their own changes and filter out noise inherited from a platform team’s golden image.
Base-image comparison is image-scoped only — it operates on a pair of analyzed container images and tags each finding by whether the same issue is present in the base. App-version-scoped evaluations do not currently surface a base-image dimension; for the broader v6 evaluation surface, see Scans.
For an overview of how Anchore Enterprise identifies a candidate base image and applies its selection rules, see Base and Parent Images.
How It Works
Both the image policy-check and the image vulnerabilities API accept an optional base_digest query parameter. When supplied, each finding in the response carries an inherited_from_base field:
- true — the same finding exists in the base image.
- false — the finding is unique to the evaluated image.
- null — no comparison was performed (no base_digest was supplied).
base_digest=auto instructs Anchore Enterprise to select the base image automatically using the ancestry rules described in Base and Parent Images.
Compare Policy Checks
The policy-check endpoint evaluates both images against the same policy and tag, which keeps the comparison fair:
curl -X GET -u <username:password> \
"http://<servername:port>/v2/images/sha256:xyz/check?tag=p/q:r&base_digest=sha256:abc"
Each finding object in the response carries "inherited_from_base": true|false. A dockerfile-instruction trigger that fires on both images will be marked inherited; a vulnerability-package trigger that fires only on the evaluated image will not. The full request and response schemas are in the API browser.
Compare Vulnerabilities
The image-vulnerabilities endpoint also accepts base_digest and tags each matched vulnerability with the same inherited_from_base field:
curl -X GET -u <username:password> \
"http://<servername:port>/v2/images/sha256:xyz/vuln/all?base_digest=sha256:abc"
A CVE that affects the same package in both images is marked inherited_from_base: true; a CVE that affects a package present only in the evaluated image is false.
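The following added example (not Anchore's own code) reproduces the inherited_from_base semantics from the two sections above on constructed data, so you can see which findings a developer must own, and builds the vuln/all request URL with base_digest. The finding field names (vuln, package_name, package_version) and the matching key (same CVE on the same package name and version) are assumptions for the example; the real schema is in the API browser.

```python
from typing import Optional
from urllib.parse import urlencode


def vuln_url(server: str, digest: str, base_digest: Optional[str] = None) -> str:
    """Build the v2 image-vulnerabilities URL, appending base_digest only when
    a comparison is requested. base_digest may be an explicit sha256 digest or
    "auto", which asks Anchore Enterprise to pick the base via ancestry rules."""
    url = f"{server}/v2/images/{digest}/vuln/all"
    if base_digest:
        url += "?" + urlencode({"base_digest": base_digest}, safe=":")
    return url


def _key(finding: dict) -> tuple:
    # Assumed matching key: same CVE on the same package name and version.
    return (finding["vuln"], finding["package_name"], finding["package_version"])


def tag_inherited(findings: list, base_findings: Optional[list]) -> list:
    """Tag each finding the way the API does: True if the same CVE/package pair
    is also in the base image, False if it is unique to the evaluated image,
    None when no base was supplied (base_findings is None)."""
    base_keys = None if base_findings is None else {_key(f) for f in base_findings}
    tagged = []
    for f in findings:
        entry = dict(f)
        entry["inherited_from_base"] = None if base_keys is None else _key(f) in base_keys
        tagged.append(entry)
    return tagged


def unique_to_image(tagged: list) -> list:
    """Findings introduced by the evaluated image's own layers: only those
    explicitly False (None means no comparison ran, so nothing is filtered)."""
    return [f for f in tagged if f["inherited_from_base"] is False]


# Constructed sample findings (CVE ids and packages are placeholders).
BASE_VULNS = [
    {"vuln": "CVE-EXAMPLE-0001", "package_name": "openssl", "package_version": "3.0.1"},
    {"vuln": "CVE-EXAMPLE-0002", "package_name": "libc6", "package_version": "2.36"},
]
IMAGE_VULNS = [
    {"vuln": "CVE-EXAMPLE-0002", "package_name": "libc6", "package_version": "2.36"},
    {"vuln": "CVE-EXAMPLE-0003", "package_name": "requests", "package_version": "2.25.0"},
    # Same CVE as the base, but the app layer installed a different openssl
    # version, so under the assumed key it is not inherited.
    {"vuln": "CVE-EXAMPLE-0001", "package_name": "openssl", "package_version": "3.0.5"},
]

if __name__ == "__main__":
    for f in unique_to_image(tag_inherited(IMAGE_VULNS, BASE_VULNS)):
        print(f["vuln"], f["package_name"], f["package_version"])
```

Running the script lists only the two findings the developer introduced; the libc6 CVE inherited from the base is filtered out.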
Where the Comparison Is Used
Beyond the direct API calls, base-image information shows up in several places:
- Policies. The Ancestry gate applies rules based on the resolved base or ancestor digests. The vulnerabilities gate’s package trigger accepts an inherited_from_base parameter so you can write rules that fire only on findings unique to the evaluated image — see Vulnerabilities gate.
- Reports. Vulnerability reports include an Inherited From Base column populated from the same field.
- Anchore Enterprise GUI. The image detail page displays the resolved base image and uses it to flag inherited findings on the Vulnerabilities and Compliance tabs.
For the underlying matching pipeline that produces these findings before the comparison runs, see How It Works.
Last modified June 16, 2026