If you use Anchore to subscribe to tags and receive notifications when images are updated, you will be familiar with these kinds of emails:

I have subscribed to receive notifications on this and many other images that I use as part of applications I deploy. The tag update notification is just one of the different subscriptions supported by Anchore Cloud.

The obvious next question you will ask is “well what changed?”

There is no easy way to perform a “diff” on Docker container images to see what has changed between versions. While there is a docker diff command, it shows which files have changed in a running container’s writable layer relative to the image it was started from; it will not show changes between two container images. You could also look at the Dockerfile, however, the same Dockerfile built at two different times will likely produce different images, since the underlying operating system packages and application files may have been updated in the meantime.

We just updated the Anchore Cloud to add a new tab to the image view that shows a changelog for the image.

At the top of the changelog, we show the changes in metadata between the current image (left) and the previous image (right). Here you can see that the image ID and digest have changed; however, the image is still built on Debian 9, is approximately the same size and has the same number of layers.

For each of the content types that Anchore supports, a subtab can be selected showing the detailed changes. Today Anchore supports scanning of operating system packages, Node.js NPM modules, Ruby Gems, Python modules, Java archives (JAR, EAR, WAR) and files.

On each tab, you can filter the view to show files that were added, changed or removed. The lines in the table are color-coded to show the nature of the change.

In the example below we can see that six packages were updated; for example, the postgresql-10 package was updated from 10.0-1.pgdg90+1 to 10.1-1.pgdg90+1.

You may be tempted to always pull a new image when an update is reported; however, we have seen that in many cases this is not necessary. We saw a recent example of this when we received a notification that the official ubuntu:latest image had been updated. Looking at the changelog, we can see that there were no changes to files or packages in the image, just metadata.

Some projects, which we will not name here, have the habit of rebuilding their images often even if there have been no changes to the underlying packages or configuration. In theory, the images should be identical, but in practice, even though the binaries on the filesystem have not changed, the package manager’s database will be different, so the image ID and digest change. So if you see that an image you use has been updated, check the changelog before you pull it to see whether anything of consequence has changed before you go through the effort of rebuilding your own images on top of it.
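To make the distinction between a content change (the postgresql-10 bump above) and a metadata-only rebuild concrete, here is an added example of the changelog logic as a small script. It is not Anchore’s code; the image inventories, IDs and digests are constructed sample data, and the per-content-type layout mirrors the subtabs described above.

```python
"""Image changelog diff in the style of the Anchore Cloud changelog tab.
Added example with constructed inventories; not Anchore's own code."""
from dataclasses import dataclass


@dataclass
class ImageInventory:
    image_id: str
    digest: str
    distro: str
    layers: int
    # content type ("os", "npm", "files", ...) -> item name -> version or file hash
    content: dict


def diff_items(old, new):
    """Classify one content type's items as added, removed or changed (old -> new)."""
    added = {n: new[n] for n in new.keys() - old.keys()}
    removed = {n: old[n] for n in old.keys() - new.keys()}
    changed = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    return {"added": added, "removed": removed, "changed": changed}


def diff_metadata(previous, current):
    """Metadata shown at the top of the changelog: only the fields that differ."""
    fields = ("image_id", "digest", "distro", "layers")
    return {f: (getattr(previous, f), getattr(current, f))
            for f in fields if getattr(previous, f) != getattr(current, f)}


def changelog(previous, current):
    """One diff per content type, i.e. one entry per subtab."""
    types = previous.content.keys() | current.content.keys()
    return {t: diff_items(previous.content.get(t, {}), current.content.get(t, {}))
            for t in sorted(types)}


def rebuild_needed(previous, current):
    """True only when some package or file actually changed. A new image ID and
    digest alone (a metadata-only rebuild) do not justify re-pulling."""
    return any(bucket for d in changelog(previous, current).values() for bucket in d.values())


# Constructed sample: the previous tag build versus the rebuild that triggered a notification.
PREVIOUS = ImageInventory("sha256:PREV-ID", "sha256:PREV-DIGEST", "debian 9", 9,
                          {"os": {"postgresql-10": "10.0-1.pgdg90+1", "libc6": "2.24-11+deb9u1"},
                           "files": {"/etc/passwd": "hash-1"}})
CURRENT = ImageInventory("sha256:CUR-ID", "sha256:CUR-DIGEST", "debian 9", 9,
                         {"os": {"postgresql-10": "10.1-1.pgdg90+1", "libc6": "2.24-11+deb9u1"},
                          "files": {"/etc/passwd": "hash-1"}})
# Same content rebuilt later: only ID and digest differ, as in the ubuntu:latest case.
METADATA_ONLY = ImageInventory("sha256:REBUILD-ID", "sha256:REBUILD-DIGEST", "debian 9", 9, PREVIOUS.content)

if __name__ == "__main__":
    print("metadata:", diff_metadata(PREVIOUS, CURRENT))
    print("os changed:", changelog(PREVIOUS, CURRENT)["os"]["changed"])
    print("rebuild needed:", rebuild_needed(PREVIOUS, CURRENT), rebuild_needed(PREVIOUS, METADATA_ONLY))
```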

You can create a free account on the Anchore Cloud to view changelogs for public images and subscribe to receive updates when tags are updated. Paid subscribers can also scan and inspect their private images stored on Docker Hub or Amazon EC2 Container Registry and receive updates for CVE and policy changes in addition to tag updates.