Docker Scout Compare Command: Description and Examples

| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive | | `--to` | `string` | | Image, directory, or archive to compare to | | `--to-env` | `string` | | Name of environment to compare to | | `--to-latest` | | | Latest image processed to compare to | | `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive. |  ## Description The `docker scout compare` command analyzes two images and displays a comparison. > This command is **experimental** and its behaviour might change in the future The intended use of this command is to compare two versions of the same image. For instance, when a new image is built and compared to the version running in production. If no image is specified, the most recently built image is used as a comparison target. The following artifact types are supported: - Images - OCI layout directories - Tarball archives, as created by `docker save` - Local directory or file By default, the tool expects an image reference, such as: - `redis` - `curlimages/curl:7.87.0` - `mcr.microsoft.com/dotnet/runtime:7.0` If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following: - `image://` (default) use a local image, or fall back to a registry lookup - `local://` use an image from the local image store (don't do a registry lookup) - `registry://` use an image from a registry (don't use a local image) - `oci-dir://` use an OCI layout directory - `archive://` use a tarball archive, as created by `docker save` - `fs://` use a local directory or file - `sbom://` SPDX file or in-toto attestation file with SPDX predicate or `syft` json SBOM file ## Examples ### Compare the most recently built image to the latest tag ```console $ docker scout compare --to namespace/repo:latest ``` ### Compare local build to the same tag from the registry ```console $ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest ``` ### Ignore base images ```console $ docker scout compare --ignore-base --to namespace/repo:latest namespace/repo:v1.2.3-pre ``` ### Generate a markdown output ```console $ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre ``` ### Only compare maven packages and only display critical vulnerabilities for maven packages ```console $ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre ``` ### Show all policy results for both images ```console docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre ```

The `docker scout compare` command analyzes and compares two images. It supports various artifact types like images, OCI directories, and tarball archives. The command uses an image reference by default, but prefixes like `local://`, `registry://`, `oci-dir://`, `archive://`, and `fs://` can be used to specify the artifact source. Examples demonstrate comparing the most recently built image, local builds to registry images, ignoring base images, generating markdown outputs, filtering by package type and severity, and showing policy results for both images.