Vulnerabilities Diff

The Vulnerabilities Diff uses two best-in-class open source scanners, Grype and Trivy, to show a detailed comparison of container vulnerabilities by scanner and risk level. We use multiple scanners because it’s not uncommon for one scanner to pick up a vulnerability that another has missed. We compile the results of both to give you a more complete view, in case you don’t know which scanner your customers are using. Very soon we’ll begin allowing you to bring your own license for Snyk and others so you’ll be able to do multi-vulnerability scanning automatically as part of your CI workflow.

There are two use cases in which you’ll see the benefits of this powerful feature:

  • Comparing container versions: Using Vulnerabilities Diff to understand what changed from one container version to another, useful when updating versions or debugging a breaking change.
  • Post-optimization analysis: Using Vulnerabilities Diff to see removed security risks resulting from unused files and bloat and to assess any risks that still remain after optimizing your container.

We’ll walk you through both use cases in detail below.

Comparing Container Versions

You can compare versions by searching for any container. Click the ‘compare versions’ icon on the right to navigate to the selection drop-downs:

You can compare any two containers, with all available versions listed in the second drop-down.

When you hit the ‘Compare’ button, it runs an X-Ray first, generating the File System DiffImage Metadata DiffUnified Diff, and Dockerfile Diff while the vulnerability scan completes.

When the Vulnerabilities Diff generates, you’ll see a high-level comparison between the two container versions, followed by the hyper-detailed vulnerability in-line comparison. You can click into each vulnerability to reveal a summary card.

The Occurrences column alerts you to repeated instances of the vulnerability in your container. In the next two columns, you’ll be able to see if a fix is available, and get a direct link to the CVE page for more information. Next, you’ll see logos identifying which scanner(s) found the vulnerability, and finally, the equals (=) plus (+) and minus (-) signs indicating whether the vulnerability exists in both versions, is newly added, or has been removed in the newer version.

Post-Optimization Analysis

In this use case, the Vulnerabilities Diff generates with the results of your container optimization. You’ll first see the Vulnerabilities Direction and Comparison Summary:

Scrolling down to the detailed vulnerabilities in-line comparison, you’ll have filtering options for Fix AvailabilitySeverityScanner and Diff Status. In green, you’ll see those vulnerabilities that the optimization process removed from your container.

The vulnerabilities in-line comparison flags vulnerabilities that have an available fix, and gives direct links to the CVE pages where you can get all the details about each specific vulnerability.

Need more?

Vulnerabilities Diff is particularly useful for teams collaborating on vulnerability reduction and container hardening. If you're interested in using Vulnerabilities Diff at scale with your team, contact us at to learn more about our Design Partner program.