Security change intelligence for Docker upgrades

Compare CVEs between two Docker image versions before upgrading.

Stop guessing whether an image bump helps or hurts. Run a side-by-side vulnerability diff and see exactly which CVEs are fixed, introduced, or still present.

Current base image

python:3.11-bookworm

Candidate image

python:3.12-bookworm

Net risk change

-18 weighted points

23 CVEs fixed, 5 introduced, 41 unchanged

The problem

Teams upgrade base images for patches but often introduce different vulnerabilities without realizing it until after deployment.

The solution

Compare two exact tags and get a direct CVE diff with fixed vulnerabilities, new exposure, and unchanged risk.

Why it matters

Security and DevOps can approve upgrades faster because risk deltas are explicit, quantified, and review-friendly.

Pricing

Choose scan credits for occasional upgrades or unlimited mode for continuous hardening.

Single Scan

$12 per scan

Perfect for one-off base image upgrades. Compare two tags, get a full fixed/new CVE diff, and export the evidence to your ticket.

  • 1 complete image-to-image diff
  • Severity-weighted risk delta
  • Package-level affected component mapping

Unlimited

$29 per month

For teams that upgrade often. Run unlimited comparisons while hardening CI pipelines and pre-merge upgrade checks.

  • Unlimited CVE diff scans
  • Use for release and patch cycles
  • Priority webhook processing

FAQ

How is this different from a standard image scanner?

Most scanners show one image in isolation. This tool compares two specific tags and highlights what changed: vulnerabilities fixed, newly introduced, and the weighted risk delta.

Which container images are supported?

The scanner supports public Docker images based on Debian, Ubuntu, or Alpine package databases. That covers the majority of common base images used by DevOps teams.

How do I unlock access after checkout?

Configure your Stripe Payment Link success URL to include ?session_id={CHECKOUT_SESSION_ID}, then open /unlock and paste that session ID. The tool verifies webhook-backed payment state and sets secure access cookies.