30 open-source projects similar to googlecontainertools/container-diff, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Container Diff alternative.
Finch is a virtual machine-based container runtime and OCI container management CLI used for local container development. It operates by running container workloads inside a background virtual machine to isolate them from the host operating system. The project serves as an OCI image builder and a multi-container service orchestrator for simulating complex production environments on a workstation. The runtime functions as a cross-platform container engine, utilizing emulation layers to execute container images built for foreign CPU architectures. It distinguishes its image distribution through
Hadolint is a static analysis tool designed to validate container build configurations. It functions as a security scanner and configuration auditor, parsing build instructions into a structured format to identify deviations from security and efficiency standards. The tool distinguishes itself by performing deep inspection of embedded shell commands. By tokenizing and analyzing these scripts, it detects common scripting errors and security vulnerabilities that might otherwise persist within a container image. It integrates external analysis tools to provide specialized validation for these in
Slim is a comprehensive suite for container lifecycle management, providing tools for image inspection, optimization, security hardening, and service troubleshooting. It functions as a platform for analyzing containerized applications through both static metadata review and dynamic behavioral probing, enabling users to understand image composition and runtime dependencies. The project distinguishes itself by automating the creation of minimal, production-ready container images. It achieves this by removing unnecessary files and components, flattening image layers, and synthesizing restrictive
Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The proj
This project is a suite of specialized tools for linting, minifying, analyzing, and managing container images and their associated registries. It provides a set of utilities including an image minifier to reduce image size, a security profiler to harden running containers, an image analyzer for static inspection, and a registry manager for organizing multi-architecture indices. The toolset distinguishes itself through behavior-based optimization and security. It uses dynamic analysis to track executed instructions and file access to remove unused binary data, and records kernel interactions t
Dive is a command-line tool designed for the analysis and optimization of container images. It functions as a layered storage inspector, allowing users to decompose image manifests to examine individual filesystem layers and identify opportunities to reduce total image size. The tool features a filesystem diffing engine that calculates net changes between sequential layers to highlight redundant data and storage inefficiencies. Users interact with this data through a terminal-based dashboard that provides keyboard-driven navigation of complex file structures and layer metadata. By abstracting
Skopeo is an OCI container image manager and registry client designed for inspecting, copying, and signing container images across different registries and storage backends. It enables the manipulation of container images using direct API calls to registries, operating independently of a local container daemon or runtime. The tool provides specialized capabilities for container image mirroring and synchronization, specifically supporting the mirroring of external repositories to internal registries for air-gapped environments. It also functions as a container image signing tool, allowing for
Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity
This project provides a comprehensive guide for securing the software supply chain within Node.js and npm environments. It focuses on hardening the entire lifecycle of third-party dependencies and package publishing processes to protect applications from malicious code injection and unauthorized registry modifications. The guide distinguishes itself by emphasizing identity-based authentication and cryptographic provenance to verify the origin of distributed artifacts. It advocates for strict governance policies, such as enforcing minimum release ages for dependencies and disabling automatic l
This project is a comprehensive, curated directory of static analysis, linting, and security scanning utilities. It serves as a central resource for developers to discover, compare, and select tools based on specific programming languages, licensing models, and integration requirements. The directory distinguishes itself by providing deep metadata for each listed utility, including community-driven popularity rankings, maintenance status, and deployment methods. By aggregating these tools into a single searchable index, it enables teams to identify solutions for enforcing coding standards, ma
Renovate is a GitOps-driven dependency management engine designed to automate the maintenance of software projects. It functions as an automated update tool that scans repository files to identify outdated dependencies, fetches the latest compatible versions from external sources, and generates pull requests to apply those updates. By integrating directly with code hosting platforms, it synchronizes project dependencies through declarative configuration files, ensuring that software components remain current and secure. The project distinguishes itself through its platform-agnostic architectu
SkillSpector is a security scanner designed to detect vulnerabilities and malicious patterns in AI agent plugins and extensions before they are installed. It functions as a runtime guardrail that calculates numeric risk scores and assigns severity labels to provide installation recommendations or block risky external extensions. The project distinguishes itself by using language models to perform semantic code analysis, evaluating code intent and context to reduce false positives. It also employs fingerprint-based issue suppression to track and ignore previously accepted risks across repeated
The OCI Container Image Specification is a standardized format for container images that ensures interoperability between different build tools and runtimes. It serves as a distribution standard for structuring image blobs and manifests, providing a consistent way to transfer data between registries and clients. The specification employs a content-addressable storage standard that identifies image layers and manifests using cryptographic digests to ensure data integrity. It includes a JSON-based configuration schema for defining execution metadata, such as entrypoints and environment variable
SecurityAdvisories is a software composition analysis tool and PHP security advisory database used to audit project dependencies against known security flaws and CVEs. It functions as a vulnerability scanner for PHP projects to identify and manage risky third-party libraries. The project implements a system for detecting and blocking vulnerable dependencies during the software development lifecycle. It prevents the installation of software packages with known security flaws by maintaining an exclusion list of forbidden versions. The tool integrates with the PHP package manager to intercept d
This project is a GitHub Action that automates the building and pushing of Docker container images to OCI registries. It functions as a multi-platform container builder and publisher using the Buildx engine to create images compatible with multiple hardware architectures. The tool distinguishes itself through software supply chain security features, including the generation of software bills of materials and provenance attestations to verify image integrity. It optimizes construction speed via remote cache management and supports secure secret injection to prevent sensitive data from persisti
This project is a collection of curated and standardized Docker base images that serve as reliable starting points for building containerized applications. It functions as an OCI container image repository and a build template library, providing a central source of truth for images that adhere to Open Container Initiative standards for portability. The project utilizes an automated image lifecycle pipeline to build, tag, and push images, ensuring that dependencies remain current and security patches are applied. It specifically supports cross-platform distribution by providing a multi-archite
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
Docker-Proxy is a self-hosted container image caching and mirroring service. It functions as a registry-aware reverse proxy that intercepts requests to remote registries, storing image layers on local disks to accelerate retrieval speeds and reduce dependencies on external network stability. The service includes a web-based management interface for searching mirrored images and monitoring service status. It supports credential-based authentication to access private images and bypass anonymous pull rate limits imposed by remote providers. The proxy manages traffic through domain mapping and s
Zizmor is a security linter and static analysis tool designed to audit GitHub Actions workflow files. It functions as a CI/CD security scanner that identifies security vulnerabilities, misconfigurations, and software supply chain risks within automation pipelines. The project distinguishes itself by providing an automated workflow remediator that applies security fixes to identified vulnerabilities. It also implements a language server for integration with code editors and supports a variety of analysis personas to scale the sensitivity and volume of reported findings. The tool covers a broa
Flox is a Nix environment manager designed to create, share, and maintain reproducible software stacks. It uses declarative manifests to isolate project dependencies and toolchains, ensuring identical runtimes across different machines and operating systems. The platform distinguishes itself by enabling the deployment of imageless workloads to Kubernetes, allowing software to run in pods without traditional container images. It can also synthesize OCI-compliant container images and distroless artifacts directly from declarative environment definitions. The project covers broad capability are
This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in dep
Scorecard is an open source security scanner and software supply chain analysis tool that evaluates the security posture of projects by calculating risk metrics based on best practices. It functions as a security health dashboard, visualizing security gaps through scores and badges to help maintainers identify vulnerabilities. The project provides a system for monitoring repository security through a GitHub Action security auditor that alerts maintainers when security scores drop. It also offers a mechanism for vulnerability remediation guidance, mapping identified security gaps to prescripti
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
itpol is a framework for cryptographic key management, digital signature policies, and security hardening. It provides an IT policy template library and infrastructure access frameworks to establish organizational security guidelines and governance. The project focuses on cryptographic identity management through the use of PGP and SSH keys, alongside a security hardening guide for workstations. It defines standards for software supply chain security, specifically regarding the signing of code commits and software releases to ensure provenance. The system covers a broad range of security cap
Syft is a software bill of materials generator, container image scanner, and software dependency catalog. It analyzes container images and filesystems to produce comprehensive inventories of installed packages and dependencies in standard formats. Additionally, it serves as a software attestation tool and an SBOM format converter. The project distinguishes itself through the ability to create cryptographically signed attestations for software inventories to ensure provenance and integrity. It also provides the capability to transform software bills of materials between different industry sche
Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc
Semgrep is a static analysis security testing tool designed to identify vulnerabilities and logic errors by matching source code against declarative patterns. It functions as an automated scanner that integrates into development workflows to detect insecure code patterns and enforce coding standards before deployment. The engine utilizes a language-agnostic intermediate representation and a modular parser architecture to normalize diverse programming languages into a unified format. This allows for consistent rule execution across different codebases, enabling users to perform custom structur
Shannon is an integrated security platform designed for autonomous penetration testing, static and dynamic analysis, and automated vulnerability remediation within self-hosted, private infrastructure. It functions as a unified security suite that orchestrates the entire lifecycle of vulnerability management, from initial discovery and reachability prioritization to the generation and verification of code-level patches. The platform distinguishes itself through its agentic approach to security, deploying autonomous agents to execute both black-box and white-box exploits against running applica
Semantic-release is an automated release management tool that determines version increments, generates changelogs, and publishes software packages by analyzing commit history against standardized conventions. It functions as a plugin-based orchestrator that integrates directly into continuous integration pipelines to manage the entire release lifecycle, from verifying environment conditions to distributing artifacts. The project distinguishes itself through its commit-message-driven approach, which enforces consistent versioning standards and automates the creation of release notes based on t
This project provides a comprehensive framework for securing the software supply chain within the Node.js ecosystem. It focuses on mitigating risks associated with third-party dependencies by implementing technical controls and governance policies designed to prevent malicious code injection and ensure the integrity of the development environment. The guide distinguishes itself by offering specific hardening techniques for package management, such as disabling automatic execution of lifecycle scripts and enforcing strict registry-scoped dependency routing to prevent dependency confusion. It e