How to Compare Docker Files and Container Configs

Why Docker Config Comparison Matters

Docker configurations are infrastructure code. A changed base image tag, an added environment variable, or a modified volume mount can introduce security vulnerabilities, performance regressions, or application failures. Systematic comparison of Dockerfiles and compose files — between versions, between environments, and against known-good baselines — is essential for reliable containerized systems.

Comparing Dockerfiles

Dockerfiles are plain text, so standard diff works — but there are Docker-specific patterns to watch for:

# Compare two Dockerfile versions
diff -u Dockerfile.v1 Dockerfile.v2

# Key things to look for in the diff:
# - Changed FROM base image (security implications)
# - New RUN commands (added packages or configuration)
# - Changed COPY/ADD patterns (file permissions, secrets exposure)
# - ENV changes (config drift, leaked secrets)
# - EXPOSE changes (port exposure)

Base Image Security Comparison

When updating a base image, compare the security posture:

# Inspect image details
docker inspect node:18-alpine > node18.json
docker inspect node:20-alpine > node20.json

# Compare with jq normalization
jq -S '{Architecture, Os, RootFS, Config: {Env, ExposedPorts, Entrypoint}}' node18.json > node18-clean.json
jq -S '{Architecture, Os, RootFS, Config: {Env, ExposedPorts, Entrypoint}}' node20.json > node20-clean.json
diff -u node18-clean.json node20-clean.json

Docker Compose Comparison

When comparing docker-compose.yml files across environments:

# Normalize and compare (strip comments, normalize whitespace)
docker compose -f docker-compose.staging.yml config > staging-resolved.yml
docker compose -f docker-compose.prod.yml config > prod-resolved.yml

# The 'config' command resolves variables and anchors, giving you the canonical form
diff -u staging-resolved.yml prod-resolved.yml

Use DiffChecker Pro's YAML diff mode to paste both resolved compose files for a clear visual diff with key-normalized comparison.

Comparing Container Layer Diffs

The dive tool lets you inspect and compare what changed between Docker image layers:

# Install dive
brew install dive

# Analyze an image
dive my-app:v1.2.0

# Compare two images
docker save my-app:v1.1.0 | gzip > v1.1.0.tar.gz
docker save my-app:v1.2.0 | gzip > v1.2.0.tar.gz
# Then use dive to compare layer efficiency

Detecting Configuration Drift Between Environments

#!/bin/bash
# compare-container-configs.sh

for service in api worker scheduler; do
  echo "=== $service ==="

  # Get running container's env vars
  docker inspect "${service}_staging_1"     --format '{{json .Config.Env}}' | jq -S '.' > "${service}-staging-env.json"

  docker inspect "${service}_prod_1"     --format '{{json .Config.Env}}' | jq -S '.' > "${service}-prod-env.json"

  # Compare (excluding secrets)
  diff <(grep -v "SECRET|PASSWORD|KEY" "${service}-staging-env.json")        <(grep -v "SECRET|PASSWORD|KEY" "${service}-prod-env.json")
done

Security Scanning with Image Comparison

Use Trivy to scan both old and new images, then compare the vulnerability reports:

trivy image --format json my-app:v1.1.0 > vulns-v1.1.0.json
trivy image --format json my-app:v1.2.0 > vulns-v1.2.0.json

# Extract just the CVE IDs for comparison
jq '[.Results[].Vulnerabilities[]?.VulnerabilityID] | sort | unique' vulns-v1.1.0.json > cves-old.json
jq '[.Results[].Vulnerabilities[]?.VulnerabilityID] | sort | unique' vulns-v1.2.0.json > cves-new.json
diff cves-old.json cves-new.json

New CVEs added in the diff mean the new image introduced new vulnerabilities — address these before deploying.