v1.2.0 · open source · MIT

rift

The git diff for container images.
File-level diff · layer attribution · secrets & policy · CI-ready in six lines.

— 02 what it finds
01

One-screen verdict

--summary collapses an entire diff into six lines: size delta, files added/removed/modified, package upgrades, security findings, and a verdict. No scrolling, no noise. The fastest way to answer "should I merge this base image bump?"

02

Layer attribution

--layers groups every changed file by the Dockerfile instruction that created it. Turns "312 file changes" into "7.5 MB came from the Node binary upgrade in Layer 1." You stop guessing which RUN line bloated your image.

03

Secrets & policy, enforced

Flags SUID/SGID additions, world-writable files, permission escalations, new executables, and leaked private keys, AWS access keys, and API tokens baked into layers. Codify the rules in .rift.yml and gate CI with --policy (max-size-growth, no-new-suid, no-world-writable, max-new-executables).
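How permission checks like these work on layer file metadata, as an added example that is not rift's own code: it compares Unix mode bits between two constructed file listings. The `DiffModes` function, the finding names, and the reading of "permission escalation" as an existing file gaining permission bits are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Unix mode bits as recorded in the tar headers of image layers.
const (
	setuid, setgid = 0o4000, 0o2000
	worldWritable  = 0o0002
	anyExec        = 0o0111
)
// Finding is one flagged path. Kind names are this example's labels, not rift's.
type Finding struct{ Kind, Path string }

// DiffModes compares path -> mode listings of two images and reports only bits
// that are newly set, so files that were already SUID or writable stay quiet.
func DiffModes(oldFS, newFS map[string]uint32) []Finding {
	var out []Finding
	for path, mode := range newFS {
		prev, existed := oldFS[path]
		gained := mode &^ prev // prev is 0 for added files, so every bit counts
		if gained&(setuid|setgid) != 0 {
			out = append(out, Finding{"suid-sgid", path})
		}
		if gained&worldWritable != 0 {
			out = append(out, Finding{"world-writable", path})
		}
		if !existed && mode&anyExec != 0 {
			out = append(out, Finding{"new-executable", path})
		}
		if existed && gained&0o777 != 0 { // assumed meaning of "permission escalation"
			out = append(out, Finding{"perm-escalation", path})
		}
	}
	sort.Slice(out, func(i, j int) bool { // map order is random; sort for stable output
		return out[i].Path+"\x00"+out[i].Kind < out[j].Path+"\x00"+out[j].Kind
	})
	return out
}
// Constructed sample listings, not taken from any real image.
var oldImage = map[string]uint32{"/bin/sh": 0o755, "/etc/app.conf": 0o644, "/usr/bin/helper": 0o755}
var newImage = map[string]uint32{"/bin/sh": 0o755, "/etc/app.conf": 0o666, "/usr/bin/helper": 0o4755, "/opt/tool": 0o755}

func main() {
	for _, f := range DiffModes(oldImage, newImage) {
		fmt.Printf("%-16s %s\n", f.Kind, f.Path)
	}
}
```

Reporting only newly gained bits is what keeps a base image bump from re-flagging every SUID binary the old image already shipped.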

04

CI-native by default

Four output formats from one binary: terminal, JSON, Markdown (paste straight into $GITHUB_STEP_SUMMARY), and SARIF (upload to GitHub Code Scanning). Exit 2 on security, size, or policy violations — drop it in a workflow and forget about it.

— 03 install & run
~ /bin/rift
$ curl -fsSL https://rift.ommmishra.in/install.sh | sh
==> detected darwin/arm64
==> installing rift v1.2.0
 checksum verified
 installed to /usr/local/bin/rift

$ rift --summary node:18-alpine node:20-alpine
  Image:    node:18-alpine → node:20-alpine
  Size:     42.8 MB → 46.1 MB (+3.3 MB)
  Files:    48 added, 11 removed, 312 modified
  Packages: alpine-baselayout 3.6.8-r1→3.7.1-r8, +14 more upgraded
  Security: 1 perm escalation, 3 new executable, 2 world-writable, 1 SUID
  Verdict:  !! 7 security finding(s)
— or gate CI with the GitHub Action
- name: Image diff gate
  uses: Ommanimesh2/rift@v1
  with:
    image1: myapp:${{ github.event.pull_request.base.sha }}
    image2: myapp:${{ github.sha }}
    format: markdown
    fail-on-security: true
    size-threshold: 10MB

# Exits 2 on security, size, or policy failures.
# Markdown output streams into $GITHUB_STEP_SUMMARY.
from source
go install github.com/Ommanimesh2/rift@latest
github releases
download binary →
self-update
rift update