# Base Image Detection and Recommendations

## Module
Scanner

## Status
IMPLEMENTED

## Description
Base image detection via layer diffID fingerprinting with PostgreSQL-backed fingerprint database, in-memory index, exact layer match and fuzzy matching, and bulk detection support. Interface `IBaseImageDetector` with full `BaseImageDetector` implementation.

## Implementation Details
- **Core Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/IBaseImageDetector.cs` - `IBaseImageDetector` interface
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/BaseImageDetector.cs` - `BaseImageDetector` with exact layer match and fuzzy matching, bulk detection support
- **Layer Resolution**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/ILayerDigestResolver.cs` - Interface for resolving layer digests
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerDigestResolver.cs` - Resolves layer diffIDs for fingerprint matching
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerProvenance.cs` - Layer provenance tracking for base image attribution
- **Layer Reuse Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/ILayerReuseDetector.cs` - Interface for layer reuse detection
  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/LayerReuseDetector.cs` - Detects shared layers between images for base image identification
- **DI Registration**: `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/ManifestServiceCollectionExtensions.cs`

## E2E Test Plan
- [ ] Scan an image built on a known base image (e.g., `debian:bookworm`) and verify `IBaseImageDetector` identifies the correct base image
- [ ] Verify exact layer match identifies base images by diffID fingerprint comparison
- [ ] Test fuzzy matching with a slightly modified base image (e.g., additional layer) and verify partial match is returned with confidence score
- [ ] Test bulk detection by submitting multiple image references and verify all base images are identified in a single operation
- [ ] Verify base image detection results appear in the scan report and SBOM metadata
- [ ] Verify layer provenance tracking attributes vulnerability findings to base image vs application layers
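
A minimal illustration of the exact and fuzzy diffID matching, bulk detection and layer attribution described above, added here and not taken from the StellaOps code base. The fingerprint table, the shortened diffID values, the `example/runtime:1.0` image, the longest-common-prefix confidence score and the `min_confidence` threshold are all assumptions made for the example; the page does not specify how `BaseImageDetector` scores a fuzzy match.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed fingerprint table: base image reference -> ordered diffID chain.
# Real diffIDs are full sha256 digests of the uncompressed layer tar; these
# shortened values and the example/runtime image are made up for the example.
FINGERPRINTS = {
    "debian:bookworm": ["sha256:aaa1"],
    "python:3.12-slim": ["sha256:aaa1", "sha256:bbb2", "sha256:bbb3"],
    "example/runtime:1.0": ["sha256:ddd1", "sha256:ddd2", "sha256:ddd3"],
}

@dataclass
class Match:
    base: Optional[str]   # matched base image reference, None if nothing matched
    confidence: float     # fraction of the base's layers found at the bottom of the image
    shared_layers: int    # number of leading image layers attributed to the base
    exact: bool           # True when every base layer is present, in order

def common_prefix(a, b):
    """Length of the shared leading run of two diffID chains."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def detect_base(image_layers, db=FINGERPRINTS, min_confidence=0.5):
    """Assumed scoring: exact match first, otherwise longest-prefix ratio."""
    best = Match(None, 0.0, 0, False)
    for ref, base_layers in db.items():
        if not base_layers:
            continue
        shared = common_prefix(image_layers, base_layers)
        confidence = shared / len(base_layers)
        # Higher confidence wins; ties go to the deeper (more specific) base.
        if (confidence, shared) > (best.confidence, best.shared_layers):
            best = Match(ref, confidence, shared, shared == len(base_layers))
    return best if best.confidence >= min_confidence else Match(None, 0.0, 0, False)

def attribute_layers(image_layers, match):
    """Label each layer so findings can be split into base vs application."""
    return ["base" if i < match.shared_layers else "application"
            for i in range(len(image_layers))]

def detect_bulk(images, db=FINGERPRINTS):
    """Run detection for many images against one in-memory index."""
    return {name: detect_base(layers, db) for name, layers in images.items()}
```

Because diffIDs identify uncompressed layer content, a base image that has been rebuilt or re-tagged with different content will no longer match exactly, which is the case the fuzzy score is meant to surface.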