Compare: Structured Drift Over Time

Compare answers more than "what changed." It answers what changed since an accepted reference state, over a specific span of time, with actionable drift context.

Purpose

What Compare does

Compare performs structured drift analysis between the current observation and a trusted reference state. It classifies additions, removals, and modifications and produces evidence suitable for review, escalation, and reporting.

Reference

Why baseline makes Compare meaningful

Without a baseline, Compare results have weaker semantics. With Baseline Scan, Compare can explain drift against an accepted reference, not just generic file changes.

scan run                          -> capture observation
baseline set --scan-id <scan_id>  -> establish trusted reference
compare run                       -> evaluate drift from trusted reference

Semantics

Time is essential to Compare

Required timestamps

  • baseline timestamp (time A)
  • current scan timestamp (time B)
  • elapsed time between A and B

Value

  • Makes drift interpretation stronger
  • Improves incident chronology
  • Supports recency and clustering cues

Output

How Compare should communicate drift over time

Compare output should always preserve clear temporal context and baseline lineage. Findings should be readable in both machine and human form.

  • Reference baseline ID + baseline timestamp
  • Current scan ID + scan timestamp
  • Elapsed interval
  • Drift classes (added/removed/modified)
  • Severity and category where available
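
The fields listed above, carried through a drift classification, as an added Python example (not AuditWalk's code or its output schema). The snapshot layout, field names, IDs and hashes are constructed assumptions for illustration.

```python
import json
from datetime import datetime

def compare(baseline, current):
    """Classify drift between two {path: digest} snapshots, keeping
    baseline lineage and the A -> B time window in the result."""
    t_a = datetime.fromisoformat(baseline["timestamp"])  # time A
    t_b = datetime.fromisoformat(current["timestamp"])   # time B
    if t_b < t_a:
        # A scan older than its reference would give a negative interval.
        raise ValueError("current scan predates the baseline")
    old, new = baseline["files"], current["files"]
    return {
        "baseline_id": baseline["id"],
        "baseline_timestamp": baseline["timestamp"],
        "scan_id": current["id"],
        "scan_timestamp": current["timestamp"],
        "elapsed_seconds": int((t_b - t_a).total_seconds()),
        # Sorted lists keep the output identical for identical inputs.
        "drift": {
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in old.keys() & new.keys()
                               if old[p] != new[p]),
        },
    }

# Constructed sample snapshots (hypothetical IDs, paths and digests).
BASELINE = {
    "id": "baseline-0001",
    "timestamp": "2024-01-01T00:00:00+00:00",
    "files": {"/etc/passwd": "aa11", "/etc/hosts": "bb22", "/etc/motd": "cc33"},
}
CURRENT = {
    "id": "scan-0002",
    "timestamp": "2024-01-03T06:00:00+00:00",
    "files": {"/etc/passwd": "aa11", "/etc/hosts": "dd44",
              "/etc/cron.d/job": "ee55"},
}

if __name__ == "__main__":
    # Machine-readable form; the same record can be rendered for humans.
    print(json.dumps(compare(BASELINE, CURRENT), indent=2))
```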

CLI

CLI examples

auditwalk compare run
auditwalk compare run --path /etc
auditwalk compare run --format json
auditwalk compare run --baseline-id <baseline_id>
auditwalk compare run --scan-id <scan_id_a> --against-scan <scan_id_b>
auditwalk baseline show
auditwalk doctor run

Workflow

Baseline-driven Compare workflow

auditwalk scan run --profile full
auditwalk baseline set --scan-id <scan_id>
auditwalk compare run --format json
# If drift requires interpretation
auditwalk doctor run

This keeps Compare deterministic while enabling controlled escalation into interpretation and repair planning.

Positioning

Public-facing copy

Compare gives AuditWalk structured drift over time. It explains what changed since an accepted baseline, across a clear time window, so operators can evaluate impact with context rather than guesswork.