I want to automatically rebuild my Docker containers when their base image changed. The idea is to compare the base image ID of the current tagged container to the ID of the base image in Docker Hub and run a new build if it differs.

Getting the latest base image ID seems to be quite straight forward:

$ docker pull debian:latest >/dev/null 2&>1; docker images debian:latest -q
sha256:a20fd0d59cf13f82535ccdda818d70b97ab043856e37a17029e32fc2252b8c56

docker inspect has an entry called "Parent" that seems to contain the ID of the image used in the FROM directive:

$ docker inspect -f '{{.Parent}}' dockertest-1
sha256:a20fd0d59cf13f82535ccdda818d70b97ab043856e37a17029e32fc2252b8c56

Since I can't really find any documentation about this I wonder if I should rely on this data to build my build pipeline.

The Parent reference does not point to the base image in the FROM line of your Dockerfile, it points to the next to last layer in your image. If your build only contains a single layer then this can be the FROM line, but adding a second line to your Dockerfile will break your scripts.

If you know the tag of your base image (this sort of meta information isn't stored in the image, so you'll need to track it externally, perhaps adding a label to your image), then you can search the docker history of the current image for your base image's current sha256. I'd use the following arguments to generate an ID list:

$ docker history --format '{{ .ID }}' --no-trunc $image_id