"Locking down" files / avoid overwriting good backups with bit rot

I think these are two topics:

  • How to detect changes (bitrot) in local files?
  • How to ensure that files modified by bitrot do not replace “good” files in the backup?

About the second question:

Note that typically you would back up using a parent snapshot. With a parent snapshot present, a change detection algorithm ensures that files that “have not changed” are not re-read; instead the content from the parent snapshot is taken. This means that if you have a file changed by bitrot (i.e. without any modification-time or other metadata change) and back up using a parent snapshot which holds the file content in a pre-bitrot state, your newly generated snapshot does not see the bitrot but includes the file in its pre-bitrot state. Only if you back up without a parent (e.g., using --force) is all content re-read and the current state included in the snapshot.

How to detect bitrot using the information in snapshots:

Note that restic already saves a SHA-256 hash for every chunk of a file and is therefore, in theory, perfectly able to detect bitrot.

What you can do is run restic backup --force and then restic diff to compare the new snapshot with the previous one. But note that this diff also shows files with “normal” changes, i.e. changes in both content and metadata.
Note that restic currently does not support diffing between a snapshot and a local path. If you want to do that, use rustic.
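The distinction the post draws, between a “normal” change (metadata differs, so a parent-snapshot backup re-reads the file) and bitrot (content differs while size and mtime are untouched, so the backup reuses the parent's copy), can be reproduced locally without restic. The following script is an added example, not code from the post's author or from the restic project: it records size, mtime and a SHA-256 per file in a small manifest, then re-hashes everything (the equivalent of a forced, parent-less run) and classifies each file. The directory layout, file names and the corrupted byte in demo() are constructed for illustration.

```python
"""Classify local file changes the way a parent-snapshot backup would see them.

A backup that reuses a parent snapshot skips re-reading files whose size and
mtime are unchanged, so silent content corruption (bitrot) with untouched
metadata is invisible to it.  This script keeps a manifest of size, mtime and
SHA-256 per file and, on verification, separates ordinary edits (metadata
differs) from bitrot suspects (same size and mtime, different content hash).
Added example; not part of restic.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size, mtime (ns) and content hash for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_of(p),
            }
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Re-hash every file (like a --force run) and classify against the manifest."""
    report = {"unchanged": [], "modified": [], "bitrot_suspect": [], "missing": [], "new": []}
    seen = set()
    for rel, rec in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        seen.add(rel)
        st = p.stat()
        meta_same = st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]
        if not meta_same:
            # A parent-snapshot backup would re-read this file and pick up the change.
            report["modified"].append(rel)
        elif sha256_of(p) == rec["sha256"]:
            report["unchanged"].append(rel)
        else:
            # Content changed but metadata did not: exactly the case a parent-snapshot
            # backup would silently carry forward from the parent.
            report["bitrot_suspect"].append(rel)
    report["new"] = sorted(
        str(p.relative_to(root)) for p in root.rglob("*") if p.is_file() and str(p.relative_to(root)) not in seen
    )
    return report


def demo() -> dict:
    """Constructed scenario: one file silently corrupted, one normally edited, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.raw").write_bytes(bytes(range(256)) * 4)
        (root / "notes.txt").write_bytes(b"first draft\n")
        (root / "keep.txt").write_bytes(b"untouched\n")
        manifest = build_manifest(root)

        # Simulate bitrot: flip one byte and restore the original mtime so size and
        # mtime match the manifest exactly.
        target = root / "photo.raw"
        st = target.stat()
        data = bytearray(target.read_bytes())
        data[100] ^= 0x01
        target.write_bytes(bytes(data))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Normal edit: content, size and mtime all change.
        (root / "notes.txt").write_bytes(b"second draft, longer\n")
        # A file that did not exist when the manifest was taken.
        (root / "new.txt").write_bytes(b"added later\n")

        return verify(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would write the manifest to disk with json.dump after a known-good backup and run verify against it before the next backup; any file in bitrot_suspect is one that a parent-snapshot run would not have re-read, and the pre-bitrot copy in the previous snapshot is the one to restore from.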