Root Patches / Patch Stream is an enterprise capability that delivers patch artifacts as standalone packages your organization validates and implements independently. Where Root Image Catalog and Root Library Catalog deliver secured artifacts ready to use, Patch Stream delivers the patch itself — complete with build evidence — for integration into your own CI/CD pipeline.
Root Patches / Patch Stream is available through enterprise engagements. Contact your Root account representative or Root Sales to learn more.

What Patch Stream Delivers

Instead of a pre-patched image or package, Patch Stream delivers a complete patch package containing:
  • The fix itself — the source code changes or binary patch
  • Remediation intelligence — documentation of the vulnerability, the fix approach, and why it was chosen
  • Build artifacts — all evidence produced during the AVR build process
  • Test results — comprehensive testing documentation including exploit blocking confirmation
  • Merge instructions — guidance for implementing the patch in your own build pipeline

Why Patch Stream Exists

Patch Stream serves organizations with specific requirements that the standard RIC/RLC model doesn’t fully address:
  • Non-upgradable critical systems. Large institutions with mission-critical systems that cannot be modified by an external party can receive Root’s patch work as a deliverable and apply it under their own change management process.
  • Full supply chain control. Organizations that need to validate every artifact that enters their environment — and cannot allow an external system to write directly to their registries — can use Patch Stream to receive patches, review them, and implement them themselves.
  • High-security and air-gapped environments. Patch Stream operates outside your perimeter. Root delivers; you validate and implement on your own schedule and through your own controls.
  • Enterprise CI/CD integration. Organizations with established patch feed workflows in their CI/CD pipelines can integrate Patch Stream directly, consuming Root’s reproducible fix build streams as inputs to their existing processes.

How Patch Stream Works

Patch Stream uses the same AVR Factory that powers RIC and RLC:
  1. CVE detected → AVR Research begins
  2. Patching agents generate the fix for your specific version
  3. Testing validates the patch (exploit blocked, functionality preserved)
  4. Human validators review and approve
  5. Standalone patch artifacts are delivered as a patch feed
The result is a reproducible patch artifact with complete build evidence — not a pre-applied fix in a managed artifact, but the fix itself for you to implement.

Universal Coverage

Patch Stream supports:
  • Any OS — Alpine, Ubuntu, Debian, RHEL, and specialized distributions
  • Any package manager — all major ecosystems
  • Any version — current, legacy, and end-of-life versions that other providers won’t touch

Getting Access

Patch Stream is available through enterprise engagements. Reach out to: