Root is offering a free, self-service trial with full product access in response to the Q1 2026 supply chain attacks that compromised widely used packages including Trivy, LiteLLM, and axios. Read the full background on our blog.

What’s included

The free trial gives you the same access as a paid Root organization:
Capability | Included
Root Image Catalog (RIC) — cr.root.io
Root Library Catalog (RLC) — pkg.root.io
UI, API, and package registry access
Python, JavaScript, and Java package registries
SBOM, VEX, and provenance attestations
FIPS images
Jira SLA-backed support tickets
The free trial provides full product access without a service-level agreement (SLA). For SLA-backed support, contact us about a paid plan.

Trial duration

The free trial runs for 2 months, ending May 31, 2026 for all trial organizations. The trial period is based on a fixed end date, not the date you sign up — so the earlier you start, the more time you get.

Sign up

1. Create your account

Go to app.root.io and sign up. Your organization is automatically provisioned with full trial access — no approval process, no credit card.

2. Generate an API token

After creating your organization, generate an API token from the Root UI. You’ll need this to authenticate with Root’s registries.

3. Start pulling secure packages

Configure your package manager or Docker client to point at Root’s registries. See the guides below to get started.

What to expect

When you sign in for the first time, you’ll land in the Root platform where you can browse the Image Catalog and Library Catalog.

Container images

Replace your base image references with cr.root.io to pull pre-patched images with zero Critical/High CVEs:
# Before
FROM python:3.12-slim

# After — same image, vulnerabilities removed
FROM cr.root.io/python:3.12-slim
See Getting Started with RIC for full setup instructions.

Application libraries

Point your package manager at pkg.root.io to install patched versions of Python, JavaScript, and Java packages — including packages compromised in the Q1 2026 supply chain campaigns:
pip config set global.index-url https://pkg.root.io/pypi/simple
pip config set global.extra-index-url https://pypi.org/simple
See Getting Started with RLC for full setup instructions including CI/CD integration.

Packages secured in Q1 2026

Root has already produced secured versions for every package compromised in the Q1 2026 supply chain campaigns:
Package | Safe version | Ecosystem
aquasec/trivy | 0.69.3 | Docker (RIC)
litellm | 1.82.6 | PyPI
axios | 1.14.0 | npm
telnyx | 4.87.0 / 4.88.1 | npm
@opengov/ppf-backend-types | 1.141.1 / 1.141.3 | npm
react-leaflet-heatmap-layer | 2.0.0 | npm
@emilgroup/insurance-sdk | 1.97.0 / 1.98.0 | npm
@opengov/form-builder | 0.12.2 / 0.13.0 | npm
@opengov/form-renderer | 0.2.19 | npm
@emilgroup/billing-sdk | 1.56.0 / 1.57.0 | npm
@emilgroup/customer-sdk | 1.54.0 | npm
These are the last known-good versions before each compromise. Root pins you to these versions and backports security fixes without requiring upgrades.
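
To confirm that a build actually resolved to the versions in the table above, the following added example (not Root's tooling and not code from this page) reads exact pins from a requirements.txt and a package-lock.json and reports any listed package at a version the table does not list. It assumes a lockfileVersion 2 or 3 package-lock.json, that either version is acceptable where the table shows two, and that lockfile version strings match the table exactly; the sample inputs and their 99.0.0 versions are constructed.

```python
import json
import re

# Safe versions copied from the "Packages secured in Q1 2026" table on this page.
# Assumption: where the table lists two versions ("a / b"), either one is accepted.
SAFE = {
    ("pypi", "litellm"): {"1.82.6"},
    ("npm", "axios"): {"1.14.0"},
    ("npm", "telnyx"): {"4.87.0", "4.88.1"},
    ("npm", "@opengov/ppf-backend-types"): {"1.141.1", "1.141.3"},
    ("npm", "react-leaflet-heatmap-layer"): {"2.0.0"},
    ("npm", "@emilgroup/insurance-sdk"): {"1.97.0", "1.98.0"},
    ("npm", "@opengov/form-builder"): {"0.12.2", "0.13.0"},
    ("npm", "@opengov/form-renderer"): {"0.2.19"},
    ("npm", "@emilgroup/billing-sdk"): {"1.56.0", "1.57.0"},
    ("npm", "@emilgroup/customer-sdk"): {"1.54.0"},
}
PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def pins_from_requirements(text):
    """Yield ("pypi", name, version) for each exact name==version pin."""
    for line in text.splitlines():
        m = PIN.match(line.strip())
        if m:  # PEP 503 name normalisation so "LiteLLM" matches "litellm"
            yield "pypi", re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)

def pins_from_package_lock(text):
    """Yield ("npm", name, version) from a lockfileVersion 2/3 package-lock.json."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in path and "version" in meta:
            yield "npm", path.rsplit("node_modules/", 1)[1], meta["version"]

def audit(pins):
    """Return listed packages whose resolved version is not a table version."""
    return sorted(p for p in set(pins) if p[:2] in SAFE and p[2] not in SAFE[p[:2]])

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = "requests==2.32.3\nLiteLLM[proxy]==99.0.0  # constructed drift\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "0.0.1"},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/@opengov/form-renderer": {"version": "99.0.0"},
    "node_modules/telnyx/node_modules/axios": {"version": "99.0.0"},
}})

if __name__ == "__main__":
    pins = [*pins_from_requirements(SAMPLE_REQUIREMENTS), *pins_from_package_lock(SAMPLE_LOCK)]
    for eco, name, ver in audit(pins):
        print(f"{eco}:{name} resolved to {ver}, expected one of {sorted(SAFE[(eco, name)])}")
```

With the pip settings shown earlier, pip weighs candidates from both pkg.root.io and pypi.org without giving either index priority, so checking the resolved pins is how you see which version was actually selected.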

What happens after the trial

When the trial ends on May 31, 2026, your organization’s free_trial entitlement will be removed. To continue using Root:
  • Upgrade to a paid plan: Contact us or book a demo to discuss pricing and SLA options.
  • Talk to a human — Use the chat on root.io to reach our team directly.
After May 31, 2026, trial organizations will lose access to Root’s registries. Make sure to plan your transition before the trial ends.

Getting help

During the trial, you can get support through the following channels:

Documentation

Full product docs, setup guides, and API reference.

Talk to us

Use the chat widget on root.io to reach the Root team.