What is Root?
Root is a secure software supply platform that delivers container images and application packages with vulnerabilities already remediated. You pull from Root’s registries exactly as you do today. No migrations. No forced upgrades. No code changes. Root is powered by Agentic Vulnerability Remediation (AVR): a fleet of specialized AI agents that research, patch, test, and deliver fixes for vulnerable packages at a scale and speed no manual process can match. Every artifact ships with an updated SBOM, VEX statement, and provenance attestation — so you can verify exactly what was fixed and why the fix can be trusted.
The CVE Treadmill
Without Root, your options for any given CVE are:
- Wait weeks for a manual patch while systems stay exposed
- Upgrade to a newer version that breaks your application
- Rebuild from source and migrate to a new registry
- Accept the risk and move on
Two Products, One Platform
Root Image Catalog (RIC)
Secure container images at cr.root.io. Drop-in replacements for Docker Hub images — same tags, same behavior, zero Critical/High CVEs.
Root Library Catalog (RLC)
Secure application packages at pkg.root.io. Works with pip, uv, Poetry, npm, pnpm, yarn, Maven, and Gradle.
What Makes Root Unique
- No migration required. Root works with your existing registries and infrastructure. There’s no new stack to adopt, no vendor lock-in, and no switching cost.
- Pinned versions, not forced upgrades. Root patches the versions you’re already running. You stay on the version you chose — Root just removes the vulnerabilities from it.
- Complete coverage. Root addresses base image OS packages, language runtimes, application libraries, and transitive dependencies — not just the top layer.
- Full transparency. Every artifact Root delivers includes an SBOM, a VEX statement, and provenance attestation. You can verify Root’s work, not just trust it.
How Root Helps Your Team
AppSec Engineers
Eliminate the exposure window. CVE triage drops to zero. Every Root Patch is transparent — you can see what was changed, how it was tested, and why it can be trusted.
Platform & DevOps Engineers
Point your registries at Root. No pipeline changes, no image rebuilds, no ecosystem changes.
Developers
Keep using the open source you rely on, at the versions you declared. Root patches it — you don’t touch a line of code.
Security Leadership
Full SBOM, VEX, and provenance coverage across your supply chain. Audit-ready artifacts and a shrinking CVE backlog.
How Root Compares
Other approaches to container and package security require you to change your stack to become secure. Root patches what you already have.

| | Manual patching | Hardened image catalogs | Root |
|---|---|---|---|
| Works with your existing images | ✅ | ❌ Requires migration | ✅ |
| Patches your pinned version | ✅ (if you do it) | ❌ Forces upgrades | ✅ |
| Remediation SLA | None | 7–14 days | Critical in 7 days, often faster |
| Breaking changes | Possible on upgrade | Possible | None |
| SBOM + VEX + Provenance | DIY | Partial | Every artifact |
| Ecosystem changes | None | Required | None |
The Shift Out Movement
Shift Left put remediation on Engineering teams that never signed up for it. AppSec owns the problem, Engineering owns the solution — and the exposure window stays open while tickets queue up. Root’s answer is Shift Out: open source arrives clean and secure by default. Root’s fleet of AI agents patches ALL open source — at the OS level and the application level — so your teams stop doing CVE janitor work and start building.

Ready to get started? Jump into the Quick Start or learn how Root works.