Prerequisites
Before you begin, ensure you have:- A Root account with an active subscription (app.root.io)
- A Root API token (generated from the Root dashboard)
- Docker with BuildKit support (Docker 23.0+ or
DOCKER_BUILDKIT=1) - A Dockerfile that installs OS packages via
apt-getorapk
Step 1: Generate an API Token
- Log in to app.root.io.
- Navigate to Settings → API Tokens.
- Click Generate Token.
- Copy the token value. You will need it to authenticate with
pkg.root.io.
Step 2: Configure Your Dockerfile
All examples use Docker BuildKit’s--mount=type=secret to pass the API key securely. The key never appears in any image layer.
- Ubuntu (APT)
- Debian (APT)
- Alpine (APK)
noble in both the echo and sources.list.d lines with your distro codename.Step 3: Build Your Image
Pass your API token as a BuildKit secret at build time:The
--secret flag requires BuildKit. It ensures your API key is only available inside the RUN step that mounts it and never written to any image layer.Step 4: Verify Installation
After building, confirm that Root-patched packages were installed:rootio-curl, rootio-git, etc. for every package that Root has a patched version available.
Step 5: CI/CD Integration
- GitHub Actions
- GitLab CI
Troubleshooting
401 Unauthorized when running apt-get update
Your API token is missing or invalid. Verify the secret is being passed correctly with --secret id=rootio_api_key,env=ROOTIO_API_KEY and that ROOTIO_API_KEY is set in your environment.
rootio-<package> not found
Root hasn’t patched this package yet. The fallback pattern (apt-cache show / apk search) ensures your build succeeds with the upstream version. You can request the package via the Root UI.
GPG key import fails
Ensure gnupg and ca-certificates are installed before importing the key. These must be installed from the upstream repository first.
--secret flag not recognized
BuildKit is not enabled. Prepend DOCKER_BUILDKIT=1 to your build command or set it as an environment variable.
What’s Next
- Root Image Catalog - Getting Started - Set up secured base images
- Root Library Catalog - Getting Started - Secure your application dependencies
- Vulnerability Reports - Track CVE status across your subscribed OS packages
- Authentication & Access - Manage API tokens and team access