Root’s OS Package Registry (pkg.root.io) provides continuously patched versions of operating system packages for Debian, Ubuntu, and Alpine Linux. It closes the security gap between your hardened base image and the additional OS packages you install during Docker builds via apt-get or apk. Even when using a Root Image Catalog (RIC) base image with zero CVEs, installing additional OS packages like curl, git, openssl, or libcurl can reintroduce vulnerabilities. The OS Package Registry eliminates this risk by serving Root-patched versions of those packages.

How It Works

  1. You configure pkg.root.io as an additional package repository in your Dockerfile.
  2. You install packages using the rootio- prefix (e.g., rootio-curl instead of curl).
  3. Root serves the patched version if available; if not, you fall back to the upstream package automatically.
  4. Root discovers which packages your organization uses through install requests and monitors them under your SLA.
Root-patched OS packages are drop-in replacements — same functionality, same version, with CVEs remediated.

Supported Distros & Package Managers

| OS | Package Manager | Registry URL | Supported Versions |
|---|---|---|---|
| Debian | APT | pkg.root.io/debian/<codename> | bullseye, bookworm, trixie |
| Ubuntu | APT | pkg.root.io/ubuntu/<codename> | focal, jammy, mantic, noble, oracular |
| Alpine Linux | APK | pkg.root.io/alpine/<version> | 3.18–3.22 |

Combining with RIC and RLC

The OS Package Registry is designed to work alongside Root’s other products for complete stack coverage:

| Layer | Product | What it secures |
|---|---|---|
| Base image | Root Image Catalog (RIC) | Container base images from cr.root.io |
| OS packages | OS Package Registry | Packages installed via apt-get / apk from pkg.root.io |
| App dependencies | Root Library Catalog (RLC) | Python, JavaScript, and Java libraries from pkg.root.io |

Recommended Dockerfile structure:
```dockerfile
# Layer 1: Secured base image from RIC
FROM cr.root.io/python:3.11-slim-bookworm

# Layer 2: Secured OS packages from OS Package Registry
# Note: ARG values are recorded in image metadata and are visible via `docker history`.
ARG ROOTIO_API_KEY
RUN <configure pkg.root.io and install rootio-* packages>

# Layer 3: Secured app dependencies from RLC
RUN pip config set global.index-url https://pkg.root.io/pypi/simple \
    && pip install -r requirements.txt
```
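
An added example, not part of Root's documentation: a small Python audit that checks a Dockerfile against the three-layer structure above. It flags base images not pulled from cr.root.io, apt-get/apk packages requested without the rootio- prefix, and pip installs that run without the pkg.root.io index. The function names and the sample Dockerfile are constructed for illustration.

```python
import re

# Constructed sample: layers 1 and 3 follow the page's recommended structure;
# layer 2 deliberately mixes a rootio- package with an unprefixed one.
SAMPLE = """FROM cr.root.io/python:3.11-slim-bookworm
ARG ROOTIO_API_KEY
RUN apt-get update \\
    && apt-get install -y --no-install-recommends rootio-curl git \\
    && rm -rf /var/lib/apt/lists/*
RUN pip config set global.index-url https://pkg.root.io/pypi/simple \\
    && pip install -r requirements.txt
"""

OS_INSTALL = re.compile(r"\b(?:apt-get|apt)\s+(?:-\S+\s+)*install\b|\bapk\s+(?:-\S+\s+)*add\b")
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")

def instructions(text):
    """Drop comment lines, join backslash continuations, yield (INSTR, args)."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)
    text = re.sub(r"\\[ \t]*\n", " ", text)
    for line in filter(None, map(str.strip, text.splitlines())):
        instr, _, args = line.partition(" ")
        yield instr.upper(), args.strip()

def audit(dockerfile):
    """Return (layer, detail) findings for content that bypasses Root's registries."""
    findings, stages, rlc_index = [], set(), False
    for instr, args in instructions(dockerfile):
        if instr == "FROM":
            toks = [t for t in args.split() if not t.startswith("--")]
            image, rlc_index = toks[0], False  # pip config does not carry across stages
            if image not in stages | {"scratch"} and not image.startswith("cr.root.io/"):
                findings.append(("base-image", image))
            if len(toks) == 3 and toks[1].lower() == "as":
                stages.add(toks[2])
        elif instr == "RUN":
            for cmd in re.split(r"&&|\|\||;", args):
                m = OS_INSTALL.search(cmd)
                for tok in (cmd[m.end():].split() if m else []):
                    if not tok.startswith(("-", "rootio-")):
                        findings.append(("os-package", tok))
                via_rlc = "index-url" in cmd and "https://pkg.root.io/pypi/" in cmd
                rlc_index = rlc_index or (via_rlc and "pip config" in cmd)
                if PIP_INSTALL.search(cmd) and not (via_rlc or rlc_index):
                    findings.append(("pip-index", cmd.strip()))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser is deliberately simple: option values passed as separate words (such as `-o KEY=VAL`) and shell variables in an install command are reported as unprefixed package names and need manual review.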

Subscribing to OS Packages

Root tracks packages your organization installs through pkg.root.io. To manage your subscribed OS packages:
  1. Navigate to My Library in app.root.io.
  2. Filter by the OS Packages ecosystem.
  3. View discovered packages, their vulnerability status, and whether a Root-patched version is available.
You can also request support for additional packages that Root doesn’t yet patch by using the Submit Package Request option in the UI.