Root delivers pre-patched open source through two registries. Choose the path that matches what you need to secure.

Secure Container Images

Root Image Catalog (RIC) provides drop-in replacements for standard base images — same tags, pre-patched.

1. Get access

Contact root.io to receive your registry credentials for cr.root.io.

2. Authenticate

docker login cr.root.io

3. Update your Dockerfile

Replace your base image reference. Tags, APIs, and behavior are identical.
# Before
FROM python:3.12-slim

# After — same image, zero vulnerabilities
FROM cr.root.io/python:3.12-slim

4. Verify patch coverage

docker pull cr.root.io/python:3.12-slim
docker inspect cr.root.io/python:3.12-slim | jq '.[0].Config.Labels'
Image labels include the SBOM digest and a reference to every Root Patch applied.
Every image from cr.root.io ships with an updated SBOM and VEX statements. See Supported Images for the full list.
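
A CI check for step 3, as an added example that is not part of Root's documentation or tooling: it lists every FROM line in a Dockerfile whose base image is not pulled from cr.root.io. The function name check_base_images is hypothetical; references to earlier build stages and to scratch are treated as acceptable.

```shell
#!/bin/sh
# Added example, not Root's own tooling.
# check_base_images DOCKERFILE
# Prints "<file>:<line>: <image>" for every FROM whose base image is not
# served by cr.root.io, and returns non-zero if any are found.
check_base_images() {
  awk -v file="$1" -v registry="cr.root.io/" '
    BEGIN { bad = 0 }
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++      # skip flags such as --platform=...
      image = $i
      key = tolower(image)
      ok = (index(image, registry) == 1)     # pulled from the Root registry
      ok = ok || (image == "scratch")        # empty base, nothing to patch
      ok = ok || (key in stages)             # earlier build stage, not a pull
      if (!ok) { printf "%s:%d: %s\n", file, NR, image; bad = 1 }
      # Record the stage alias only after the check: a stage cannot be its own base.
      if (toupper($(i + 1)) == "AS") stages[tolower($(i + 2))] = 1
    }
    END { exit bad }
  ' "$1"
}
```

Run `check_base_images Dockerfile` in the pipeline and fail the job on a non-zero status. Base images given through a build argument (for example `FROM ${BASE}`) cannot be resolved statically and are reported as well.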

Secure Application Packages

Root Library Catalog (RLC) provides a secure package registry at pkg.root.io for Python, JavaScript, and Java ecosystems.

1. Get access

Contact root.io to receive your registry credentials for pkg.root.io.

2. Configure your package manager

echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
chmod 600 ~/.netrc

pip config set global.index-url https://pkg.root.io/pypi/simple &&
pip config set global.extra-index-url https://pypi.org/simple

3. Install packages as usual

For Python, install from your requirements.txt or add packages directly — Root resolves and serves patched versions transparently:
pip install -r requirements.txt
For JavaScript, patched packages are served under the @rootio/ scope and applied via overrides in package.json. See the JavaScript guide for details.

What happens next

Once configured, Root’s AVR agents continuously monitor every package you consume. When a new CVE is published:
1. Research

AVR collects advisories, upstream commits, exploit details, and affected versions to build the full picture before touching any code.

2. Patch

Agents apply the smallest safe fix — backporting patches when possible, applying native distribution package upgrades when not.

3. Test

Package tests, functional tests, and CVE-specific tests run automatically to ensure the patch works and nothing else breaks.

4. Deliver

The patched package or image is available at Root’s registries — along with an updated SBOM and VEX statement.
No tickets. No triage. No engineering time spent on CVE work.