# Quick Start

> Get secure open source into your pipeline in minutes.

Root delivers pre-patched open source through two registries. Choose the path that matches what you need to secure.

<CardGroup cols={2}>
  <Card title="Secure Container Images" icon="container-storage" href="#secure-container-images">
    Switch base images to `cr.root.io` for zero-CVE containers.
  </Card>

  <Card title="Secure Packages" icon="package" href="#secure-application-packages">
    Point pip, npm, Maven, or other package managers at `pkg.root.io`.
  </Card>
</CardGroup>

***

## Secure Container Images

Root Image Catalog (RIC) provides drop-in replacements for standard base images - same tags, pre-patched.

### 1. Get access

Contact [root.io](https://root.io) to receive your registry credentials for `cr.root.io`.

### 2. Authenticate

```bash theme={null}
docker login cr.root.io
```

### 3. Update your Dockerfile

Replace your base image reference. Tags, APIs, and behavior are identical.

```dockerfile theme={null}
# Before
FROM python:3.12-slim

# After - same image, zero vulnerabilities
FROM cr.root.io/python:3.12-slim
```

### 4. Verify patch coverage

```bash theme={null}
docker pull cr.root.io/python:3.12-slim
docker inspect cr.root.io/python:3.12-slim | jq '.[0].Config.Labels'
```

Image labels include the SBOM digest and a reference to every Root Patch applied.

<Info>
  Every image from `cr.root.io` ships with an updated SBOM and VEX statements. See [Supported Images](/ric/supported-images) for the full list.
</Info>
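
A CI check for step 3, added here as an example and not part of Root's tooling: it flags every `FROM` line in a Dockerfile that does not pull from `cr.root.io`. The function name and the sample Dockerfile are constructed for illustration.

```python
ROOT_REGISTRY = "cr.root.io/"  # registry from this page; trailing slash pins the host

# Constructed sample Dockerfile (not from the page) covering the edge cases.
SAMPLE = "\n".join([
    "FROM --platform=linux/amd64 cr.root.io/python:3.12-slim AS builder",
    "RUN pip install -r requirements.txt",
    "FROM python:3.12-slim AS test",
    "FROM builder",
    "FROM cr.root.io.example.net/python:3.12-slim",
    "FROM ${BASE_IMAGE}",
])


def unpatched_bases(dockerfile_text):
    """Return [(line_no, image)] for each FROM that does not pull from cr.root.io."""
    stages = set()   # aliases from earlier "FROM ... AS <name>" lines
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=... that precede the image reference.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        image = args[0]
        is_stage = image.lower() in stages
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
        if is_stage or image == "scratch":
            continue   # earlier build stage or the empty base: nothing is pulled
        # Anything else must come from cr.root.io. ARG-substituted references
        # cannot be checked statically, so they are reported for manual review.
        if "$" in image or not image.startswith(ROOT_REGISTRY):
            findings.append((line_no, image))
    return findings


if __name__ == "__main__":
    for line_no, image in unpatched_bases(SAMPLE):
        print(f"line {line_no}: base image {image} is not pulled from cr.root.io")
```

Matching on `cr.root.io/` with the trailing slash keeps a look-alike host such as `cr.root.io.example.net` from passing the check.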

***

## Secure Application Packages

Root Library Catalog (RLC) provides a secure package registry at `pkg.root.io` for Python, JavaScript, Java, and Go ecosystems.

### 1. Get access

Contact [root.io](https://root.io) to receive your registry credentials for `pkg.root.io`.

### 2. Configure your package manager

<Tabs>
  <Tab title="pip">
    ```bash theme={null}
    echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
    chmod 600 ~/.netrc

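    # pip gives index-url no priority over extra-index-url: it picks the best
    # matching version across both, so a package can still resolve from pypi.org.
    pip config set global.index-url https://pkg.root.io/pypi/simple &&
    pip config set global.extra-index-url https://pypi.org/simple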
    ```
  </Tab>

  <Tab title="uv">
    ```bash theme={null}
    echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
    chmod 600 ~/.netrc
    ```

    ```toml theme={null}
    # pyproject.toml
    [[tool.uv.index]]
    name = "root"
    url = "https://pkg.root.io/pypi/simple/"
    ```
  </Tab>

  <Tab title="npm">
    ```bash theme={null}
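    # --location=project writes to ./.npmrc, so the token is stored in the
    # project directory: keep that file out of version control.
    npm config set registry https://pkg.root.io/npm/ --location=project &&
    npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project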
    ```
  </Tab>

  <Tab title="Maven">
    ```bash theme={null}
    export ROOT_TOKEN="your-token-here"
    ```

    ```xml theme={null}
    <!-- ~/.m2/settings.xml -->
    <settings>
      <servers>
        <server>
          <id>root-io</id>
          <username>rootio</username>
          <password>${env.ROOT_TOKEN}</password>
        </server>
      </servers>
      <mirrors>
        <mirror>
          <id>root-io</id>
          <url>https://pkg.root.io/maven/</url>
          <mirrorOf>central</mirrorOf>
        </mirror>
      </mirrors>
    </settings>
    ```
  </Tab>

  <Tab title="Go">
    ```bash theme={null}
    # Configure GOPROXY with authentication
    export GOPROXY="https://:${ROOTIO_API_KEY}@pkg.root.io/gobinary,https://proxy.golang.org,direct"

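    # Install the Root Patcher CLI to add replace directives
    # (this release asset is the macOS arm64 build; -f makes curl fail on an
    # HTTP error instead of piping an error page into tar)
    curl -fsSL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_darwin_arm64.tar.gz | tar xz
    chmod +x rootio_patcher && sudo mv rootio_patcher /usr/local/bin/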

    # Patch your go.mod
    rootio_patcher go remediate --dry-run=false
    ```
  </Tab>
</Tabs>

### 3. Install packages as usual

For Python, install from your `requirements.txt` or add packages directly - Root resolves and serves patched versions transparently:

```bash theme={null}
pip install -r requirements.txt
```
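
Because the pip configuration above keeps `pypi.org` as an extra index, it is worth checking which host each package was actually downloaded from. The following is an added example, not part of Root's tooling: it reads the JSON that pip writes with `--report` and lists packages that did not come from `pkg.root.io`. The function name and the sample report, including its download paths, are constructed.

```python
from urllib.parse import urlsplit

ROOT_HOST = "pkg.root.io"  # package registry host from this page

# Constructed sample in the shape of pip's installation report, as written by:
#   pip install --dry-run --ignore-installed --report report.json -r requirements.txt
# The URL paths are placeholders; only the host part is inspected.
SAMPLE_REPORT = {
    "version": "1",
    "install": [
        {"metadata": {"name": "requests", "version": "2.32.3"},
         "download_info": {"url": "https://pkg.root.io/files/requests-2.32.3-py3-none-any.whl"}},
        {"metadata": {"name": "urllib3", "version": "2.2.2"},
         "download_info": {"url": "https://pkg.root.io.example.net/files/urllib3-2.2.2-py3-none-any.whl"}},
        {"metadata": {"name": "idna", "version": "3.7"},
         "download_info": {"url": "https://files.pythonhosted.org/packages/idna-3.7-py3-none-any.whl"}},
    ],
}


def served_elsewhere(report):
    """Return sorted (name, version, host) for packages not downloaded from pkg.root.io."""
    findings = []
    for item in report.get("install", []):
        meta = item.get("metadata", {})
        url = item.get("download_info", {}).get("url", "")
        # Compare the parsed hostname exactly; a substring test would accept
        # look-alike hosts and URLs that merely mention pkg.root.io in the path.
        host = (urlsplit(url).hostname or "").lower()
        if host != ROOT_HOST:
            # Local paths and file:// URLs have no hostname: report the URL itself.
            findings.append((meta.get("name"), meta.get("version"), host or url))
    return sorted(findings)


if __name__ == "__main__":
    for name, version, origin in served_elsewhere(SAMPLE_REPORT):
        print(f"{name}=={version} was resolved from {origin}, not {ROOT_HOST}")
```

On a real project, load `report.json` with `json.load` and pass the result to `served_elsewhere`.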

For JavaScript, patched packages are served under the `@rootio/` scope and applied via `overrides` in `package.json`. See the [JavaScript guide](/rlc/javascript) for details.

***

## What happens next

Once configured, Root's AVR agents continuously monitor every package you consume. When a new CVE is published:

<Steps>
  <Step title="Research">
    AVR collects advisories, upstream commits, exploit details, and affected versions to build the full picture before touching any code.
  </Step>

  <Step title="Patch">
    Agents apply the smallest safe fix - backporting patches when possible, applying native distribution package upgrades when not.
  </Step>

  <Step title="Test">
    Package tests, functional tests, and CVE-specific tests run automatically to ensure the patch works and nothing else breaks.
  </Step>

  <Step title="Deliver">
    The patched package or image is available at Root's registries - along with an updated SBOM and VEX statement.
  </Step>
</Steps>

No tickets. No triage. No engineering time spent on CVE work.

<CardGroup cols={2}>
  <Card title="Explore Root Image Catalog" icon="container-storage" href="/ric/overview">
    Supported images, patch details, and CI/CD integration.
  </Card>

  <Card title="Explore Root Library Catalog" icon="package" href="/rlc/overview">
    Python, JavaScript, Java, and Go package manager setup.
  </Card>
</CardGroup>
