Skip to main content

rootio_patcher

rootio_patcher is Root’s open-source CLI tool for applying security patches to your project’s dependencies. It scans installed packages and applies fixes from Root’s vulnerability database - modifying your requirements.txt, package.json, or pom.xml without changing package versions unless necessary. Source: github.com/rootio-avr/rootio_patcher For full documentation, see Root Library Catalog Patcher.

Installation

Download pre-built binaries from the GitHub releases page: Supported platforms: Linux x86_64, macOS (Apple Silicon, Intel), Windows x86_64 Or build from source (requires Go): 
git clone https://github.com/rootio-avr/rootio_patcher
cd rootio_patcher
go build -o rootio_patcher .

Authentication

Set your API token before running any commands: 
export ROOTIO_API_KEY=your-api-token
Obtain your API token from the Root platform under Settings → Token Management → Generate API Token. Optionally override the API endpoint: 
export ROOTIO_API_URL=https://api.root.io  # default

Commands

Python (pip)

# Preview patches (dry-run mode - default)
rootio_patcher pip remediate

# Apply patches
rootio_patcher pip remediate --dry-run=false

# Specify a Python interpreter
rootio_patcher pip remediate --python-path=/usr/bin/python3 --dry-run=false

# Use Root.io aliased package names (default: true)
rootio_patcher pip remediate --use-alias=true --dry-run=false
After applying patches, reinstall your packages: 
pip install -r requirements.txt

JavaScript (npm / yarn / pnpm)

# Preview patches
rootio_patcher npm remediate

# Apply patches - specify your package manager
rootio_patcher npm remediate --package-manager=npm --dry-run=false
rootio_patcher npm remediate --package-manager=yarn --dry-run=false
rootio_patcher npm remediate --package-manager=pnpm --dry-run=false
After applying, run your package manager’s install: 
npm install
# or
yarn install
# or
pnpm install

Java (Maven)

# Preview patches
rootio_patcher maven remediate

# Apply patches
rootio_patcher maven remediate --dry-run=false

# Specify a custom pom.xml path
rootio_patcher maven remediate --file=path/to/pom.xml --dry-run=false
After applying, rebuild: 
mvn clean install

Workflow

The recommended workflow is always to preview before applying: 
# Step 1: Preview
rootio_patcher pip remediate
# Review output - which packages will be patched, which CVEs addressed

# Step 2: Apply
rootio_patcher pip remediate --dry-run=false

# Step 3: Reinstall
pip install -r requirements.txt

Flags Reference

FlagDefaultDescription
--dry-runtruePreview changes without modifying files
--use-aliastrue(pip) Use Root.io-branded package aliases
--python-pathsystem Python(pip) Path to Python interpreter
--package-manager-(npm) Select npm, yarn, or pnpm
--filepom.xml(maven) Path to Maven config file

GitHub Actions

Use the rootio-remediation-action to apply Root patches to container images in CI/CD: 
- name: Remediate image with Root
  uses: rootio-avr/rootio-remediation-action@v1
  with:
    image_reference: your-registry/your-app:latest
    org_id: ${{ env.ROOTIO_ORG_ID }}
    api_token: ${{ secrets.ROOTIO_API_TOKEN }}
    registry_credentials_id: ${{ env.ROOTIO_REGISTRY_CREDENTIALS }}
Outputs:
OutputDescription
result_imageThe patched image name
process_statusOverall remediation status
remediation_decisionWhether the system proceeded with patching
image_createdBoolean - whether a new patched image was produced