Skip to main content

rootio_patcher

rootio_patcher is Root’s open-source CLI tool for applying security patches to your project’s dependencies. It scans installed packages and applies fixes from Root’s vulnerability database - modifying your requirements.txt, package.json, or pom.xml without changing package versions unless necessary. Source: github.com/rootio-avr/rootio_patcher For full documentation, see Root Library Catalog Patcher.

Installation

Download pre-built binaries from the GitHub releases page: Supported platforms: Linux x86_64, macOS (Apple Silicon, Intel), Windows x86_64 Or build from source (requires Go):

Authentication

Set your API token before running any commands:
Obtain your API token from the Root platform under Settings → Token Management → Generate API Token. Optionally override the API endpoint:

Commands

Python (pip)

After applying patches, reinstall your packages:

JavaScript (npm / yarn / pnpm)

After applying, run your package manager’s install:

Java (Maven)

After applying, rebuild:

Workflow

The recommended workflow is always to preview before applying:

Flags Reference

Exit Codes

When running in dry-run mode (the default), rootio_patcher exits with a code indicating the outcome. Use this to gate pipelines without modifying any files.

GitHub Actions

rootio-patch (vulnerability check)

A reusable composite action runs rootio_patcher in dry-run mode and fails the job if patches are available (exit code 2). No files are modified.
Inputs: Outputs: Environment variables: Advanced settings are not action inputs — pass them as env: on the step:
Example — block a PR if vulnerabilities exist:
Example — warn without blocking:

rootio-remediation-action (container image patching)

Use the rootio-remediation-action to apply Root patches to container images in CI/CD:
Outputs: