
General

What is Root?

Root is a secure software supply platform. It delivers container images and application packages with known vulnerabilities already remediated, so you consume the same open source you rely on today, with the CVEs patched out before the artifacts reach you. Root’s core technology is AVR (Agentic Vulnerability Remediation): a pipeline of AI agents that research, patch, test, and deliver fixes automatically.

How is Root different from a vulnerability scanner?

Scanners find vulnerabilities. Root fixes them. Instead of generating tickets and alert noise, Root applies Root Patches to the packages you consume before they reach your environment. You still get full transparency — SBOM, VEX, provenance — but the work of remediation happens on Root’s side, not yours.

Do I have to migrate my stack to use Root?

No. Root works as a drop-in registry replacement. For containers, you change the registry prefix in your Dockerfile: cr.root.io/ in place of docker.io/ or a bare Docker Hub image name. For packages, you point your package manager at pkg.root.io. Package names, version numbers, tags, and APIs are identical. No application code changes are required.

What open source ecosystems does Root support?

Container images: Root Image Catalog (cr.root.io) covers 500+ image families — Python, Node, Nginx, Redis, PostgreSQL, and more. Application packages: Root Library Catalog (pkg.root.io) supports:
  • Python: pip, uv, Poetry
  • JavaScript: npm, pnpm, Yarn 1, Yarn 3+
  • Java: Maven (Gradle coming soon)

Root Image Catalog

What images are available?

Root Image Catalog provides patched versions of popular Docker Hub images. See Supported Images for the full list. Images include all major language runtimes, databases, web servers, and infrastructure tools.

Do the images use the same tags?

Yes. Tags are preserved. cr.root.io/python:3.12-slim behaves identically to docker.io/python:3.12-slim, with the same entrypoints, environment variables, and behavior, and with CVEs removed. The one thing that does differ is the image digest, because the patched layers differ from upstream; if you pin images by digest, pin to the digest of the cr.root.io image rather than reusing the Docker Hub one.
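The registry swap described here and under "Do I have to migrate my stack" can be scripted across a repository. The following is an added example, not Root's own tooling: it rewrites FROM lines for Docker Hub images to cr.root.io, keeps tags, platform flags and stage names intact, and refuses to touch references that need a human look: digest-pinned images (a patched image has a different digest), user-namespaced Docker Hub images (check Supported Images first), earlier stage names, build-argument references, scratch, and other registries. It assumes cr.root.io addresses Docker Hub official images by bare name, as the cr.root.io/python:3.12-slim example suggests; the sample Dockerfile, its ghcr.io image and its all-zero digest are constructed placeholders.

```python
"""Rewrite Docker Hub references in a Dockerfile to cr.root.io.

Added example, not Root's own tooling. Assumptions not stated on the page:
  * cr.root.io addresses Docker Hub official images by bare name, so
    docker.io/library/python:3.12 becomes cr.root.io/python:3.12.
  * User-namespaced Docker Hub images (someuser/app) are not assumed to be
    in the catalog and are reported instead of rewritten.
  * Digest-pinned references are reported, never rewritten: a patched image
    has a different manifest digest than the upstream image.
"""
import re
from typing import List, Optional, Tuple

ROOT_REGISTRY = "cr.root.io"

FROM_RE = re.compile(
    r"^(?P<prefix>\s*FROM\s+(?:--platform=\S+\s+)?)"
    r"(?P<image>\S+)"
    r"(?P<suffix>(?:\s+AS\s+\S+)?\s*)$",
    re.IGNORECASE,
)


def is_docker_hub(ref: str) -> bool:
    """True if the reference resolves to Docker Hub: no registry host at all,
    or an explicit docker.io host. A first path component containing '.'
    or ':' (or equal to 'localhost') is a registry host, as Docker parses it."""
    if "/" not in ref:
        return True
    first = ref.split("/", 1)[0]
    if first in ("docker.io", "index.docker.io"):
        return True
    return not ("." in first or ":" in first or first == "localhost")


def root_ref(ref: str) -> Tuple[Optional[str], str]:
    """Return (rewritten reference or None, reason)."""
    if "@sha256:" in ref:
        return None, "digest-pinned: pull the cr.root.io tag and pin to its digest"
    if not is_docker_hub(ref):
        return None, "not a Docker Hub reference, left unchanged"
    path = ref
    for host in ("index.docker.io/", "docker.io/"):
        if path.startswith(host):
            path = path[len(host):]
            break
    if path.startswith("library/"):
        path = path[len("library/"):]
    if "/" in path:
        return None, "user-namespaced Docker Hub image: check Supported Images first"
    return f"{ROOT_REGISTRY}/{path}", "rewritten"


def rewrite_dockerfile(text: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Rewrite every FROM line that can be rewritten safely.

    Returns the new Dockerfile text and a list of (line number, original
    reference, reason) so the decisions can be reviewed."""
    lines = text.splitlines()
    # Names of build stages: `FROM build` refers to a stage, not an image.
    stages = set()
    for line in lines:
        m = FROM_RE.match(line)
        if m and m.group("suffix").strip():
            stages.add(m.group("suffix").split()[-1].lower())

    out, notes = [], []
    for n, line in enumerate(lines, 1):
        m = FROM_RE.match(line)
        if not m:
            out.append(line)
            continue
        ref = m.group("image")
        if ref.lower() in stages or ref.startswith("$") or ref.lower() == "scratch":
            out.append(line)
            notes.append((n, ref, "stage name, build argument or scratch: left unchanged"))
            continue
        new, reason = root_ref(ref)
        notes.append((n, ref, reason))
        out.append(line if new is None else f"{m.group('prefix')}{new}{m.group('suffix')}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), notes


# Constructed sample Dockerfile; the ghcr.io image and the all-zero digest are placeholders.
SAMPLE_DOCKERFILE = (
    "FROM docker.io/library/node:20-alpine AS build\n"
    "FROM --platform=linux/amd64 python:3.12-slim\n"
    "FROM ghcr.io/example/tool:1.4\n"
    "FROM nginx@sha256:" + "0" * 64 + "\n"
    "FROM build\n"
)

if __name__ == "__main__":
    new_text, decisions = rewrite_dockerfile(SAMPLE_DOCKERFILE)
    print(new_text)
    for lineno, ref, reason in decisions:
        print(f"line {lineno}: {ref}: {reason}")
```

Run it over each Dockerfile and review the reasons list before committing: the rewritten lines are mechanical, but every line it leaves alone is one where the image either is not on Docker Hub or needs a decision (a new digest pin, or a catalog check for a user-namespaced image).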

What happens when a new CVE is published?

AVR automatically detects the new vulnerability in subscribed images. The pipeline researches the fix, applies the smallest safe patch, validates it, and publishes the updated image at cr.root.io. Your next pull gets the patched version. No action required on your end.

How long until a patched image is available after a CVE disclosure?

Root’s SLA commitments (patch available within the stated time after disclosure):
  • Critical: 7 days
  • High: 14 days
  • Medium: 60 days
In practice, Root often patches Critical and High vulnerabilities significantly faster than the SLA.

What security artifacts ship with each image?

Every image at cr.root.io includes:
  • SBOM — full component inventory in SPDX or CycloneDX format
  • VEX statement — which CVEs were fixed, which are not applicable
  • Provenance attestation — a signed record of the Root build pipeline that produced the image, which you can verify before trusting the image rather than relying on the registry name alone

Root Library Catalog

How does Root patch packages without changing the version?

Root applies backported patches — taking the security fix from a newer version and applying it to the exact version you declared. The version string stays the same; only the vulnerability is removed. This is the same technique Linux distributions use to maintain long-term support branches.

Do I have to change my dependency files?

For Python and Java, no — packages resolve transparently. For JavaScript, you add an overrides (npm), pnpm.overrides (pnpm), or resolutions (Yarn) field to package.json pointing vulnerable packages to their @rootio/-scoped equivalents. Your import statements don’t change.

Why does JavaScript use @rootio/ scoped packages?

The npm registry doesn’t allow publishing patched versions under the original package name. Root publishes patched packages under the @rootio/ scope and uses the package manager’s override/resolution mechanism to redirect resolution. Because overrides and resolutions apply to every occurrence of a package in the dependency tree, direct or transitive, each copy resolves to the patched one. Your code still imports axios; it just resolves to @rootio/axios under the hood.
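The package.json edit described in the two answers above, and a check that it actually took effect, as an added example that is not Root's tooling. The first function writes the override entry into the field each package manager reads (overrides for npm, pnpm.overrides for pnpm, resolutions for Yarn); the second walks a package-lock.json and reports any install path, including nested node_modules copies, that still resolves to the unscoped package. Two assumptions: the override value uses the alias form npm:@rootio/<name>@<version>, which npm, pnpm and Yarn all accept as a dependency specifier (the page only says the field points at the @rootio/ equivalent), and the lockfile check relies on the package-lock v2/v3 layout, in which an aliased install records the real package under "name". The package.json and lockfile are constructed; the versions are placeholders and say nothing about real vulnerabilities.

```python
"""Point npm, pnpm and Yarn at @rootio/ scoped packages and verify the result.

Added example, not Root's tooling. Assumption: the override value uses the
alias form "npm:@rootio/<name>@<version>", which npm overrides, pnpm.overrides
and Yarn resolutions all accept; the page only says the field points a
package at its @rootio/ equivalent. The lockfile check assumes the
package-lock.json v2/v3 layout, where an aliased install records the real
package under "name".
"""
import copy
from typing import Dict, Iterable, List

SCOPE = "@rootio"

# Where each package manager reads overrides from inside package.json.
OVERRIDE_FIELD = {
    "npm": ("overrides",),
    "pnpm": ("pnpm", "overrides"),
    "yarn": ("resolutions",),
}


def root_override_spec(name: str, version: str) -> str:
    """Dependency specifier that aliases `name` to its patched scoped copy,
    keeping the version you already declared (Root does not bump versions)."""
    return f"npm:{SCOPE}/{name}@{version}"


def add_root_overrides(package_json: dict, manager: str, packages: Dict[str, str]) -> dict:
    """Return a copy of package_json with an override for each name -> version.

    Existing overrides for other packages are preserved and the input is not
    modified. Overrides apply to every occurrence of the package in the tree,
    direct or transitive, so the dependencies of your dependencies are covered
    without editing them."""
    if manager not in OVERRIDE_FIELD:
        raise ValueError(f"unsupported package manager: {manager}")
    pj = copy.deepcopy(package_json)
    *parents, leaf = OVERRIDE_FIELD[manager]
    node = pj
    for key in parents:
        node = node.setdefault(key, {})
    overrides = node.setdefault(leaf, {})
    for name, version in packages.items():
        if name.startswith(SCOPE + "/"):
            raise ValueError(f"{name} is already the scoped package; override the original name")
        overrides[name] = root_override_spec(name, version)
    return pj


def unpatched_in_npm_lockfile(lock: dict, names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each package name to the install paths in package-lock.json that
    still resolve to the unscoped (unpatched) package. Nested copies under
    node_modules/<dep>/node_modules/<name> are checked too; any hit means the
    override was not applied there and the lockfile must be regenerated."""
    wanted = set(names)
    stale: Dict[str, List[str]] = {n: [] for n in wanted}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        installed = path.rsplit("node_modules/", 1)[-1]
        if installed in wanted and not entry.get("name", installed).startswith(SCOPE + "/"):
            stale[installed].append(path)
    return stale


# Constructed inputs: versions are placeholders and imply nothing about real packages.
SAMPLE_PACKAGE_JSON = {
    "name": "example-service",
    "version": "1.0.0",
    "dependencies": {"axios": "1.6.8", "example-lib": "2.0.0"},
}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-service"},
        "node_modules/axios": {"name": "@rootio/axios", "version": "1.6.8"},
        "node_modules/example-lib": {"version": "2.0.0"},
        "node_modules/example-lib/node_modules/axios": {"version": "1.6.8"},
    },
}

if __name__ == "__main__":
    import json
    for manager in OVERRIDE_FIELD:
        print(manager, json.dumps(add_root_overrides(SAMPLE_PACKAGE_JSON, manager, {"axios": "1.6.8"})))
    print(unpatched_in_npm_lockfile(SAMPLE_LOCK, ["axios"]))
```

The constructed lockfile shows the case worth catching: the top-level axios has been redirected, but a nested copy under example-lib has not, which is what a lockfile written before the override was added looks like. Re-run the install so the lockfile is regenerated, then run the check again in CI so the redirect cannot silently regress.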

Is Gradle supported?

Gradle support is coming soon. Maven is the supported Java build tool today. Contact Root if Gradle support is blocking your adoption.

Security and Compliance

What is a Root Patch?

A Root Patch is the smallest safe change that eliminates a known vulnerability from a package or image, applied in-place without forcing a version upgrade. Root uses two patch types:
  • Backported patch — a security fix from a newer version, applied to the version you’re running
  • Native distribution package upgrade — the distribution’s own updated package, applied when available and safe
See Root Patches for the full explanation.

What is a VEX statement?

VEX (Vulnerability Exploitability eXchange) is a machine-readable document that states, per product and per vulnerability, whether a known vulnerability is exploitable in that product. Root generates a VEX statement for every patched artifact, recording which CVEs were fixed and which remaining known findings are not applicable. This matters because a Root Patch does not change the version string, so a scanner that matches on version alone will keep reporting the fixed CVE; the VEX statement is what lets you reconcile those reports. See VEX Statements.
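Reconciling scanner output against a VEX statement is the routine consumer-side step, and it is where the "which CVEs were fixed, which are not applicable" artifact listed above gets used. The following is an added example, not Root's tooling: it indexes a VEX document by (product purl, CVE) and sorts each scanner finding into closed (fixed or not_affected), open (affected, under_investigation, or no statement at all) or suspect (not_affected with no justification, which should not be accepted at face value). The VEX document is constructed in OpenVEX form, which is an assumption since the page does not name the format Root ships; the CVE identifiers, purls and findings are placeholders.

```python
"""Reconcile scanner findings against a VEX document.

Added example, not Root's tooling. The VEX document below is constructed in
OpenVEX form (an assumption: the page says Root ships a VEX statement but
does not name the format) and uses placeholder CVE identifiers and purls.
"""
from typing import Dict, Iterable, List, Tuple

# OpenVEX status values; only these two mean a finding needs no further work.
CLOSED = {"fixed", "not_affected"}


def index_vex(vex: dict) -> Dict[Tuple[str, str], dict]:
    """Map (product purl, vulnerability name) -> the statement covering it."""
    idx = {}
    for st in vex.get("statements", []):
        vuln = st["vulnerability"]["name"]
        for product in st.get("products", []):
            idx[(product["@id"], vuln)] = st
    return idx


def reconcile(findings: Iterable[Tuple[str, str]], vex: dict) -> Dict[str, List[Tuple[str, str, str]]]:
    """Classify scanner findings, given as (purl, cve) pairs.

    closed:  fixed, or not_affected with a stated justification
    suspect: not_affected with no justification (do not accept blindly)
    open:    affected, under_investigation, or no statement for that pair
    Each entry is (purl, cve, reason)."""
    idx = index_vex(vex)
    result: Dict[str, List[Tuple[str, str, str]]] = {"closed": [], "open": [], "suspect": []}
    for purl, cve in findings:
        st = idx.get((purl, cve))
        if st is None:
            result["open"].append((purl, cve, "no VEX statement"))
            continue
        status = st["status"]
        if status == "not_affected" and not st.get("justification"):
            result["suspect"].append((purl, cve, "not_affected without justification"))
        elif status in CLOSED:
            result["closed"].append((purl, cve, status))
        else:
            result["open"].append((purl, cve, status))
    return result


# Constructed OpenVEX document with placeholder identifiers.
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "constructed example",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2099-0001"},
         "products": [{"@id": "pkg:pypi/example-lib@1.2.3"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-2099-0002"},
         "products": [{"@id": "pkg:deb/debian/example-tool@2.0-1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2099-0003"},
         "products": [{"@id": "pkg:deb/debian/example-tool@2.0-1"}],
         "status": "not_affected"},
        {"vulnerability": {"name": "CVE-2099-0004"},
         "products": [{"@id": "pkg:npm/example-pkg@3.0.0"}],
         "status": "under_investigation"},
    ],
}

# Constructed scanner output: (purl, cve). The version strings are unchanged
# by a Root Patch, which is why a version-matching scanner still reports them.
SAMPLE_FINDINGS = [
    ("pkg:pypi/example-lib@1.2.3", "CVE-2099-0001"),
    ("pkg:deb/debian/example-tool@2.0-1", "CVE-2099-0002"),
    ("pkg:deb/debian/example-tool@2.0-1", "CVE-2099-0003"),
    ("pkg:npm/example-pkg@3.0.0", "CVE-2099-0004"),
    ("pkg:npm/example-pkg@3.0.0", "CVE-2099-0005"),
]

if __name__ == "__main__":
    for bucket, entries in reconcile(SAMPLE_FINDINGS, SAMPLE_VEX).items():
        print(bucket)
        for purl, cve, reason in entries:
            print(f"  {cve} {purl}: {reason}")
```

Matching is on the exact purl, so a VEX statement only suppresses a finding for the product it names; a finding on a different version or a different package type stays open, which is the behaviour you want. The suspect bucket exists because a bare not_affected tells you nothing about why, and a VEX consumer that silences findings on that alone has just built an allowlist with no audit trail.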

Does Root provide SBOMs?

Yes. Every artifact from cr.root.io and pkg.root.io ships with an SBOM in SPDX or CycloneDX format. SBOMs are updated whenever a Root Patch is applied. See SBOMs.

Can Root help us meet FedRAMP / SOC 2 / PCI-DSS requirements?

Root’s continuous vulnerability remediation and audit-ready artifacts (SBOM, VEX, provenance) support common compliance frameworks. See Trust & Compliance for details, or contact Root for specific compliance use cases.

What happens if Root can’t fix a vulnerability?

If no upstream fix or applicable patch candidate exists, the vulnerability enters No Fix Available status. Root continues monitoring and will begin remediation automatically as soon as an upstream fix becomes available. See Vulnerability Statuses.

Operations

Do I need to change my CI/CD pipeline?

Typically no. You update the registry reference in your Dockerfile or package manager configuration, and existing pipeline steps continue to work. See the Integrations section for CI/CD-specific guidance.

Can I use Root with a private registry (ECR, JFrog Artifactory, etc.)?

Yes. Root’s registries are designed to work as an upstream source for private registries. You can mirror or proxy cr.root.io and pkg.root.io through your internal registry. See Amazon ECR and JFrog Artifactory for setup guides.

How do I get access to Root?

Contact Root to request access. You’ll receive credentials for cr.root.io and pkg.root.io along with onboarding support.