# FAQ

> Frequently asked questions about Root, Root Image Catalog, Root Library Catalog, and the AVR pipeline.

## General

### What is Root?

Root is a secure software supply platform. It delivers container images and application packages with vulnerabilities already remediated - so you consume the same open source you rely on today, but without the CVEs. Root's core technology is AVR (Agentic Vulnerability Remediation): a pipeline of AI agents that research, patch, test, and deliver fixes automatically.

### How is Root different from a vulnerability scanner?

Scanners find vulnerabilities. Root fixes them. Instead of generating tickets and alert noise, Root applies Root Patches to the packages you consume before they reach your environment. You still get full transparency - SBOM, VEX, provenance - but the work of remediation happens on Root's side, not yours.

### Do I have to migrate my stack to use Root?

No. Root works as a drop-in registry replacement. For containers, you change the registry prefix in your Dockerfile (`cr.root.io/` instead of bare Docker Hub references). For packages, you point your package manager at `pkg.root.io`. Package names, version numbers, tags, and APIs are identical. No application code changes are required.

### What open source ecosystems does Root support?

**Container images:** Root Image Catalog (`cr.root.io`) covers 500+ image families - Python, Node, Nginx, Redis, PostgreSQL, and more.

**Application packages:** Root Library Catalog (`pkg.root.io`) supports:

* Python: pip, uv, Poetry
* JavaScript: npm, pnpm, Yarn 1, Yarn 3+
* Java: Maven, Gradle

***

## Root Image Catalog

### What images are available?

Root Image Catalog provides patched versions of popular Docker Hub images. See [Supported Images](/ric/supported-images) for the full list. Images include all major language runtimes, databases, web servers, and infrastructure tools.

### Do the images use the same tags?

Yes. Tags are preserved. `cr.root.io/python:3.12-slim` behaves identically to `docker.io/python:3.12-slim` - same entrypoints, same environment variables, same behavior - with CVEs removed.

### What happens when a new CVE is published?

AVR automatically detects the new vulnerability in subscribed images. The pipeline researches the fix, applies the smallest safe patch, validates it, and publishes the updated image at `cr.root.io`. Your next pull gets the patched version. No action required on your end.

### How long until a patched image is available after a CVE disclosure?

Root's SLA commitments:

| Severity | Patch Available Within |
| -------- | ---------------------- |
| Critical | 7 days                 |
| High     | 14 days                |
| Medium   | 60 days                |

In practice, Root often patches Critical and High vulnerabilities significantly faster than the SLA.

### What security artifacts ship with each image?

Every image at `cr.root.io` includes:

* **SBOM** - full component inventory in SPDX or CycloneDX format
* **VEX statement** - which CVEs were fixed, which are not applicable
* **Provenance attestation** - cryptographic proof of Root's build pipeline

***

## Root Library Catalog

### How does Root patch packages without changing the version?

Root applies backported patches - taking the security fix from a newer version and applying it to the exact version you declared. The version string stays the same; only the vulnerability is removed. This is the same technique Linux distributions use to maintain long-term support branches.

### Do I have to change my dependency files?

For Python and Java, no - packages resolve transparently. For JavaScript, you add an `overrides` (npm), `pnpm.overrides` (pnpm), or `resolutions` (Yarn) field to `package.json` pointing vulnerable packages to their `@rootio/`-scoped equivalents. Your import statements don't change.

### Why does JavaScript use `@rootio/` scoped packages?

The npm registry doesn't allow publishing patched versions under the original package name. Root publishes patched packages under the `@rootio/` scope and uses the package manager's override/resolution mechanism to transparently redirect resolution. Your code still imports `axios` - it just resolves to `@rootio/axios` under the hood.

### Is Gradle supported?

Yes. Use the [Root.io Gradle Plugin](/integrations/gradle) - it automatically patches vulnerable dependencies at build time with no changes to your dependency declarations.

***

## Security and Compliance

### What is a Root Patch?

A Root Patch is the smallest safe change that eliminates a known vulnerability from a package or image, applied in-place without forcing a version upgrade. Root uses two patch types:

* **Backported patch** - a security fix from a newer version, applied to the version you're running
* **Native distribution package upgrade** - the distribution's own updated package, applied when available and safe

See [Root Patches](/concepts/root-patches) for the full explanation.

### What is a VEX statement?

VEX (Vulnerability Exploitability eXchange) is a machine-readable document that communicates whether a known vulnerability in a component is actually exploitable. Root generates a VEX statement for every patched artifact, documenting which CVEs were fixed and asserting non-exploitability for remaining known findings. See [VEX Statements](/concepts/vex).
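To show how the VEX statement described here and the unchanged version string from the "How does Root patch packages without changing the version?" answer fit together, here is an added example (not code from Root) that filters a constructed set of scanner findings through a constructed VEX document. It assumes the OpenVEX JSON layout, since the FAQ does not specify which VEX format Root produces, and every CVE and product identifier in it is a placeholder.

```javascript
// Added example (not from the Root docs): a version-matching scanner keeps flagging a
// backported fix because the version string did not change; the VEX statement is what
// records that the CVE is fixed. OpenVEX layout assumed; all ids are placeholders.
const PRODUCT = 'pkg:oci/example-image@sha256:PLACEHOLDER'; // constructed product id
const SUPPRESSING_STATUSES = new Set(['fixed', 'not_affected']);
// Constructed VEX document. CVE ids are placeholders, not real advisories.
const vexDoc = {
  '@context': 'https://openvex.dev/ns/v0.2.0',
  '@id': 'https://example.invalid/vex/constructed-1',
  author: 'constructed example',
  timestamp: '2024-01-01T00:00:00Z',
  version: 1,
  statements: [
    { vulnerability: { name: 'CVE-0000-0001' }, products: [{ '@id': PRODUCT }], status: 'fixed' },
    { vulnerability: { name: 'CVE-0000-0002' }, products: [{ '@id': PRODUCT }],
      status: 'not_affected', justification: 'vulnerable_code_not_present' },
    { vulnerability: { name: 'CVE-0000-0003' }, products: [{ '@id': PRODUCT }], status: 'under_investigation' },
    // A statement about a different product must not suppress anything for PRODUCT.
    { vulnerability: { name: 'CVE-0000-0004' }, products: [{ '@id': 'pkg:oci/other@sha256:PLACEHOLDER' }], status: 'fixed' },
  ],
};
// Constructed scanner output for PRODUCT: what a version-matching scanner still reports.
const scannerFindings = [
  { id: 'CVE-0000-0001', pkg: 'libexample', version: '1.0.0' },
  { id: 'CVE-0000-0002', pkg: 'libexample', version: '1.0.0' },
  { id: 'CVE-0000-0003', pkg: 'libother', version: '2.1.0' },
  { id: 'CVE-0000-0004', pkg: 'libother', version: '2.1.0' },
];

// Map CVE id -> statement, keeping only statements that name the product being triaged.
function indexVex(vex, productId) {
  const byCve = new Map();
  for (const s of vex.statements) {
    if ((s.products || []).some((p) => p['@id'] === productId)) byCve.set(s.vulnerability.name, s);
  }
  return byCve;
}

// Suppress a finding only when VEX says fixed / not_affected for this product; anything
// else (no statement, affected, under_investigation) stays actionable.
function triage(findings, vex, productId) {
  const byCve = indexVex(vex, productId);
  const suppressed = [], actionable = [];
  for (const f of findings) {
    const s = byCve.get(f.id);
    if (s && SUPPRESSING_STATUSES.has(s.status)) suppressed.push({ ...f, status: s.status, justification: s.justification });
    else actionable.push(f);
  }
  return { suppressed, actionable };
}

console.log(triage(scannerFindings, vexDoc, PRODUCT));
```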

### Does Root provide SBOMs?

Yes. Every artifact from `cr.root.io` and `pkg.root.io` ships with an SBOM in SPDX or CycloneDX format. SBOMs are updated whenever a Root Patch is applied. See [SBOMs](/concepts/sbom).

### Can Root help us meet FedRAMP / SOC 2 / PCI-DSS requirements?

Root's continuous vulnerability remediation and audit-ready artifacts (SBOM, VEX, provenance) support common compliance frameworks. See [Trust & Compliance](/compliance/overview) for details, or [contact Root](https://root.io) for specific compliance use cases.

### What happens if Root can't fix a vulnerability?

If no upstream fix or applicable patch candidate exists, the vulnerability enters **No Fix Available** status. Root continues monitoring and will begin remediation automatically as soon as an upstream fix becomes available. See [Vulnerability Statuses](/concepts/vulnerability-statuses).

***

## Operations

### Do I need to change my CI/CD pipeline?

Typically no. You update the registry reference in your Dockerfile or package manager configuration, and existing pipeline steps continue to work. See the [Integrations](/integrations/overview) section for CI/CD-specific guidance.

### Can I use Root with a private registry (ECR, JFrog Artifactory, etc.)?

Yes. Root's registries are designed to work as an upstream source for private registries. You can mirror or proxy `cr.root.io` and `pkg.root.io` through your internal registry. See [Amazon ECR](/integrations/ecr) and [JFrog Artifactory](/integrations/jfrog-artifactory) for setup guides.

### How do I get access to Root?

[Contact Root](https://root.io) to request access. You'll receive credentials for `cr.root.io` and `pkg.root.io` along with onboarding support.
