Root provides a suite of reports and dashboards that give AppSec and Security Leadership continuous visibility into the state of your supply chain - what’s been patched, what’s still exposed, and how your posture has changed over time.

Available Reports

| Report | Description |
|---|---|
| Vulnerability Reports | CVE coverage and patch status across all adopted images and packages |
| SBOM Reports | Current SBOMs for every artifact in your environment |
| VEX Reports | VEX statement coverage and scanner integration |
| Dashboard & Metrics | CVE backlog trends, MTTR, and patch coverage metrics |

Accessing Reports

Root platform UI: The dashboard and all report views are accessible from the Root platform at app.root.io. Log in with your organization credentials. The left sidebar provides navigation to:
  • Dashboard - fleet-wide metrics at a glance
  • Vulnerabilities - full CVE table with filtering and export
  • Reports - vulnerability reduction graphs and per-artifact views
  • Subscriptions - per-image and per-package patch status
Root API: Every report is accessible programmatically via the Root REST API at https://api.root.io/v1. Authenticate with a Bearer token:
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/patches?ticket_statuses=done&limit=100"
See the API Reference for the full endpoint list.
Export formats:

| Format | Available From |
|---|---|
| CSV | Vulnerabilities page (UI export button) |
| JSON | API endpoints |
| CycloneDX / SPDX | SBOM and VEX download endpoints |

Webhook notifications: Root can deliver patch events to a webhook endpoint in real time - when a patch is applied to a subscribed artifact, Root sends a notification to your endpoint. Integrate with Slack, PagerDuty, Jira, or your SIEM. Contact Root to configure webhooks.

Integrating with Your Security Stack

Root reports are designed to integrate with existing security tooling:
  • Vulnerability scanners (Grype, Trivy): Import Root SBOM and VEX files into your scanner to suppress findings for patched CVEs. See VEX Reports for scanner-specific instructions.
  • ASPM platforms (Wiz, Orca, Snyk): Use VEX statements to update finding status in your ASPM. Root’s VEX marks patched CVEs as fixed, suppressing them from active alert queues.
  • SIEM (Splunk, Elastic): Poll the Root API on a schedule to ingest patch events. Use the /patches endpoint filtered by updated_at to get incremental updates.
  • Dependency-Track: Import Root SBOMs (CycloneDX format) directly into Dependency-Track projects for continuous monitoring and policy evaluation.
  • Ticketing (Jira, ServiceNow): Use webhooks or API polling to automatically close vulnerability tickets when Root delivers a patch.
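
An added example (not Root's code) of the scheduled SIEM polling described above: it keeps a high-water mark on updated_at so each poll forwards only patch events it has not already ingested, including records that share the boundary timestamp. The JSON-array response shape, the `id` field and ISO-8601 `updated_at` values are assumptions; filtering is done client-side because the page does not name the server-side filter parameter.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API = "https://api.root.io/v1/patches"  # endpoint named on the page
# Constructed sample records; the id/updated_at field names are assumptions.
SAMPLE = [
    {"id": "p-1", "updated_at": "2024-05-01T10:00:00Z"},
    {"id": "p-2", "updated_at": "2024-05-01T10:05:00Z"},
    {"id": "p-3", "updated_at": "2024-05-01T10:05:00Z"},
]

def parse_ts(value):
    # Assumption: ISO-8601 timestamps; normalise to UTC before comparing.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def fetch_patches(token, limit=100):
    # Only the query parameters shown on the page; assumes a JSON array body.
    query = urllib.parse.urlencode({"ticket_statuses": "done", "limit": limit})
    req = urllib.request.Request(f"{API}?{query}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def select_new(records, checkpoint):
    # Checkpoint = highest updated_at seen plus the ids seen at that instant,
    # so same-timestamp records are neither dropped nor forwarded twice.
    last = parse_ts(checkpoint["ts"]) if checkpoint.get("ts") else None
    seen = set(checkpoint.get("ids", []))
    fresh = []
    for rec in sorted(records, key=lambda r: parse_ts(r["updated_at"])):
        ts = parse_ts(rec["updated_at"])
        if last is not None and (ts < last or (ts == last and rec["id"] in seen)):
            continue  # already ingested on an earlier poll
        fresh.append(rec)
    if not fresh:
        return [], checkpoint
    top = parse_ts(fresh[-1]["updated_at"])
    ids = {r["id"] for r in fresh if parse_ts(r["updated_at"]) == top}
    if top == last:
        ids |= seen  # still on the same boundary instant: keep earlier ids
    return fresh, {"ts": top.isoformat(), "ids": sorted(ids)}

if __name__ == "__main__":
    token = os.environ.get("ROOT_TOKEN")  # without a token, run on SAMPLE
    batch = fetch_patches(token) if token else SAMPLE
    events, state = select_new(batch, {"ts": None, "ids": []})
    for event in events:
        print(json.dumps(event, sort_keys=True))  # one JSON line per SIEM event
```

Persist the returned checkpoint between scheduled runs so a restart resumes from the last ingested event rather than replaying the backlog.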