A Root Patch is the smallest safe fix for a vulnerable package. For container images, Root Patches target OS-level packages and language runtime packages installed inside the image.

What is a Root Patch?

[Definition, scope — what gets patched inside a container image (OS packages, runtime, installed tools) coming soon]

Patch Types

[Backported patches — applying a fix to an older version without upgrading; native distribution package upgrades — using the distro’s own updated package coming soon]

How Patches Are Applied Without Rebuilding

[Root patches in place rather than rebasing to a new upstream — why this matters for reproducibility and compatibility coming soon]

Viewing Patch History for an Image

[How to see which CVEs were patched, which Root Patches were applied, and when coming soon]

SBOM and VEX for Patched Images

[What the updated SBOM contains, how VEX statements document each patched vulnerability, formats (SPDX, CycloneDX) coming soon]

Patch Freshness SLA

[Root’s commitment to patch availability after CVE publication coming soon]