Root OSS Security Platform

Open source is the foundation of modern software. It is also the fastest-growing attack surface in the world.

In March 2026, five major supply chain attacks landed in 12 days. Trivy, the vulnerability scanner trusted by thousands of organizations, was weaponized to exfiltrate CI/CD secrets. Axios, with 100M+ weekly downloads, was compromised by a North Korean state actor who deployed cross-platform RATs through a single hidden dependency. LiteLLM was poisoned on PyPI. The malicious packages were live for hours before removal. Hours is all it takes.

The problem is accelerating. AI coding agents now pull dependencies at machine speed with no human review. Every docker pull, every npm install, every pip install that an agent executes expands your attack surface. Agents trust the registry. They pull latest. They don't check provenance.

Root is the security boundary between upstream open source and your build environment.

The Root OSS Security Platform continuously monitors, patches, tests, and delivers hardened versions of the open source images and libraries your applications depend on. Every artifact is rebuilt from source with full provenance. No unknown binaries. No hidden malware. No unpatched vulnerabilities in your builds.

WHAT'S INCLUDED

Hardened Container Images: Continuously remediated base OS images built on Debian, Ubuntu, and Alpine, plus official runtimes for Python, Node, Java, and more. Full version history spanning 3-5 years. Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04.

Patched Application Dependencies: Remediated library versions across JavaScript (npm), Python (PyPI), and Java (Maven). Root resolves vulnerable dependencies in place through targeted backports, without forcing major version upgrades or breaking your dependency tree.

Compliance Artifacts: Every artifact ships with SBOM (CycloneDX), VEX documentation, and attestation. Audit-ready proof for SOC 2, FedRAMP, and FIPS 140-2/3.

Coverage is continuously expanding across new base OS distributions and language ecosystems.

WHY ROOT

Scanners find problems. Root fixes them. When Trivy itself was compromised in March 2026, Root's hardened artifacts remained unaffected. We rebuild from source with independent verification.

Shift Out, not Shift Left. Root remediates outside your developer workflow so teams ship features instead of chasing vulnerability backlogs.

Built from Source, Every Time. No opaque binaries. No trust-me patches. Complete provenance from source to registry.

Zero Breaking Changes. If it worked on the official upstream version, it works on Root's version. Every patch is tested against CVE-specific and functional test suites before delivery.

HOW IT WORKS

1. RESEARCH: Root's agents continuously monitor CVE advisories, upstream commits, exploits, and security disclosures on the projects you care about.
2. PATCH: Apply the smallest safe fix. Upgrade if possible. Backport if not. No forced migrations.
3. TEST: Package tests, functional tests, and CVE-specific regression tests.
4. DELIVER: Deliver the hardened artifact into your registry with full provenance.

INTEGRATION

Works with AWS ECR, Docker Hub, GCR/GAR, GitLab and more. No pipeline disruption. Native CI/CD integration. Compatible with Trivy, Grype, Aikido, and all major scanners.

Additional flexible integration point at your IDE, Agents and beyond.

COMPLIANCE

SOC 2 Type 2 certified. SLSA Level 3 verified. FIPS 140-2/3 ready. FedRAMP ready.

PRICING

Three tiers. All require 12-month term, billed monthly. Essentials: start securing your open source today with catalog access and reasonable-effort remediation. Professional: contractual SLAs, expanded coverage, and catalog request entitlements. Enterprise: unlimited coverage, 7-day Critical/High SLA, service credits, FIPS, and FedRAMP.