
Root Library Catalog (RLC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Root patches your application dependencies (npm, PyPI, Maven, Go, and more) in place at your pinned versions, eliminating CVEs without forcing upgrades or breaking your builds.
If you use it, we support it.
*Libraries requires an active Root Image Catalog (RIC) subscription or equivalent base image support.






The problem
Application libraries are a nightmare
The Inventory Illusion: Most organizations think they know what software they're running. They don't. You might know your base OS. Maybe. But your application libraries? They're buried three layers deep in dependency trees, hiding inside node_modules, scattered across requirements.txt, locked in uv.lock files.
While base images account for many CVEs, the most complex and critical vulnerabilities often live in your application libraries. Manually managing these is a nightmare:



Developer disruption
Engineers lose 20-30% of their sprint capacity to the CVE grind: triaging alerts, negotiating safe upgrades, and running endless regression tests.
Forced upgrades breakage
The default fix—upgrading a dependency—can have a cascading effect, forcing other upgrades and introducing breaking changes that bring development to a halt.
Pinned dependencies
Your most critical systems often rely on older, pinned dependencies that can’t be easily upgraded. This leaves you with a permanent, unfixable attack surface.
Massive backlogs
Vulnerability backlogs grow faster than your team can manage, creating a huge operational burden and leaving you exposed to risk for months or even years.
Why Hardened Images Aren't Enough Anymore
Three years ago, a clean Alpine or Distroless base image was a differentiator. Today? Table stakes. Prices for FIPS-compliant OS images are dropping. Basic OS security is a solved problem. The real danger—and the real complexity—lives in your application libraries. Competitors will sell you a pristine base OS, then leave you alone to fight the war in your Python packages and Node dependencies. That's where 80% of your actual CVE exposure lives. And that's exactly where they abandon you.
Root is the only platform that delivers a patch stream for both your OS and your application libraries. One vendor. One SLA. Complete coverage.
The solution:
Shift Out
We say, it’s time to Shift Out.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may sound crazy, but we’ve made it real.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece of open source code on this planet.

Root’s Libraries offering is a managed patching service that fixes vulnerabilities in your application dependencies at the versions you run. No more forced upgrades. No more dependency hell.

Our Agentic Vulnerability Remediation (AVR) platform automates the entire process, delivering secure, patched versions of your libraries without disrupting your workflow.
How it works
Research, patch, test, replace
Root Libraries doesn't ask you to 'bring your inventory.' We take the burden of discovery and remediation off your plate entirely:
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture. You provide the vulnerable library (library@version) and CVEs, often via scanner export (Snyk, Prisma, Aikido, etc.).

Patch
Apply the smallest safe fix: our AI-powered agents generate the minimal change that closes the CVE, often a backport of the upstream security patch rather than a full version upgrade.

Test
Run package tests, functional tests, and CVE-specific tests. Expert security researchers review and validate every patch for safety, correctness, and effectiveness.

Replace
Deliver a built-from-source, patched artifact (e.g., django==4.2.1-root) with complete chain of trust: provenance, attestation, SBOM (CycloneDX), VEX, and before/after CVE delta report.
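
The Replace step hands you a patched artifact together with an SBOM, a VEX document and a before/after CVE delta. Before a CI pipeline swaps django==4.2.1 for django==4.2.1-root, it should check that chain itself rather than take the delta report on trust. The Python below is an added example written for this page; it is not Root's tooling and makes no claim about Root's actual artifact layout. It assumes a CycloneDX 1.5 SBOM and a CycloneDX VEX document, uses constructed inline data with placeholder CVE identifiers (CVE-0000-000x, not real vulnerabilities), hashes a placeholder byte string where a real gate would hash the downloaded wheel, and treats the "-root" version suffix shown above as the lineage marker. It verifies the SHA-256 recorded in the SBOM against the artifact, checks that the patched version descends from the pinned one, and computes the CVE delta from the VEX claims, refusing the artifact whenever a scanner-reported CVE is left unaddressed.

```python
import hashlib
import json
from typing import Optional

# Placeholder artifact bytes (constructed); a real gate hashes the downloaded wheel.
ARTIFACT_BYTES = b"placeholder wheel contents for django 4.2.1-root (constructed)"

# Scanner export for the pinned version we asked to have patched (constructed;
# the CVE ids are placeholders, not real vulnerabilities).
SCANNER_EXPORT = {
    "package": "django",
    "version": "4.2.1",
    "cves": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"],
}

REF = "pkg:pypi/django@4.2.1-root"

# Constructed CycloneDX 1.5 SBOM shipped alongside the patched artifact.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{
        "type": "library",
        "bom-ref": REF,
        "name": "django",
        "version": "4.2.1-root",
        "purl": REF,
        "hashes": [{"alg": "SHA-256",
                    "content": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}],
    }],
}

# Constructed CycloneDX VEX: the patcher's claim about each CVE in this build.
# CVE-0000-0003 is deliberately absent so the gate's fail-closed path is exercised.
VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "analysis": {"state": "resolved", "detail": "upstream fix backported"},
         "affects": [{"ref": REF}]},
        {"id": "CVE-0000-0002",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"},
         "affects": [{"ref": REF}]},
    ],
}

# CycloneDX analysis states that close a finding for the consumer.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}


def find_component(sbom: dict, name: str) -> Optional[dict]:
    """Locate the patched library in the SBOM by component name."""
    for comp in sbom.get("components", []):
        if comp.get("name") == name:
            return comp
    return None


def verify_hash(component: dict, artifact: bytes) -> bool:
    """True only when the SBOM carries a SHA-256 that matches the downloaded bytes."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower() == hashlib.sha256(artifact).hexdigest()
    return False  # no SHA-256 at all fails closed


def cve_delta(scanner_cves, vex: dict, component_ref: str) -> dict:
    """Before/after delta: which scanner-reported CVEs the VEX actually closes."""
    claims = {}
    for vuln in vex.get("vulnerabilities", []):
        if component_ref in {a.get("ref") for a in vuln.get("affects", [])}:
            claims[vuln["id"]] = vuln.get("analysis", {}).get("state", "in_triage")
    after = sorted(c for c in scanner_cves if claims.get(c) not in CLOSED_STATES)
    return {
        "before": sorted(scanner_cves),
        "after": after,
        "fixed": sorted(c for c in scanner_cves if claims.get(c) in CLOSED_STATES),
        "silent_in_vex": sorted(c for c in scanner_cves if c not in claims),
    }


def gate(scanner_export: dict, sbom: dict, vex: dict, artifact: bytes) -> dict:
    """Accept the artifact only if hash, version lineage and VEX coverage all check out."""
    problems = []
    comp = find_component(sbom, scanner_export["package"])
    if comp is None:
        return {"accept": False, "problems": ["package missing from SBOM"], "delta": None}
    if not comp.get("version", "").startswith(scanner_export["version"]):
        problems.append("version lineage mismatch: " + str(comp.get("version")))
    if not verify_hash(comp, artifact):
        problems.append("SBOM SHA-256 does not match the downloaded artifact")
    delta = cve_delta(scanner_export["cves"], vex, comp["bom-ref"])
    if delta["after"]:
        problems.append("VEX leaves CVEs open: " + ", ".join(delta["after"]))
    return {"accept": not problems, "problems": problems, "delta": delta}


if __name__ == "__main__":
    print(json.dumps(gate(SCANNER_EXPORT, SBOM, VEX, ARTIFACT_BYTES), indent=2))
```

The gate fails closed on purpose: a missing SHA-256, a version that does not descend from the pin, or a CVE the VEX is silent about all block the swap, so the delta you act on can never show fewer open findings than the VEX justifies. Verifying the provenance and attestation signatures on the artifact is a separate step that this example does not cover.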

Delivery model
Libraries are fulfilled via contracted fix-rate throughput (e.g., 5 fixes/week, 10 fixes/week) with Critical/High vulnerabilities automatically prioritized. CISA KEV vulnerabilities receive priority treatment regardless of capacity constraints.

Shift Out means



All open source is fixed
Use your version, your stack – and it’s already fixed with no forced upgrades and no vendor-imposed images.



CVE work drops to zero
There’s no more triage and no more manual patching. CVE work is done for you – not by you.



Every fix is trustworthy
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.



Every fix is transparent
AppSec and Devs can always see exactly what was fixed, how it was tested, and why it can be trusted.




Key features & benefits

Automatic discovery
We connect to your Artifactory or registry and analyze your actual production usage—not theoretical dependency trees, but the libraries you're running right now.
No inventory burden: We discover what you use. No spreadsheets. No guessing. No manual cataloging.

Contractual SLA coverage
If you use it, we support it. Once we discover a library you rely on, we commit to patching new vulnerabilities against it—regardless of whether it was in our catalog yesterday.
Guaranteed coverage: Your stack becomes our responsibility. Contractual SLA means you're covered, not just cataloged.

Built-from-source artifacts
Every patched library is rebuilt from source, so you never take an opaque prebuilt binary on trust. Complete chain of trust with provenance, attestation, SBOM, and VEX.
Complete trust: Reduce supply chain risk with verifiable, transparently built libraries. See exactly what was fixed and how it was tested.

Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.

Multi-ecosystem support
Secure libraries across npm, PyPI, Maven, Go, and more. One platform. One SLA. Complete coverage.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation for every library.

Complete security artifacts
Every patched library includes SBOM (CycloneDX), VEX, attestation, and before/after CVE delta reports for audit-ready compliance.
Future-proof your dependencies: Secure older, pinned dependencies without being forced to upgrade. Maintain compatibility while eliminating risk.

Who is RLC for?



Security teams
Eliminate 60-70% of CVE noise from scanners; focus on high-impact application-level risks.



Platform & DevOps teams
Standardize on a secure foundation; eliminate image drift and reduce maintenance overhead.



Developers
Pull secure images by default; never blocked by base image vulnerabilities. Zero learning curve, no migration required.



Compliance & GRC teams
Generate audit-ready proof on demand for SOC 2, FedRAMP, and other regulatory requirements.
Pricing model
Simple, predictable
We offer two simple pricing models for Root Libraries, designed to scale with your needs. Both models include contractual SLA commitments: if you use a library, we support it. No catalog limitations.
Root Library Catalog
Best for:
Teams with defined, predictable workloads
Pricing Unit:
Fixed-price for all versions within a library
Image & Library Bundle
Best for:
Includes Root Image Catalog. Growing teams, microservices architectures, and organizations with 40+ containers
Pricing Unit:
Per-developer seat, with no limit on container usage
All subscriptions include:
Registry SLA guarantees (30-day Standard or 7-day Enhanced for Critical/High vulnerabilities)
Full version history (3-5 years) and dual-architecture support (AMD64 + ARM64)
Complete security artifact chain (provenance, attestation, SBOM, VEX, malware scans)
Standard support (Premium Support available with RIC + Libraries bundle)
Why we don’t suck



No forced reengineering



No vendor lock-in



No restrictions on open source



Full transparency on every fix



One-click integration
Get started in minutes

Browse the community catalog
Explore our patched libraries and images for free at cr.root.io. Pull and use them in any project, no strings attached. (Community tier has no SLA guarantees).

Request a free POV
Want to see how RLC works on your specific libraries? We'll connect to your registry, discover what you use, and deliver patched versions in about a week.

Get a custom quote
Let’s design a plan that fits your team’s exact needs—whether Container Bundles or Unlimited per-seat pricing—and calculate the ROI you can expect.

Note: RLC covers base OS, runtimes, and bundled packages. For application-layer dependencies (npm, PyPI, Maven, etc.), see our Libraries add-on offering.


No migrations.
Just fixes.
See how Root's CVE-first architecture works in 3 minutes.