Root Library Catalog (RLC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Root patches your application dependencies (npm, PyPI, Maven, Go, and more) in place at your pinned versions, eliminating CVEs without forcing upgrades or breaking your builds.
If you use it, we support it.
*Libraries requires an active Root Image Catalog (RIC) subscription or equivalent base image support.


The problem
The Inventory Illusion: Most organizations think they know what software they're running. They don't. You might know your base OS. Maybe. But your application libraries? They're buried three layers deep in dependency trees: hiding inside node_modules, scattered across requirements.txt, locked in uv.lock files.
While base images account for many CVEs, the most complex and critical vulnerabilities often live in your application libraries. Manually managing these is a nightmare:
The solution:
Shift Out
We say, it’s time to Shift Out.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may sound crazy, but we’ve made it real.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece of open source code on this planet.

Root’s Libraries offering is a managed patching service that fixes vulnerabilities in your application dependencies at the versions you run. No more forced upgrades. No more dependency hell.

Our Agentic Vulnerability Remediation (AVR) platform automates the entire process, delivering secure, patched versions of your libraries without disrupting your workflow.
How it works
Research, patch, test, replace
Root Libraries doesn't ask you to 'bring your inventory.' We take the burden of discovery and remediation off your plate entirely:
Shift Out means

All open source is fixed
Use your version, your stack – and it’s already fixed with no forced upgrades and no vendor-imposed images.

CVE work drops to zero
There’s no more triage and no more manual patching. CVE work is done for you – not by you.

Every fix is trustworthy
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Every fix is transparent
AppSec and Devs can always see exactly what was fixed, how it was tested, and why it can be trusted.
Who is RLC for?

Security teams
Eliminate 60-70% of CVE noise from scanners; focus on high-impact application-level risks.

Platform DevOps teams
Standardize on a secure foundation; eliminate image drift and reduce maintenance overhead.

Developers
Pull secure images by default; never blocked by base image vulnerabilities. Zero learning curve, no migration required.

Compliance GRC teams
Generate audit-ready proof on demand for SOC 2, FedRAMP, and other regulatory requirements.
Pricing model
Simple, predictable
We offer two simple pricing models for Root Libraries, designed to scale with your needs. Both models include contractual SLA commitments: if you use a library, we support it. No catalog limitations.
Root Library Catalog
Best for:
Teams with defined, predictable workloads
Pricing Unit:
Fixed-price for all versions within a library
Image & Library Bundle
Best for:
Includes Root Image Catalog. Growing teams, microservices architectures, and organizations with 40+ containers
Pricing Unit:
Per-developer seat, with no limit on container usage
All subscriptions include:
Registry SLA guarantees (30-day Standard or 7-day Enhanced for Critical/High vulnerabilities)
Full version history (3-5 years) and dual-architecture support (AMD64 + ARM64)
Complete security artifact chain (provenance, attestation, SBOM, VEX, malware scans)
Standard support (Premium Support available with RIC + Libraries bundle)
Get started in minutes
Note: RLC covers base OS, runtimes, and bundled packages. For application-layer dependencies (npm, PyPI, Maven, etc.), see our Libraries add-on offering.