Root vs Chainguard
Backports > Rebuilds
Chainguard rebuilds from source and forces you onto latest. Root backports upstream fixes to your pinned versions. Same security patch. Zero breaking changes. No infrastructure migration.
The Rebuild-From-Source Tax
Rebuilding everything from source sounds great in a keynote. In production, it means forced registry migration, version upgrades that break compatibility, and daily rebuilds that change your entire stack. You're not buying vulnerability remediation; you're buying a platform migration disguised as a security tool.
Patch delivery speed
Base image changes
Version control
Registry migration
Minutes, not weeks
No changes required
Upgrades on your version
Works with existing tooling
Patch only with latest
Rebase to Wolfi
Proprietary images only
Disrupts workflows
Forced vendor lock-in
Trusted by companies who can't afford to slow down
Root Core Features
Root Features
Secure your container ecosystem with precision patching that works with your existing infrastructure.
01
Agentic Vulnerability Remediation (AVR)
Root backports upstream security patches directly to your pinned versions without forcing upgrades. We patch the CVE—not the entire release. Your openssl 1.1.1k becomes openssl 1.1.1k-root-patched with the vulnerability fixed. Same API. Same ABI. Zero breaking changes.
02
Full-Stack Coverage: Base Images + Dependencies
Root patches both OS packages AND application dependency trees (npm, PyPI, Maven). 80% of exploitable CVEs exist in application dependencies, not base images. Chainguard secures the base image and stops. Root secures the entire stack where real vulnerabilities live.
03
Registry-Agnostic Architecture
Root delivers patched artifacts to YOUR existing registry—Docker Hub, AWS ECR, GCR, Harbor, or any OCI-compliant registry. No migration to cgr.dev. No vendor lock-in. No registry dependency. We're a remediation layer, not a registry replacement.
04
Pinned Version Patch Support
Still running Python 3.8? Node 14? Java 8? Root patches your pinned versions, including EOL and LTS releases. Chainguard tells you to upgrade to latest or accept the CVEs. Root backports the fix to the version you're actually running—no forced upgrades, no compatibility testing, no rewrites.





