
Directly patch container image vulnerabilities
copa is an open source CLI tool, written in Go and built on BuildKit, that patches container images directly, without a full rebuild. It can also patch images using the vulnerability scan results produced by popular scanners such as Trivy.

Direct Vulnerability Patching
Patches container images without a full rebuild: copa adds a lightweight patch layer on top of the existing image.

Multi-Package Manager Support
Supports multiple package managers, covering a wide range of base images like Alpine, Debian, Ubuntu, RHEL and many more.

Multi-Platform Support
Copa can automatically detect and patch multi-platform images across all supported platforms or target specific architectures.

Distroless Image Support
Copacetic also supports patching distroless images based on DPKG or RPM by spinning up a separate build tooling container.

Ecosystem & Scanner Compatible
Built-in Trivy support plus support for third-party scanners; usable in any CI/CD pipeline, and a Docker Desktop extension is available.
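The scan-then-patch workflow described above, written out as an added shell example that is not part of the Copa project's own code. It assumes trivy and copa are on the PATH and that a BuildKit instance is reachable (copa's defaults, per its documentation); the image reference, tag and the Trivy-style JSON report are constructed sample values, and the pre-check counts only findings with a FixedVersion, since copa patches by upgrading OS packages and cannot act on findings without a fix.

```shell
#!/bin/sh
# Added example, not Copa project code. Assumes trivy and copa are installed and
# a BuildKit instance is reachable (copa's default discovery via the Docker daemon
# or docker buildx; see the copa docs for the --addr flag).
set -eu

IMAGE="${IMAGE:-docker.io/library/nginx:1.21.6}"   # assumed sample image reference
TAG="${TAG:-1.21.6-patched}"                        # tag copa gives the patched image
REPORT="${REPORT:-./trivy-report.json}"

# Write a constructed Trivy-style JSON report (not real scanner output) so the
# fixable-finding pre-check can be exercised without running a scanner.
# Vulnerability IDs are placeholders, not real CVE numbers.
write_sample_report() {
    cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "nginx:1.21.6 (debian 11.3)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        { "VulnerabilityID": "PLACEHOLDER-CVE-1", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1n-0+deb11u1", "FixedVersion": "1.1.1n-0+deb11u3" },
        { "VulnerabilityID": "PLACEHOLDER-CVE-2", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.11.dfsg-2", "FixedVersion": "1:1.2.11.dfsg-2+deb11u1" },
        { "VulnerabilityID": "PLACEHOLDER-CVE-3", "PkgName": "libc6", "InstalledVersion": "2.31-13+deb11u3" }
      ]
    }
  ]
}
EOF
}

# Count findings that carry a FixedVersion. Only these are actionable for copa,
# which patches by upgrading OS packages; unfixed findings stay after patching.
fixable_count() {
    grep -c '"FixedVersion"' "$1" || true
}

# Scan OS packages only and drop unfixed findings: exactly the subset copa consumes.
scan_image() {  # $1 = image reference, $2 = output report path
    trivy image --vuln-type os --ignore-unfixed -f json -o "$2" "$1"
}

# Apply the report with copa; the patched image is tagged with $3.
patch_image() {  # $1 = image reference, $2 = report path, $3 = new tag
    copa patch -i "$1" -r "$2" -t "$3"
}

main() {
    if ! command -v trivy >/dev/null 2>&1 || ! command -v copa >/dev/null 2>&1; then
        echo "trivy and copa are required for the live run; skipping" >&2
        return 0
    fi
    scan_image "$IMAGE" "$REPORT"
    n=$(fixable_count "$REPORT")
    if [ "$n" -eq 0 ]; then
        echo "no fixable OS vulnerabilities in $IMAGE; nothing to patch"
        return 0
    fi
    patched="${IMAGE%:*}:$TAG"   # strip the original tag, keep any registry port
    echo "$n fixable OS findings; patching $IMAGE -> $patched"
    patch_image "$IMAGE" "$REPORT" "$TAG"
    # Rescan the patched image: the fixable findings should now be gone.
    trivy image --vuln-type os --ignore-unfixed "$patched"
}

main "$@"
```

Rescanning the patched tag is the check worth keeping in a pipeline: findings that survive are either unfixed upstream (copa cannot help) or in application code rather than OS packages, which is outside what a package-upgrade layer can address.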
Adopted by

Azure Container Registry (ACR) Continuous Patching uses Copa to automate the detection and remediation of vulnerabilities in container images.

Kubescape (CNCF incubating) uses Copa to patch container images using the Grype image scanning tool.

Devtron uses Copa to patch container image vulnerabilities found by the security scan performed on the image.

Helmper uses Copa to patch container images used in Helm charts.
Featured Talks
Session Presentation at KubeCon North America 2024
Session Presentation at OpenSSF SOSS Fusion Conference 2024
Project lightning talk at KubeCon North America 2024
Copacetic is a Cloud Native Computing Foundation Sandbox project