Usually, my pieces about open source platform engineering projects are deep dives into fairly big name tools that are at an interesting point in their lifecycle, but every now and then I find a hidden gem that I'm surprised everyone isn't using because it fixes a problem almost everyone has: Copa is one of those.
It's still in the CNCF sandbox but gearing up for incubation, and with the Cyber Resilience Act looming on the horizon for anyone who sells into the EU (and, frankly, the state of the world), if you have containers with known vulnerabilities, you need a way to always be patching...
Or as Mark Russinovich said when he shared my piece on LinkedIn, "the ability to patch at scale is no longer optional; it’s a requirement for survival".
I first came across Project Copacetic (Copa for short) in @markrussinovich.bsky.social's keynotes about Azure, where they use it to patch vulns in millions of container images a month, both internally and for Azure users, and I thought 'doesn't everyone with container images need to do this?'
That's exactly what the Copa team (who also worked on tools like Radius and Dapr) thought, and when they open sourced it, other tools like Kubescape started to use it and @descope.com built a whole self-patching registry on top of it.
Copa doesn't create patches, but as soon as there is a patch for an issue Trivy (or another scanner) finds, it can apply it as a patch layer, so you don't have to wait for an official image or even an image rebuild; it does OS patches, distroless images, and now app runtime patches for Node.js, Python, .NET and Go.
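As an added example (not from the post or the Copa project), here is how a pipeline step around Copa might read Trivy's JSON output: it separates findings that already have an upstream fix, which is what Copa can apply as a patch layer, from those that don't and so still need tracking. The report, image name and CVE ids are constructed placeholders.

```python
"""Triage a Trivy JSON report the way a Copa patching step would.
Copa only applies fixes that already exist upstream, so findings without
a FixedVersion are out of its reach and must be tracked separately."""
import json
from collections import defaultdict

# Constructed sample in Trivy's JSON schema; image name and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
             # No FixedVersion: nothing exists yet for Copa to apply.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
              "InstalledVersion": "2.36-9", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "CRITICAL"},
         ]},
    ],
})


def triage(report_json):
    """Return {class: {"fixable": [...], "unfixed": [...]}} from a Trivy JSON report.

    Each entry is (id, package, installed, fixed_or_None); class is Trivy's
    "os-pkgs" / "lang-pkgs", mirroring OS versus app-runtime patching."""
    report = json.loads(report_json)
    out = defaultdict(lambda: {"fixable": [], "unfixed": []})
    for result in report.get("Results", []):
        bucket = out[result.get("Class", "unknown")]
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            entry = (vuln["VulnerabilityID"], vuln["PkgName"],
                     vuln["InstalledVersion"], vuln.get("FixedVersion"))
            bucket["fixable" if vuln.get("FixedVersion") else "unfixed"].append(entry)
    return dict(out)


def patch_gate(report_json):
    """Gate for the rescan after patching: pass only when no fixable findings remain."""
    return all(not b["fixable"] for b in triage(report_json).values())


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    print("gate passes:", patch_gate(SAMPLE_REPORT))
```

Running the gate on the rescan of the patched image, rather than on the original report, is what tells you the patch layer actually closed everything that had a fix.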