Copa, short for Copacetic, is an open-source tool for patching known vulnerabilities in container images. Given the results of a vulnerability scan, it applies the package updates needed to fix those findings directly to an existing image.
This lets a container image be patched quickly, without waiting for the upstream publisher to rebuild it, so that the fixed image can be redeployed as soon as possible.
The maintainers of Copa say that its method of patching vulnerabilities offers several benefits. For one, it allows users to patch container images even if they weren’t the original publishers of the image.
It also reduces storage and transfer costs, since patching adds a single extra layer on top of the existing image rather than producing a fully rebuilt one.
It works in three steps: it parses the vulnerability report produced by a scanner such as Trivy to find the operating-system packages that have a fixed version available, it obtains those updated packages with the image's own package manager, and it uses BuildKit to apply the updated package files to the image as a new layer. Vulnerabilities in application-level dependencies, and OS packages for which no fixed version has been released, are outside what this process can patch.
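As an added illustration of the first step (example code written for this page, not Copa's own implementation), the following Python selects the patchable findings from a report in Trivy's JSON layout and builds the package-manager command that a patch layer would run. The report is constructed for the example and its CVE identifiers are placeholders; the per-family package-manager invocations in `PKG_MANAGER_UPDATE` are this example's assumptions, not how Copa invokes them.

```python
"""Pick the OS-package fixes out of a Trivy-format JSON report and build the update command.

Added example; not part of Copa. The report layout follows Trivy's JSON output
(Metadata.OS.Family, Results[].Class, Results[].Vulnerabilities[].FixedVersion).
"""
import json
from collections import defaultdict

# Constructed report for the example (not from a real scan); CVE IDs are placeholders.
SAMPLE_REPORT = """
{
  "Metadata": {"OS": {"Family": "debian", "Name": "11.3"}},
  "Results": [
    {
      "Target": "example:1.0 (debian 11.3)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1n-0+deb11u2", "FixedVersion": "1.1.1n-0+deb11u4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1n-0+deb11u2", "FixedVersion": "1.1.1n-0+deb11u3", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib1g",
         "InstalledVersion": "1:1.2.11.dfsg-2", "FixedVersion": "1:1.2.11.dfsg-2+deb11u1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "bash",
         "InstalledVersion": "5.1-2+deb11u1", "FixedVersion": "", "Severity": "LOW"}
      ]
    },
    {
      "Target": "app/requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "requests",
         "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "MEDIUM"}
      ]
    }
  ]
}
"""

# Assumed per-family package-manager invocations (illustrative, not Copa's own).
PKG_MANAGER_UPDATE = {
    "debian": "apt-get update && apt-get install -y --no-install-recommends",
    "ubuntu": "apt-get update && apt-get install -y --no-install-recommends",
    "alpine": "apk add --no-cache --upgrade",
}


def select_os_updates(report_text):
    """Return what a patch step can and cannot fix from a scan report.

    Only findings of class "os-pkgs" with a non-empty FixedVersion can be fixed by
    the image's package manager. Language packages and unfixed CVEs are reported
    separately so the caller knows what still needs an upstream rebuild.
    """
    report = json.loads(report_text)
    family = report.get("Metadata", {}).get("OS", {}).get("Family", "")
    updates = defaultdict(set)
    unfixed, non_os = [], []
    for result in report.get("Results", []):
        vulns = result.get("Vulnerabilities") or []
        if result.get("Class") != "os-pkgs":
            non_os.extend(v["PkgName"] for v in vulns)  # pip/npm/etc.: not an OS package
            continue
        for v in vulns:
            if not v.get("FixedVersion"):
                unfixed.append(v["PkgName"])  # no fix released; nothing to install
                continue
            updates[v["PkgName"]].add(v["FixedVersion"])
    return {
        "family": family,
        # Several CVEs may name different fixed versions of one package; keep them
        # all so a post-patch rescan can confirm the installed version satisfies each.
        "updates": {pkg: sorted(vs) for pkg, vs in sorted(updates.items())},
        "unfixed": sorted(set(unfixed)),
        "non_os": sorted(set(non_os)),
    }


def build_update_command(selection):
    """Build the shell command the patch layer would run, or None if nothing is patchable."""
    if not selection["updates"]:
        return None
    try:
        verb = PKG_MANAGER_UPDATE[selection["family"]]
    except KeyError:
        raise ValueError(f"unsupported OS family: {selection['family']!r}") from None
    return f"{verb} {' '.join(selection['updates'])}"


if __name__ == "__main__":
    sel = select_os_updates(SAMPLE_REPORT)
    print("patch command:", build_update_command(sel))
    print("still need a rebuild -> unfixed OS packages:", sel["unfixed"],
          "language packages:", sel["non_os"])
```

Running the script on the constructed report yields an `apt-get` command for `libssl1.1` and `zlib1g` only; `bash` (no fixed version) and `requests` (a pip package) are listed as leftovers. That split is the caveat to keep in mind with this patching approach: after patching, rescan the new image with the same scanner to confirm the OS findings are gone, and treat anything still listed as a reason to schedule an upstream rebuild.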
Copa is currently a Sandbox project at the Cloud Native Computing Foundation. It was accepted into the organization last September. As of the time of this writing, it has 765 stars on GitHub.