Skip to content

Adoption & Ecosystem

Who uses it

The organizations below are listed on the project's adopters page (accessed 2026-06-28). They are split by how they integrate Copa: as a CLI called from another tool, or through the GitHub Action. This deep-dive lists only what that page cites and does not add others.

OrganisationUse caseSource
KubescapePatches images via Copa, using Grype for the scan stepadopters page
DevtronCopacetic plugin in its CI/CD pipelinesadopters page
HelmperPatches images referenced inside Helm chartsadopters page
VerityUses the Copa CLIadopters page
AKS Periscope, Azure Workload Identity, AI Kit, UnoplatUse the Copa GitHub Actionadopters page

Adoption signals

As of 2026-06-28 (gh repo view project-copacetic/copacetic): 1,652 stars and 120 forks. The GitHub contributors API paginates to roughly 48 contributors. The project is a CNCF Sandbox project (accepted 2023-09-19) and displays the OpenSSF Best Practices badge (project 8031) and an OpenSSF Scorecard badge in its README (src/README.md:5-6). Releases are tagged regularly, with v0.14.1 on 2026-05-18 and the documented commit 0f6f0ab on main after it.

Ecosystem

Copa sits between a scanner and a container runtime or registry. Its built-in report parser handles Trivy; other scanners integrate through copa-<scanner> plugin binaries, which is how Grype-based flows work (src/pkg/report/report.go:52-55). Around the core CLI the project ships copa-action for GitHub Actions and a Docker Desktop Extension for a GUI flow. On output it can load into Docker or Podman, push to a registry, or write a local OCI layout, and it emits OpenVEX documents describing what it patched.

Alternatives

Copa's distinction is that it patches an existing image as an additive layer, driven by a scanner report, and can be run by someone who is not the image publisher.

AlternativeDiffers by
Rebuild on an updated base imageProduces a clean image but requires the Dockerfile and build context and controlling the publish pipeline; Copa patches when you have neither
Chainguard / Wolfi imagesRemediate by shipping a freshly rebuilt minimal base rather than patching an existing image; Copa extends the life of an image already in use (src/README.md:29-54)
apt upgrade in a derived DockerfileUpdates every outdated package and rebuilds the layer; Copa touches only the packages the scanner flagged and keeps the change to one layer