docs: add Root.io documentation

- Add Root.io documentation in others directory
- Update vulnerability scanner data sources to include Root.io
- Add Root.io to mkdocs navigation
- Update others index to include Root.io images
knqyf263
2025-06-26 12:26:45 +04:00
parent 2ed3d7e6c2
commit 3b54435520
4 changed files with 24 additions and 0 deletions


@@ -15,6 +15,7 @@ Trivy supports them for
| [Bitnami packages](bitnami.md) | `/opt/bitnami/<component>/.spdx-<component>.spdx` | ✅ | ✅ | - | - |
| [Conda](conda.md) | `<conda-root>/envs/<env>/conda-meta/<package>.json` | ✅ | ✅ | - | - |
| | `environment.yml` | - | - | ✅ | ✅ |
| [Root.io images](rootio.md) | - | ✅ | ✅ | - | - |
| [RPM Archives](rpm.md) | `*.rpm` | ✅[^5] | ✅[^5] | ✅[^5] | ✅[^5] |
[sbom]: ../../supply-chain/sbom.md
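Review bot: In the added `Root.io images` row the file-path column is `-`, which gives readers no hint of what triggers detection, unlike the Bitnami and Conda rows above it that name a concrete path. Since the new rootio.md says detection keys on package version suffixes, consider replacing `-` with a short pointer such as "detected by package version suffix", or add a footnote that links to that page.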


@@ -0,0 +1,20 @@
# Root.io
!!! warning "EXPERIMENTAL"
Scanning results may be inaccurate.
While it is not an OS, this page describes the details of [Root.io](https://root.io/) patch distribution service.
Root.io provides security patches for [Debian](../os/debian.md), [Ubuntu](../os/ubuntu.md), and [Alpine](../os/alpine.md)-based container images.
Root.io patches are detected when Trivy finds packages with specific version suffixes:
- **Debian/Ubuntu**: packages with `.root.io` in version string
- **Alpine**: packages with `-r\d007\d` pattern in version string (e.g., `-r10071`, `-r20072`)
When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection.
Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.
For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:
- [Debian](../os/debian.md)
- [Ubuntu](../os/ubuntu.md)
- [Alpine](../os/alpine.md)
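Review bot: The detection rules in the two bullets are underspecified for a check that changes which advisory source is used. `.root.io` "in version string" and `-r\d007\d` do not say whether the match is anchored to the end of the version, and the text does not say whether a single matching package switches the whole scan to Root.io mode or how packages without the suffix in the same image are then evaluated. State the anchoring and the per-package versus per-image behaviour explicitly, and say what "may be inaccurate" in the warning means in practice (missed findings, false positives, or both).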


@@ -37,6 +37,7 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
| Azure Linux (CBL-Mariner) | [OVAL][azure] |
| OpenSUSE/SLES | [CVRF][suse] |
| Photon OS | [Photon Security Advisory][photon] |
| Root.io | [Root.io Patch Feed][rootio] |
#### Data Source Selection
Trivy **only** consumes security advisories from the sources listed in the above table.
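Review bot: The new `Root.io` row sits in the OS data-source table directly above the sentence "Trivy **only** consumes security advisories from the sources listed in the above table", but rootio.md describes Root.io as not an OS and marks its scanning as experimental. Add a footnote or an "(experimental)" marker on this row, and note that the feed applies only when Root.io-patched packages are detected, so readers do not take it as a source consulted on every scan.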
@@ -394,6 +395,7 @@ Example logic for the following vendor severity levels when scanning an Alpine i
[suse]: http://ftp.suse.com/pub/projects/security/cvrf/
[photon]: https://packages.vmware.com/photon/photon_cve_metadata/
[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
[rootio]: https://api.root.io/external/patch_feed
[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
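Review bot: The `[rootio]` reference points at an API endpoint (`https://api.root.io/external/patch_feed`), whereas neighbouring entries such as `[azure]` and `[suse]` link to a repository or a browsable directory. Confirm that this URL is reachable without credentials and is the address the project intends to publish, or link to a page that documents the feed format so users can audit the advisory data.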


@@ -117,6 +117,7 @@ nav:
- Overview: docs/coverage/others/index.md
- Bitnami Images: docs/coverage/others/bitnami.md
- Conda: docs/coverage/others/conda.md
- Root.io Images: docs/coverage/others/rootio.md
- RPM Archives: docs/coverage/others/rpm.md
- Kubernetes: docs/coverage/kubernetes.md
- Configuration: