# Install copa with Homebrew

Tool to directly patch container images given the vulnerability scanning results. Version 0.14.2 via Homebrew; verified 2026-07-03.

## Install

```sh
sudo av install brew:copa
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install copa
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:copa
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/copa>
- **Version:** 0.14.2
- **Source summary:** Tool to directly patch container images given the vulnerability scanning results
- **Homepage:** <https://project-copacetic.github.io/copacetic/>
- **Repository:** <https://github.com/project-copacetic/copacetic>
- **Upstream docs:** <https://project-copacetic.github.io/copacetic>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/project-copacetic/copacetic/archive/refs/tags/v0.14.2.tar.gz>
- **Last updated:** 2026-07-03T03:35:43Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- copa (cli)
- copa (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.14.2
- Package-manager updated: 2026-07-03
- Local data: ok
- Upstream repository: https://github.com/project-copacetic/copacetic
- Upstream latest detected: v0.14.2 (current)
## Project history and usage

Copa is the CLI for Project Copacetic, a Go and BuildKit-based tool for patching vulnerable container images without doing a full image rebuild.

### Project history

The official repository was created in January 2023 and released v0.1.0 the next day. The project developed around direct vulnerability patching: adding a patch layer to existing images based on scanner output rather than forcing users to rebuild from source.

### Adoption history

The official site identifies Copacetic as a CNCF Sandbox project and lists ecosystem adoption by Azure Container Registry Continuous Patching, Kubescape, Devtron, and Helmper. It also documents featured talks at KubeCon North America 2024 and OpenSSF SOSS Fusion Conference 2024.

### How it is used

Copa is commonly used in CI/CD and image-maintenance workflows. It consumes vulnerability scanning results, has built-in Trivy support, supports third-party scanners, and patches images across multiple Linux package-manager families and platforms.

### Why package nerds care

For package and container maintainers, Copa sits at the boundary between OS package updates and container distribution. It is interesting because it turns package-manager-level remediation into a post-build image operation, which can reduce rebuild churn for downstream image consumers.

### Timeline

- 2023: Official GitHub repository created.
- 2023: v0.1.0 released.
- 2024: Project featured in KubeCon and OpenSSF talks listed by the official site.
- 2026: Official site lists Copacetic as a CNCF Sandbox project.

### Related projects

- Official documentation connects Copa with BuildKit, Trivy, Azure Container Registry Continuous Patching, Kubescape, Devtron, and Helmper.

### Sources

- <https://project-copacetic.github.io/copacetic/website/>
- <https://github.com/project-copacetic/copacetic>
- <https://github.com/project-copacetic/copacetic/releases>
- <https://api.github.com/repos/project-copacetic/copacetic>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** copa
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, containers, security, vulnerability-scanning.
- [vexctl](https://www.automicvault.com/pkg/brew/vexctl/) - Shares av.db curated category or tags: cli, security, vulnerability-management.
- [xeol](https://www.automicvault.com/pkg/brew/xeol/) - Shares av.db curated category or tags: cli, security, vulnerability-management.
- [bubblewrap](https://www.automicvault.com/pkg/brew/bubblewrap/) - Shares av.db curated category or tags: cli, containers, security.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [dalfox](https://www.automicvault.com/pkg/brew/dalfox/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [dependency-check](https://www.automicvault.com/pkg/brew/dependency-check/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, container, containers, images, scanning.

## Combined YAML source

View the package source record on GitHub. [combined/copa.yml](https://github.com/automic-vault/db/blob/main/combined/copa.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
