Getting Started With Root Images Catalog

Root Image Catalog provides drop-in replacements for popular open source images, with a goal of zero Critical/High CVEs. This quick start walks you through subscribing to a project, authenticating to the Root container registry (cr.root.io), pulling images, and verifying vulnerability reduction with Trivy.

1) Prerequisites

  • Entitlements: Your account must have access to the Root Images Catalog (unlimited access to the catalog).
  • Docker: Docker Desktop (macOS) or Docker Engine (Linux) installed and running.
  • Organization access: You can access the correct Organization (for example, GTM demo) with the required billing tier and ecosystems enabled.
  • Scanner (recommended): Install Trivy.
    • macOS (Homebrew): brew install trivy

2) Access & Authentication

Subscribe to a project

  1. In the Root UI, open Image Catalog.
  2. Select a project (for example, Python 3.12) and click Subscribe.
  3. Confirm it appears in your Inventory.

Authenticate (Docker login)

You can generate credentials from the UI or use an API token.

Option A: UI-generated credentials

In the Root UI, click Configure Catalog Access (or Get the fix) and follow the generated instructions.

Option B: API token (terminal)

  1. Generate an API token in the Root UI.

  2. Log in to the Root container registry using stdin to avoid placing the token in your shell history:

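    # Paste the token at the silent prompt; it is never typed on a command line, so it stays out of shell history.
    read -rs ROOT_TOKEN
    printf '%s' "$ROOT_TOKEN" | docker login cr.root.io -u root --password-stdin
    unset ROOT_TOKEN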

3) Pulling and using images

Update your Dockerfile (or pull commands) to use Root images instead of public base images.

  • Standard: docker pull python:3.12
  • Root: docker pull cr.root.io/python:3.12

4) Verification (Trivy scan)

Run a side-by-side scan to validate security improvements.

Note: the first Trivy run may take longer while it downloads its vulnerability database.

Scan a standard image

    trivy image python:3.12

Typical result: a high vulnerability count (for example, ~1300 total).

Scan the Root image

    trivy image cr.root.io/python:3.12

Typical result: a significant reduction (for example, ~656 lows), targeting zero criticals/highs.
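
One way to turn the side-by-side scan into a repeatable check, as an added example (not Root's or Trivy's own code): it tallies severities from two reports saved with `trivy image --format json --output <file> <image>` and exits non-zero when the Root image still has Critical or High findings. The embedded reports, CVE IDs and package names are constructed placeholders, and the function names are this example's own.

```python
import json
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
BLOCKING = ("CRITICAL", "HIGH")  # the catalog's stated goal is zero of these

# Constructed sample reports (placeholder IDs and package names, not real scan
# output), shaped like the JSON that `trivy image --format json` writes.
SAMPLE_STANDARD = {"Results": [
    {"Target": "python:3.12 (debian)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "exampletool", "Severity": "LOW"}]},
    {"Target": "Python", "Vulnerabilities": None}]}
SAMPLE_ROOT = {"Results": [
    {"Target": "cr.root.io/python:3.12 (debian)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "exampletool", "Severity": "LOW"}]}]}

def severity_counts(report):
    """Count findings per severity across every target in one Trivy JSON report."""
    counts = Counter()
    # "Results" / "Vulnerabilities" may be absent or null when nothing was found.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
    return counts

def compare(standard, root):
    """Return {severity: (standard_count, root_count)} for a side-by-side view."""
    a, b = severity_counts(standard), severity_counts(root)
    return {sev: (a[sev], b[sev]) for sev in SEVERITIES}

def passes_gate(report):
    """True only when the report has no CRITICAL or HIGH findings."""
    counts = severity_counts(report)
    return all(counts[sev] == 0 for sev in BLOCKING)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two report paths: standard image first, Root image second
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            standard, root = json.load(f1), json.load(f2)
    else:  # no arguments: fall back to the constructed samples
        standard, root = SAMPLE_STANDARD, SAMPLE_ROOT
    for sev, (before, after) in compare(standard, root).items():
        print(f"{sev:<9} standard={before:<5} root={after}")
    sys.exit(0 if passes_gate(root) else 1)
```

Run it with the two saved report paths as arguments; the non-zero exit status lets a CI job fail when a Critical or High finding appears in the Root image.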

Proving remediation to scanners

Root integrates with most popular scanners (Trivy, Aikido, etc.) so that they recognize remediated packages. You can also download SBOM and VEX artifacts from the Root UI for audit and proof workflows.