This guide walks through subscribing to an image in Root Image Catalog, authenticating to cr.root.io, pulling a secure image, and verifying its patch coverage.

Prerequisites

  • Docker Desktop (macOS) or Docker Engine (Linux) installed and running
  • Access to Root Image Catalog — contact Root to get credentials
  • A scanner for verification (recommended: Trivy, installed with: brew install trivy)

Step 1: Subscribe to an Image

  1. Open Image Catalog in the Root platform UI
  2. Find the image family you want (for example, Python 3.12)
  3. Click Subscribe
  4. Verify it appears in your Inventory

Step 2: Authenticate to cr.root.io

Generate an API token from the Root UI, then authenticate Docker:

    export ROOT_TOKEN="your-token-here"
    echo "$ROOT_TOKEN" | docker login cr.root.io -u root --password-stdin

You can also use Configure Catalog Access in the Root UI for step-by-step credential instructions.

Step 3: Pull a Secure Image

Replace your existing image reference with the Root equivalent. Tags are identical:

    # Standard image
    docker pull python:3.12

    # Root secure image — same tag, zero Critical/High CVEs
    docker pull cr.root.io/python:3.12

Step 4: Update Your Dockerfile

    # Before
    FROM python:3.12

    # After
    FROM cr.root.io/python:3.12

No other changes required.

Step 5: Verify with Trivy

Run a side-by-side scan to confirm vulnerability reduction:

    # Scan the standard image
    trivy image python:3.12
    # Typical result: ~1,300 vulnerabilities

    # Scan the Root image
    trivy image cr.root.io/python:3.12
    # Typical result: zero Critical/High vulnerabilities

Some low-severity findings may still appear in scanner output. Download the SBOM and VEX artifacts from the Root UI or API to provide auditors with full remediation documentation — VEX statements tell scanners like Trivy which findings are fixed and why they’re not exploitable.
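To turn the Step 5 comparison into a repeatable check, the following added example (not part of Root's or Trivy's own tooling) parses reports saved with `trivy image --format json` and fails when any Critical or High finding remains. The two embedded reports are constructed samples, and the CVE ids and package names in them are placeholders.

```python
import json
from collections import Counter

# Constructed sample reports in the shape of `trivy image --format json` output.
# CVE ids and package names are placeholders, not real findings.
STANDARD_REPORT = json.dumps({
    "ArtifactName": "python:3.12",
    "Results": [
        {"Target": "python:3.12 (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother", "Severity": "LOW"},
        ]},
        {"Target": "Python", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplepkg", "Severity": "HIGH"},
        ]},
    ],
})
ROOT_REPORT = json.dumps({
    "ArtifactName": "cr.root.io/python:3.12",
    "Results": [
        {"Target": "cr.root.io/python:3.12 (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother", "Severity": "LOW"},
        ]},
        {"Target": "Python"},  # the key is absent when a target has no findings
    ],
})

def severity_counts(report_json):
    """Count findings per severity across every target in a Trivy JSON report."""
    counts = Counter()
    for result in json.loads(report_json).get("Results") or []:
        # "Vulnerabilities" may be missing or null, so fall back to an empty list.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts

def blocked_findings(report_json, blocked=("CRITICAL", "HIGH")):
    """Return (id, package, severity) for each finding at a blocked severity."""
    return [(v["VulnerabilityID"], v["PkgName"], v["Severity"])
            for r in json.loads(report_json).get("Results") or []
            for v in r.get("Vulnerabilities") or []
            if v.get("Severity") in blocked]

if __name__ == "__main__":
    for name, report in (("standard", STANDARD_REPORT), ("root", ROOT_REPORT)):
        verdict = "FAIL" if blocked_findings(report) else "PASS"
        print(name, dict(severity_counts(report)), verdict)
```

In a pipeline, replace the embedded samples with the contents of the report files Trivy writes and exit non-zero when `blocked_findings` returns anything.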

Next Steps