Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.root.io/llms.txt

Use this file to discover all available pages before exploring further.

This guide walks through subscribing to an image in Root Image Catalog, authenticating to cr.root.io, pulling a secure image, and verifying its patch coverage.

Prerequisites

  • Docker Desktop (macOS) or Docker Engine (Linux) installed and running
  • Access to Root Image Catalog - contact Root to get credentials
  • A scanner for verification (recommended: Trivy - brew install trivy)

Step 1: Subscribe to an Image

Subscribing to an image activates continuous scanning, SLA-backed remediation, and notifications for that image. Root will begin monitoring it for new CVEs and automatically patch them according to the remediation SLA.*
  1. Open Image Catalog in the Root platform UI
  2. Find the image family you want (for example, Python 3.12)
  3. Click Subscribe
  4. Verify it appears in your Inventory
* Continuous scanning, SLA-backed remediation, and notifications are available on paid plans only and are not included in free trials.

Step 2: Authenticate to cr.root.io

Generate an API token from the Root UI, then authenticate Docker: 
export ROOT_TOKEN="your-token-here"
echo "$ROOT_TOKEN" | docker login cr.root.io -u root --password-stdin
You can also use Configure Catalog Access in the Root UI for step-by-step credential instructions.

Step 3: Pull a Secure Image

Replace your existing image reference with the Root equivalent. Tags are identical: 
# Standard image
docker pull python:3.12

# Root secure image - same tag, zero Critical/High CVEs
docker pull cr.root.io/python:3.12

Step 4: Update Your Dockerfile

# Before
FROM python:3.12

# After
FROM cr.root.io/python:3.12
No other changes required.

Step 5: Verify with Trivy

Run a side-by-side scan to confirm vulnerability reduction: 
# Scan the standard image
trivy image python:3.12
# Typical result: ~1,300 vulnerabilities

# Scan the Root image
trivy image cr.root.io/python:3.12
# Typical result: zero Critical/High vulnerabilities
Some low-severity findings may still appear in scanner output. Download the SBOM and VEX artifacts from the Root UI or API to provide auditors with full remediation documentation - VEX statements tell scanners like Trivy which findings are fixed and why they’re not exploitable.

Next Steps

Supported Images

See all available image families and tags.

Root Patches for Images

Learn how patches are applied and what artifacts ship with each image.