Root Image Catalog (RIC) provides secure container images that work as drop-in replacements for Docker Hub images. You get the same images - Python, Node, Nginx, Redis, and more - with CVEs remediated, continuously maintained, and delivered with zero Critical/High vulnerabilities.

What Root Image Catalog Provides

  • The same images you pull from Docker Hub today - same tags, same behavior
  • CVEs remediated - typically 2+ Critical and 15+ High vulnerabilities reduced to zero
  • Continuously maintained - when new CVEs are disclosed, AVR patches them automatically
  • SLA-backed remediation - Critical CVEs patched within hours, not days or weeks
  • No breaking changes - same tags, same compatibility, no ecosystem migration required

Who Should Use RIC

Root Image Catalog is for teams that:
  • Need secure base images without rebuilding applications
  • Want continuous security maintenance without manual patching
  • Can’t absorb breaking changes from forced upstream upgrades
  • Need verifiable security artifacts (SBOM, VEX, provenance) for compliance

RIC vs. Standard Images

vs. Official Images (Docker Hub)

| | Docker Hub | Root Image Catalog |
|---|---|---|
| Vulnerability count | 2+ Critical, 15+ High on average | Zero Critical/High |
| Patching | Manual - your responsibility | Automatic via AVR |
| Remediation SLA | None | Critical CVEs within hours |
| Security artifacts | None | SBOM, VEX, Provenance |

vs. Other Secure Image Providers

| | Other Providers | Root Image Catalog |
|---|---|---|
| Approach | Rebuild from source | Patch in place |
| Breaking changes | Possible | None - drop-in replacement |
| Registry migration | Required | Not required |
| Version support | Limited | Universal - any version you’re running |
| Ecosystem changes | Required | None |

Continuous Maintenance

Root Image Catalog provides ongoing security coverage - not a one-time snapshot:
  • Automatic scanning - all subscribed images are scanned continuously for new CVEs
  • Automatic patching - when new vulnerabilities are detected, AVR remediates them without any action on your part
  • Same tags maintained - updated images keep the same tags, so your existing references stay valid
  • SLA-backed - Critical CVEs remediated within hours; High within 14 days; Medium within 60 days
See Vulnerability Statuses for the full SLA breakdown.

Security Artifacts

Every image from cr.root.io ships with:
  • SBOM - complete inventory of all components and their versions, including patched packages
  • VEX statement - records which CVEs were fixed and confirms non-exploitability of others
  • Provenance - cryptographic attestation proving the image came from Root’s AVR pipeline