Skip to main content
Root Image Catalog (RIC) provides secure container images that work as drop-in replacements for Docker Hub images. You get the same images - Python, Node, Nginx, Redis, and more - with CVEs remediated, continuously maintained, and delivered with zero Critical/High vulnerabilities.

What Root Image Catalog Provides

  • The same images you pull from Docker Hub today - same tags, same behavior
  • CVEs remediated - typically 2+ Critical and 15+ High vulnerabilities reduced to zero
  • Continuously maintained - when new CVEs are disclosed, AVR patches them automatically
  • SLA-backed remediation - Critical CVEs patched within hours, not days or weeks
  • No breaking changes - same tags, same compatibility, no ecosystem migration required

Who Should Use RIC

Root Image Catalog is for teams that:
  • Need secure base images without rebuilding applications
  • Want continuous security maintenance without manual patching
  • Can’t absorb breaking changes from forced upstream upgrades
  • Need verifiable security artifacts (SBOM, VEX, provenance) for compliance

RIC vs. Standard Images

vs. Official Images (Docker Hub)

vs. Other Secure Image Providers

Continuous Maintenance

Root Image Catalog provides ongoing security coverage - not a one-time snapshot:
  • Automatic scanning - all subscribed images are scanned continuously for new CVEs
  • Automatic patching - when new vulnerabilities are detected, AVR remediates them without any action on your part
  • Same tags maintained - updated images keep the same tags, so your existing references stay valid
  • SLA-backed - Critical CVEs remediated within hours; High within 14 days; Medium within 60 days
See Vulnerability Statuses for the full SLA breakdown.

Security Artifacts

Every image from cr.root.io ships with:
  • SBOM - complete inventory of all components and their versions, including patched packages
  • VEX statement - records which CVEs were fixed and confirms non-exploitability of others
  • Provenance - cryptographic attestation proving the image came from Root’s AVR pipeline

Get Started

Authenticate and pull your first secure image.

Supported Images

Browse available image families and tags.