> ## Documentation Index > Fetch the complete documentation index at: https://docs.root.io/llms.txt > Use this file to discover all available pages before exploring further. # Root Image Catalog Overview > Secure container images at cr.root.io - drop-in replacements for Docker Hub with zero Critical/High CVEs, continuously maintained by AVR. Root Image Catalog (RIC) provides secure container images that work as drop-in replacements for Docker Hub images. You get the same images - Python, Node, Nginx, Redis, and more - with CVEs remediated, continuously maintained, and delivered with zero Critical/High vulnerabilities. ## What Root Image Catalog Provides * **The same images** you pull from Docker Hub today - same tags, same behavior * **CVEs remediated** - typically 2+ Critical and 15+ High vulnerabilities reduced to zero * **Continuously maintained** - when new CVEs are disclosed, AVR patches them automatically * **SLA-backed remediation** - Critical CVEs patched within hours, not days or weeks * **No breaking changes** - same tags, same compatibility, no ecosystem migration required ## Who Should Use RIC Root Image Catalog is for teams that: * Need secure base images without rebuilding applications * Want continuous security maintenance without manual patching * Can't absorb breaking changes from forced upstream upgrades * Need verifiable security artifacts (SBOM, VEX, provenance) for compliance ## RIC vs. Standard Images ### vs. Official Images (Docker Hub) | | Docker Hub | Root Image Catalog | | ------------------- | -------------------------------- | -------------------------- | | Vulnerability count | 2+ Critical, 15+ High on average | Zero Critical/High | | Patching | Manual - your responsibility | Automatic via AVR | | Remediation SLA | None | Critical CVEs within hours | | Security artifacts | None | SBOM, VEX, Provenance | ### vs. Other Secure Image Providers | | Other Providers | Root Image Catalog | | ------------------ | ------------------- | -------------------------------------- | | Approach | Rebuild from source | Patch in place | | Breaking changes | Possible | None - drop-in replacement | | Registry migration | Required | Not required | | Version support | Limited | Universal - any version you're running | | Ecosystem changes | Required | None | ## Continuous Maintenance Root Image Catalog provides ongoing security coverage - not a one-time snapshot: * **Automatic scanning** - all subscribed images are scanned continuously for new CVEs * **Automatic patching** - when new vulnerabilities are detected, AVR remediates them without any action on your part * **Same tags maintained** - updated images keep the same tags, so your existing references stay valid * **SLA-backed** - Critical CVEs remediated within hours; High within 14 days; Medium within 60 days See [Vulnerability Statuses](/concepts/vulnerability-statuses) for the full SLA breakdown. ## Security Artifacts Every image from `cr.root.io` ships with: * **SBOM** - complete inventory of all components and their versions, including patched packages * **VEX statement** - records which CVEs were fixed and confirms non-exploitability of others * **Provenance** - cryptographic attestation proving the image came from Root's AVR pipeline Authenticate and pull your first secure image. Browse available image families and tags.