Root Image Catalog (RIC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.
Root Image Catalog (RIC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.
Root Image Catalog (RIC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.
Root Image Catalog (RIC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.
The problem
Base images are broken by default
Base images are broken by default
Base images are broken by default
Base images are broken by default
Container security starts with the base image, but official images are riddled with vulnerabilities. This creates a massive, unending workload:
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
The solution:
Shift Out
We say, it’s time to Shift Out.
Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may sound crazy, but we’ve made it real.
Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece of open source code on this planet.
The Root Image Catalog (RIC) is a drop-in solution that eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use, maintained and patched by our automated platform.
Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That’s it.
How it works
Research, patch, test, replace
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.
Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.
Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.
Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.
Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.
Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.
Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.
Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.
Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.
Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.
Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.
Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.
Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.
Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.
Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.
Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.
SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.
SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.
SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.
SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.
SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.
Shift Out means
All open source is fixed
Use your version, your stack – and it’s already fixed with no forced upgrades and no vendor-imposed images.
CVE work drops to zero
There’s no more triage and no more manual patching. CVE work is done for you – not by you.
Every fix is trustworthy
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Every fix is transparent
AppSec and Devs can always see exactly what was fixed, how it was tested, and why it can be trusted.
Key features benefits
2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.
2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.
2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.
2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.
2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.
Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.
Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.
Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.
Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.
Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.
Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.
Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.
Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.
Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.
Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.
Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.
Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.
Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.
Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.
Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.
Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.
Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.
Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.
Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.
Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.
Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.
Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.
Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.
Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.
Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.
Who is RIC for?
Security teams
Eliminate 60-70 of CVE noise from scanners; focus on high-impact application-level risks.
Platform DevOps teams
Standardize on a secure foundation; eliminate image drift and reduce maintenance overhead.
Developers
Pull secure images by default; never blocked by base image vulnerabilities. Zero learning curve, no migration required.
Compliance GRC teams
Generate audit-ready proof on demand for SOC 2, FedRAMP, and other regulatory requirements.
