Product

Images

Libraries

Resources

Company

Talk to a real human

Book a demo

Root Image Catalog (RIC)

Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.

Root Image Catalog secures your foundation. For complete stack coverage, add Root Library Catalog to patch application dependencies too.

Pull vulnerability free code now

Book a demo

Book a demo

The problem

Base images are
broken by default

Base images are
broken by default

Container security starts with the base image, but official images are riddled with vulnerabilities. This creates a massive, unending workload:

Constant triage

Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.

Constant triage

Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.

Constant triage

Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.

Forced upgrades

"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.

Forced upgrades

"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.

Forced upgrades

"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.

Image drift

As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.

Image drift

As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.

Image drift

As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.

Delayed deployments

Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.

Delayed deployments

Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.

Delayed deployments

Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.

The solution:

The solution:

Shift Out

Shift Out

We say, it’s time to Shift Out.

We say, it’s time to Shift Out.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may
sound crazy, but we’ve made it real.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may
sound crazy, but we’ve made it real.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may
sound crazy, but we’ve made it real.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece
of open source code on this planet.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece
of open source code on this planet.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece
of open source code on this planet.

The Root Image Catalog (RIC) is a drop-in solution that eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use, maintained and patched by our automated platform.

The Root Image Catalog (RIC) is a drop-in solution that eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use, maintained and patched by our automated platform.

The Root Image Catalog (RIC) is a drop-in solution that eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use, maintained and patched by our automated platform.

Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That’s it.

Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That’s it.

Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That’s it.

How it works

Research, patch, test, replace

Research

Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.

Research

Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.

Research

Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.

Patch

Apply the smallest safe fix. If an upgrade works, great. If not, backport it.

Patch

Apply the smallest safe fix. If an upgrade works, great. If not, backport it.

Patch

Apply the smallest safe fix. If an upgrade works, great. If not, backport it.

Test

Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.

Test

Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.

Test

Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.

Replace

Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.

Replace

Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.

Replace

Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.

SLA-Backed Guarantee

Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.

SLA-Backed Guarantee

Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.

SLA-Backed Guarantee

Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.

Shift Out means

All open source is fixed

Use your version, your stack – and it’s already fixed with no forced upgrades and no vendor-imposed images.

CVE work drops to zero

There’s no more triage and no more manual patching. CVE work is done for you – not by you.

Every fix is trustworthy

Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Every fix is transparent

AppSec and Devs can always see exactly

what was fixed, how it was tested, and why it can be trusted.

Key features benefits

Key features benefits

2,000+ curated images

Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Instant security: Adopt a secure foundation without changing your stack.

2,000+ curated images

Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Instant security: Adopt a secure foundation without changing your stack.

2,000+ curated images

Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Instant security: Adopt a secure foundation without changing your stack.

Full version history

Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.

Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.

Full version history

Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.

Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.

Full version history

Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.

Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.

Built-from-source patching

We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.

Complete trust: Eliminate supply chain risk with verifiable, transparently built images.

Built-from-source patching

We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.

Complete trust: Eliminate supply chain risk with verifiable, transparently built images.

Built-from-source patching

We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.

Complete trust: Eliminate supply chain risk with verifiable, transparently built images.

Zero breaking changes

Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.

Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.

Zero breaking changes

Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.

Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.

Zero breaking changes

Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.

Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.

Complete proof chain

Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.

Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.

Complete proof chain

Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.

Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.

Complete proof chain

Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.

Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.

Dual-architecture support

All images are available for both AMD64 and ARM64 architectures.

Future-proof your stack: Build and deploy consistently across all modern infrastructure.

Dual-architecture support

All images are available for both AMD64 and ARM64 architectures.

Future-proof your stack: Build and deploy consistently across all modern infrastructure.

Dual-architecture support

All images are available for both AMD64 and ARM64 architectures.

Future-proof your stack: Build and deploy consistently across all modern infrastructure.

Who is RIC for?

Security teams

Eliminate 60-70 of CVE noise from scanners; focus on high-impact application-level risks.

Platform DevOps teams

Standardize on a secure foundation; eliminate image drift

and reduce maintenance overhead.

Developers

Pull secure images by default; never blocked by base image

vulnerabilities. Zero learning curve, no migration required.

Compliance GRC teams

Generate audit-ready proof on demand for SOC 2, FedRAMP,

and other regulatory requirements.

Pricing model

Simple,
predictable

We offer two simple pricing models for Root Libraries, designed to scale with your needs. Both models include contractual SLA commitments: if you use a library, we support it. No catalog limitations.

Root Library Catalog

Best for:

Teams with defined, predictable workloads

Pricing Unit:

Fixed-price for all versions within a library

Root Library Catalog

Best for:

Teams with defined, predictable workloads

Pricing Unit:

Fixed-price for all versions within a library

Root Library Catalog

Best for:

Teams with defined, predictable workloads

Pricing Unit:

Fixed-price for all versions within a library

Image & Library Bundle

Best for:

Includes Root Image Catalog. Growing teams, microservices architectures, and organizations with 40+ containers

Pricing Unit:

Per-developer seat, with no limit
on container usage

Image & Library Bundle

Best for:

Includes Root Image Catalog. Growing teams, microservices architectures, and organizations with 40+ containers

Pricing Unit:

Per-developer seat, with no limit
on container usage

Image & Library Bundle

Best for:

Includes Root Image Catalog. Growing teams, microservices architectures, and organizations with 40+ containers

Pricing Unit:

Per-developer seat, with no limit
on container usage

All subscriptions include:

Registry SLA guarantees (30-day Standard or 7-day Enhanced for Critical/High vulnerabilities)

Full version history (3-5 years) and dual-architecture support (AMD64 + ARM64)

Complete security artifact chain (provenance,

attestation, SBOM, VEX, malware scans)

Standard support (Premium Support available

with RIC + Libraries bundle)

Why we don’t suck

Why we don’t suck

No forced reengineering
No forced reengineering
No vendor lock-in
No vendor lock-in
No restrictions on open source
No restrictions on open source
Full transparency on every fix
Full transparency on every fix
One-click integration
One-click integration

Get started in minutes

Browse the community catalog

Explore over 500 of our most popular images for free at cr.root.io. Pull and use them in any project, no strings attached. (Community tier has no SLA guarantees).

Browse the community catalog

Explore over 500 of our most popular images for free at cr.root.io. Pull and use them in any project, no strings attached. (Community tier has no SLA guarantees).

Browse the community catalog

Explore over 500 of our most popular images for free at cr.root.io. Pull and use them in any project, no strings attached. (Community tier has no SLA guarantees).

Request a free POV

Want to see how RIC works on your specific images? We’ll set up a free Proof of Value and deliver patched versions in about a week.

Request a free POV

Want to see how RIC works on your specific images? We’ll set up a free Proof of Value and deliver patched versions in about a week.

Request a free POV

Want to see how RIC works on your specific images? We’ll set up a free Proof of Value and deliver patched versions in about a week.

Get a custom quote

Let’s design a plan that fits your team’s
exact needs—whether Container Bundles or Unlimited per-seat pricing—and calculate the ROI you can expect.

Get a custom quote

Let’s design a plan that fits your team’s
exact needs—whether Container Bundles or Unlimited per-seat pricing—and calculate the ROI you can expect.

Get a custom quote

Let’s design a plan that fits your team’s
exact needs—whether Container Bundles or Unlimited per-seat pricing—and calculate the ROI you can expect.

Note: Root Image Catalog secures your base OS, runtimes, and bundled packages. But the real battlefield—where 80% of your CVE exposure lives—is in your application libraries. The Root Library Catalog extends coverage to patch npm, PyPI, Maven, Go, and more at the versions you run. One vendor. One SLA. Complete coverage.

No migrations.
Just fixes.

See how Root's CVE-first architecture works in 3 minutes.

Pull vulnerability free code now

Book a demo

No migrations.
Just fixes.

See how Root's CVE-first architecture works in 3 minutes.

Pull vulnerability free code now

Book a demo

No migrations.
Just fixes.

See how Root's CVE-first architecture works in 3 minutes.

Pull vulnerability free code now

Book a demo

No migrations.
Just fixes.

See how Root's CVE-first architecture works in 3 minutes.

Pull vulnerability free code now

Book a demo