
Root Image Catalog (RIC)
Get all your open source clean of vulnerabilities, secured by default. No engineering required. Access over 2,000 continuously remediated container images with 30-day registry SLA for Critical/High vulnerabilities. Get hardened, zero-CVE versions of the base OS, runtimes, and frameworks you already use—without changing a single line of your Dockerfile logic.

The problem
Base images are broken by default
Container security starts with the base image, but official images are riddled with vulnerabilities. This creates a massive, unending workload:
Constant triage
Developers and security teams waste hours every week identifying, prioritizing, and debating fixes for CVEs in base layers.
Forced upgrades
"Fix-forward" solutions from vendors like Chainguard and Wolfi require you to migrate to their custom, often incompatible, base images (distroless, wolfi-os), leading to months of re-engineering and broken builds.
Image drift
As you manually patch or switch base images, you introduce inconsistencies across your environment, making it impossible to maintain a standard, secure foundation.
Delayed deployments
Security gates block releases due to vulnerable base images, slowing down feature velocity and frustrating developers.
The solution:
Shift Out
We say, it’s time to Shift Out.

Shift Out is a movement built on a simple idea: open source should arrive clean of all vulnerabilities, secured by default. It may sound crazy, but we’ve made it real.

Root’s Shift Out Platform is powered by thousands of AI agents trained to detect, patch, and validate vulnerabilities for any piece of open source code on this planet.

The Root Image Catalog (RIC) is a drop-in solution that eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use, maintained and patched by our automated platform.

Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That’s it.

How it works
Research, patch, test, replace
Research
Collect everything known about the CVE—advisories, exploits, affected versions, upstream commits—to build the full picture.

Patch
Apply the smallest safe fix. If an upgrade works, great. If not, backport it.

Test
Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks.

Replace
Deliver the fixed, fully tested image straight into your pipeline with full transparency on what was found, patched, and tested.

SLA-Backed Guarantee
Standard SLA provides 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response. Enhanced SLA delivers 7-day Critical/High remediation. Service credits provided if registry SLA is missed.

Shift Out means

All open source is fixed
Use your version, your stack – and it’s already fixed with no forced upgrades and no vendor-imposed images.

CVE work drops to zero
There’s no more triage and no more manual patching. CVE work is done for you – not by you.

Every fix is trustworthy
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.

Every fix is transparent
AppSec and Devs can always see exactly what was fixed, how it was tested, and why it can be trusted.

Key features & benefits

2,000+ curated images
Never hear "trust us bro" again - every fix is the smallest possible, and tested to the max to make sure it never breaks.
Instant security: Adopt a secure foundation without changing your stack.

Full version history
Access patched versions of any tag from the last 3-5 years. Need python:3.9-slim-bullseye from 18 months ago? We have it, patched and maintained.
Extended lifetime support: Secure older, pinned dependencies without being forced to upgrade.

Built-from-source patching
We rebuild every patched artifact from source, ensuring no unknown binaries or hidden malware.
Complete trust: Eliminate supply chain risk with verifiable, transparently built images.

Zero breaking changes
Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version.
Frictionless adoption: Swap a single line in your Dockerfile. No code changes, no re-architecting.

Complete proof chain
Every image is delivered with a full set of security artifacts (SBOM, VEX, Attestation) to satisfy auditors.
Automated compliance: Pass security reviews and audits instantly with verifiable proof of remediation.

Dual-architecture support
All images are available for both AMD64 and ARM64 architectures.
Future-proof your stack: Build and deploy consistently across all modern infrastructure.

Who is RIC for?

Security teams
Eliminate 60-70% of CVE noise from scanners; focus on high-impact application-level risks.

Platform DevOps teams
Standardize on a secure foundation; eliminate image drift and reduce maintenance overhead.

Developers
Pull secure images by default; never blocked by base image vulnerabilities. Zero learning curve, no migration required.

Compliance & GRC teams
Generate audit-ready proof on demand for SOC 2, FedRAMP, and other regulatory requirements.
Pricing model
Simple, predictable
We offer two simple pricing models for RIC, designed to scale with your needs.
Container Bundles
Best for:
Teams with defined, predictable workloads
Pricing Unit:
Fixed-price packages for 10, 20, 40, or 60 containers
Unlimited
Best for:
Growing teams, microservices architectures, and organizations with 40+ containers
Pricing Unit:
Per-developer seat, with no limit on container usage
All subscriptions include:
Registry SLA guarantees (30-day Standard or 7-day Enhanced for Critical/High vulnerabilities)
Full version history (3-5 years) and dual-architecture support (AMD64 + ARM64)
Complete security artifact chain (provenance, attestation, SBOM, VEX, malware scans)
Standard support (Premium Support available with RIC + Libraries bundle)
Why we don’t suck
No forced reengineering
No vendor lock-in
No restrictions on open source
Full transparency on every fix
One-click integration
Get started in minutes

Browse the community catalog
Explore over 500 of our most popular images for free at cr.root.io. Pull and use them in any project, no strings attached. (Community tier has no SLA guarantees).

Request a free POV
Want to see how RIC works on your specific images? We’ll set up a free Proof of Value and deliver patched versions in about a week.

Get a custom quote
Let’s design a plan that fits your team’s exact needs—whether Container Bundles or Unlimited per-seat pricing—and calculate the ROI you can expect.

Note: RIC covers base OS, runtimes, and bundled packages. For application-layer dependencies (npm, PyPI, Maven, etc.), see our Libraries add-on offering.

