GitBOM is a minimalistic scheme for build tools to:

  1. Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
  2. Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the GitBOM identifier, into the artifact at build time.

GitBOM is designed to:

  • Consistently construct verifiable Artifact Dependency Graph (ADG)s across languages, environments, and packaging formats, with zero developer effort, involvement, or awareness
  • Enable automatic, verifiable artifact resolution across today’s diverse software supply chains
  • Complement SBOMs, such as SPDX, CycloneDX, or SWID
  • Co-exist with, but not require, version control systems

GitBOM is NOT (contrary to the name’s appearance):

  • Git
  • An SBOM, nor a replacement for SBOMs
  • A version control system
  • A signing scheme

It is compatible with and augments these classes of tools.


GitBOM applies the Unix Philosophy of “do one thing, and do it well.”

By constructing a complete, concise, and verifiable Artifact Dependency Graph (ADG) for every software artifact, GitBOM enables:

  • Run-time detection of potential vulnerabilities, regardless of the depth in the ADG for every software artifact from which that vulnerability originated
  • Post-exploit forensics

By creating a unique, immutable, verifiable identifier (the GitBOM ID) for every software artifact, GitBOM:

In short, it would let anyone easily answer the question, “Does this product contain log4j?”


How does GitBOM improve software identification and vulnerability management?

GitBOM proposes a solution to the completeness and the efficiency challenges facing other supply chain tools.

  • By correlating every piece of software with a verifiable and complete Artifact Dependency Graph (ADG) of all the “ingredients” that went into it (source files, dependencies, object files, etc.), GitBOM enables the identification of software derived from sources known to contain vulnerabilities.
  • GitBOM only includes the minimum information – a “fingerprint” – of the dependency graph to enable efficient run-time scanning for a known-vulnerable artifact
  • A GitBOM Artifact Dependency Graph (ADG) can be cross-referenced against known vulnerabilities, regardless of the dependency depth or language.
How does GitBOM work?

Drawing on the version control system git, GitBOM observes that:

  1. Every artifact is a blob
  2. Every blob can be referenced by its gitoid
  3. The gitoid may be used as an artifact ID for leaf artifacts (In fact, today most source code artifacts are already stored with their git commit as their ID)
  4. Artifact IDs can be extended to derived artifacts by producing GitBOM Documents
  5. Build tools can embed GitBOM Document Identifiers into the derived artifacts they produce

GitBOM creatively re-purposes git’s directed acyclic graph to do all this. For a deeper analysis of this proposal, check out the white paper.

We believe this approach can work across all packaging formats, language ecosystems, and operating systems.

And we’d like your help to build it.

Get Involved

Head over to the community page for details on meeting times, mailing lists, and more.