SBOMit is a supply-chain security framework that generates accurate SBOMs directly from in-toto attestations, ensuring that component inventories reflect the real dependencies used during the build process. SBOMit leverages the witness tool to capture build-time filesystem, process, and execution events, and converts these authenticated provenance records into a complete, verifiable SBOM.
In addition to filesystem and process tracing, SBOMit includes network tracking to observe outbound connections and capture dynamically downloaded build-time dependencies. This ensures that transient or runtime-fetched components are not missed by traditional SBOM tools.
SBOMit outputs a cryptographically verifiable SBOM enriched with:
- Build-Time Dependency Discovery: extracted from witness attestations, including files read/written, processes executed, and dynamically generated artifacts.
- Network-Based Dependency Capture: mapping network requests to dependency sources (e.g., Cargo crates, pip packages, OS packages) to detect ephemeral dependencies not captured statically.
- Provenance-Backed Integrity: every SBOM element is derived from authenticated in-toto attestations, enabling downstream verification, reproducibility analysis, and policy enforcement.
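To make the network-to-dependency mapping and the provenance binding above concrete, here is an added Python sketch that is not SBOMit's or witness's own code: it takes a constructed in-toto Statement (only the envelope keys are standard; the predicate layout, the host table and the output shape are assumptions), maps observed downloads to package URLs, flags fetches from hosts it cannot classify, and ties every component to the digest of the attestation it came from.

```python
# Added, constructed example: not SBOMit's or witness's code. The predicate layout, host
# table and SBOM shape are assumptions; only the in-toto Statement envelope keys are standard.
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed Statement standing in for one build step traced by witness.
ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "target/release/app", "digest": {"sha256": "aa" * 32}}],
    "predicateType": "https://example.invalid/build-trace/v0",  # assumed type
    "predicate": {
        "materials": [{"uri": "Cargo.lock", "digest": {"sha256": "bb" * 32}}],
        "network": [  # outbound fetches observed during the build
            {"url": "https://static.crates.io/crates/serde/serde-1.0.197.crate"},
            {"url": "https://files.pythonhosted.org/packages/ab/cd/requests-2.31.0.tar.gz"},
            {"url": "http://deb.debian.org/debian/pool/main/z/zlib/zlib1g_1.2.13-1_amd64.deb"},
            {"url": "https://mirror.example.invalid/blob/tool.bin"},  # not a known source
        ],
    },
}

# Host -> (purl type, artifact filename pattern) for sources we know how to map (assumed).
SOURCES = {
    "static.crates.io": ("cargo", re.compile(r"^(?P<n>.+)-(?P<v>\d[^-]*)\.crate$")),
    "files.pythonhosted.org": ("pypi", re.compile(r"^(?P<n>.+)-(?P<v>\d[^-]*)\.tar\.gz$")),
    "deb.debian.org": ("deb", re.compile(r"^(?P<n>[^_]+)_(?P<v>[^_]+)_[^_]+\.deb$")),
}

def component_from_url(url):
    """Map one observed download to a purl; flag it for review when the source is unrecognised."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    known = SOURCES.get(parsed.hostname)
    if known:
        ptype, pattern = known
        match = pattern.match(filename)
        if match:
            return {"purl": f"pkg:{ptype}/{match['n']}@{match['v']}", "origin": url}
    return {"purl": None, "origin": url, "flag": "unrecognised-source"}

def build_sbom(statement):
    """Derive components from the attestation and bind them to its content digest."""
    canonical = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    provenance = "sha256:" + hashlib.sha256(canonical).hexdigest()
    comps = [component_from_url(e["url"]) for e in statement["predicate"]["network"]]
    comps += [{"purl": None, "origin": m["uri"], "digest": m["digest"]}
              for m in statement["predicate"]["materials"]]
    return {"subject": statement["subject"], "provenance": provenance, "components": comps}
```

A real verifier would first check the DSSE signature on the attestation before trusting its contents; this sketch starts from an already-authenticated Statement.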
For the detailed specification, please refer to the 📄 Specification.
The SBOMit specification is licensed under the 📜 Creative Commons Attribution 4.0 International Public License.
- Schedule: Every Wednesday at 11:00 AM US Eastern Time
- 📍 Zoom Meeting Link
- Notes: 📝 Meeting Notes
- Let others talk (don’t interrupt)
- Be polite when you disagree
- Be respectful of others’ time
- Avoid rambling
- Limit excessive agreement/piggybacking
- Topics that begin to dominate will be deferred to a future meeting with a dedicated discussion slot