SBOMit is a supply-chain security framework that generates SBOMs directly from in-toto attestations, so the component inventory reflects the dependencies actually used during the build rather than only those declared up front. SBOMit uses the witness tool to record build-time filesystem, process, and execution events, then converts these authenticated provenance records into a complete, verifiable SBOM.
In addition to filesystem and process tracing, SBOMit tracks network activity to observe outbound connections and record dependencies downloaded during the build. Transient or runtime-fetched components that static, manifest-based SBOM tools miss are therefore captured.
SBOMit outputs a cryptographically verifiable SBOM enriched with:

- **Build-Time Dependency Discovery**: extracted from witness attestations, including files read/written, processes executed, and dynamically generated artifacts.
- **Network-Based Dependency Capture**: network requests are mapped to dependency sources (e.g., Cargo crates, pip packages, OS packages) to detect ephemeral dependencies that static analysis does not capture.
- **Provenance-Backed Integrity**: every SBOM element is derived from authenticated in-toto attestations, enabling downstream verification, reproducibility analysis, and policy enforcement.
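The following is an added illustration of the three properties above, not SBOMit's or witness's own code. It uses a constructed, simplified attestation layout (a `type` plus a list of `events`) that stands in for real in-toto/witness attestations, a hypothetical host-to-ecosystem table, and constructed sample events. It shows how files read during the build and URLs fetched during the build become SBOM components, how each component cites the content digest of the attestation it came from, and how a downstream consumer can reject a component whose provenance is not backed by a known attestation. Fetches from unrecognised hosts are kept as `unclassified` rather than dropped, since the point of network capture is that nothing fetched goes unrecorded.

```python
"""Illustrative SBOM derivation from build-time attestations (added example).

The attestation layout and host table here are constructed stand-ins and are
NOT the real witness or in-toto schema.
"""
import hashlib
import json
from urllib.parse import urlparse

# Hypothetical mapping from download host to package ecosystem (illustrative only).
ECOSYSTEM_HOSTS = {
    "crates.io": "cargo",
    "static.crates.io": "cargo",
    "index.crates.io": "cargo",
    "pypi.org": "pypi",
    "files.pythonhosted.org": "pypi",
    "deb.debian.org": "deb",
    "archive.ubuntu.com": "deb",
}

# Constructed sample attestations: one per collector kind (files, processes, network).
SAMPLE_ATTESTATIONS = [
    {"type": "files", "events": [
        {"path": "src/main.rs", "op": "read", "sha256": "aa" * 32},
        {"path": "target/release/app", "op": "write", "sha256": "bb" * 32},
    ]},
    {"type": "processes", "events": [
        {"cmd": ["cargo", "build", "--release"], "pid": 4242},
    ]},
    {"type": "network", "events": [
        {"url": "https://static.crates.io/crates/serde/serde-1.0.197.crate",
         "sha256": "cc" * 32},
        {"url": "https://files.pythonhosted.org/packages/source/r/requests/requests-2.31.0.tar.gz",
         "sha256": "dd" * 32},
        {"url": "https://example.internal/blob/helper.tar.gz", "sha256": "ee" * 32},
    ]},
]


def attestation_id(att):
    """Stable content digest of one attestation; SBOM components cite it as provenance."""
    canonical = json.dumps(att, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def classify_url(url):
    """Return (ecosystem or None, artifact name) for a fetched URL using the host table."""
    parsed = urlparse(url)
    ecosystem = ECOSYSTEM_HOSTS.get(parsed.hostname or "")
    name = parsed.path.rstrip("/").rsplit("/", 1)[-1]
    return ecosystem, name


def build_sbom(attestations):
    """Derive SBOM components from file-read and network-fetch events.

    Files written are build products, not inputs, so they are not listed as
    components. Process events are not components either; they are left out
    here but remain available through the attestation digests.
    """
    components = []
    for att in attestations:
        aid = attestation_id(att)
        if att["type"] == "files":
            for ev in att["events"]:
                if ev["op"] == "read":
                    components.append({"kind": "file", "name": ev["path"],
                                       "ecosystem": None, "sha256": ev["sha256"],
                                       "provenance": aid})
        elif att["type"] == "network":
            for ev in att["events"]:
                ecosystem, name = classify_url(ev["url"])
                components.append({"kind": "network", "name": name,
                                   "ecosystem": ecosystem or "unclassified",
                                   "source": ev["url"], "sha256": ev["sha256"],
                                   "provenance": aid})
    return {"components": components}


def verify_provenance(sbom, attestations):
    """True only if every component cites an attestation the consumer actually holds."""
    known = {attestation_id(a) for a in attestations}
    return all(c["provenance"] in known for c in sbom["components"])


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_ATTESTATIONS)
    print(json.dumps(sbom, indent=2))
    print("provenance ok:", verify_provenance(sbom, SAMPLE_ATTESTATIONS))
```

In a real deployment the attestation digests would come from signed in-toto statements, so `verify_provenance` would first check signatures and then confirm that each component's cited digest matches a statement it trusts; the shape of the check is the same.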
For the detailed specification, please refer to:
📄 Specification