OmniBOR (Universal Bill Of Receipts) is a minimalistic scheme for build tools to:

  1. Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
  2. Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the OmniBOR identifier, into the artifact at build time.

OmniBOR is designed to:

  • Consistently construct verifiable Artifact Dependency Graphs (ADGs) across languages, environments, and packaging formats, with zero developer effort, involvement, or awareness

  • Enable automatic, verifiable artifact resolution across today’s diverse software supply chains

  • Complement SBOMs, such as SPDX, CycloneDX, or SWID

  • Co-exist with, but not require, version control systems

OmniBOR is NOT:

  • Git (or any other VCS)
  • An SBOM, nor a replacement for SBOMs
  • A signing scheme

It is compatible with and augments these classes of tools.

OmniBOR was formerly known as GitBOM.


OmniBOR applies the Unix Philosophy of “do one thing, and do it well.”

By constructing a complete, concise, and verifiable Artifact Dependency Graph (ADG) for every software artifact, OmniBOR enables:

  • Run-time detection of potential vulnerabilities in any software artifact, regardless of how deep in that artifact's ADG the vulnerability originated

  • Post-exploit forensics

By creating a unique, immutable, verifiable identifier (the OmniBOR ID) for every software artifact, OmniBOR:

In short, it would let anyone easily answer the question, “Does this product contain log4j?”


How does OmniBOR improve software identification and vulnerability management?

OmniBOR proposes a solution to the completeness and the efficiency challenges facing other supply chain tools.

  • By correlating every piece of software with a verifiable and complete Artifact Dependency Graph (ADG) of all the “ingredients” that went into it (source files, dependencies, object files, etc.), OmniBOR enables the identification of software derived from sources known to contain vulnerabilities.
  • OmniBOR includes only the minimum information – a “fingerprint” – of the dependency graph, which enables efficient run-time scanning for a known-vulnerable artifact.
  • An OmniBOR Artifact Dependency Graph (ADG) can be cross-referenced against known vulnerabilities, regardless of the dependency depth or language.

How does OmniBOR work?

Drawing on the version control system git, OmniBOR observes that:

  1. Every artifact is a blob
  2. Every blob can be referenced by its gitoid
  3. The gitoid may be used as an artifact ID for leaf artifacts (in fact, today most source code artifacts are already stored with their git commit as their ID)
  4. Artifact IDs can be extended to derived artifacts by producing OmniBOR Documents
  5. Build tools can embed OmniBOR Document Identifiers into the derived artifacts they produce

OmniBOR creatively re-purposes git’s directed acyclic graph to do all this. For a deeper analysis of this proposal, check out the white paper.
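
The five observations above can be traced in a short Python sketch. This is an added example, not code from the OmniBOR project: gitoid() follows git's blob hashing, while the document line layout, the DOCS store, and the names record_build, contains and build_sample are assumptions made for illustration, and the file contents are constructed.

```python
import hashlib

def gitoid(data: bytes, algo: str = "sha256") -> str:
    """Git blob object ID: hash over b'blob <size>\\0' followed by the content."""
    h = hashlib.new(algo)
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()

DOCS = {}  # document ID -> {input gitoid: that input's document ID, or None for a leaf}

def record_build(inputs: dict) -> str:
    """Record the inputs of one build step and return the resulting document ID.
    The line layout below is a simplification assumed for this example."""
    lines = [f"blob {oid}" + (f" bom {doc}" if doc else "")
             for oid, doc in sorted(inputs.items())]
    doc_id = gitoid(("\n".join(lines) + "\n").encode())  # the document is itself a blob
    DOCS[doc_id] = dict(inputs)
    return doc_id

def contains(doc_id: str, target: str) -> bool:
    """True if the artifact with gitoid `target` appears at any depth of the graph."""
    for oid, child_doc in DOCS[doc_id].items():
        if oid == target or (child_doc and contains(child_doc, target)):
            return True
    return False

# Constructed sample inputs (not real project files).
VULN_SRC = b"int parse(char *s) { /* known-vulnerable */ }\n"
UTIL_SRC = b"int util(void) { return 0; }\n"
MAIN_SRC = b"int main(void) { return 0; }\n"
LIB_OBJ = b"\x7fELF constructed libfoo.o"

def build_sample() -> str:
    # Step 1: libfoo.o is derived from two leaf source files.
    lib_doc = record_build({gitoid(VULN_SRC): None, gitoid(UTIL_SRC): None})
    # Step 2: the application is derived from main.c and libfoo.o. The entry for
    # libfoo.o carries the ID of its own document, which links the two levels.
    return record_build({gitoid(MAIN_SRC): None, gitoid(LIB_OBJ): lib_doc})

if __name__ == "__main__":
    app = build_sample()
    print("app document ID:", app)
    print("contains vulnerable source:", contains(app, gitoid(VULN_SRC)))
```

The lookup finds the vulnerable source file two levels below the application without needing the file itself, only its gitoid.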

We believe this approach can work across all packaging formats, language ecosystems, and operating systems.

And we’d like your help to build it.

Get Involved

Head over to the community page for details on meeting times, mailing lists, and more.