What if we could know the complete and reproducible artifact tree for every binary executable, shared object, container, etc. (including all of its dependencies) and could efficiently cross-reference it against a database of known vulnerabilities before deployment? If we had had that information, could we have remediated vulnerabilities such as Log4Shell faster? Might it even help open-source maintainers identify at-risk dependencies sooner? GitBOM is an open-source initiative to construct a verifiable Artifact Dependency Graph (ADG) and enable automatic, verifiable artifact resolution. In this talk, we will explain GitBOM and demonstrate a CVE-detection use case using llvm-gitbom. Given a version of OpenSSL, we will show how we detect whether that version has any vulnerabilities that are not yet fixed, and which, if any, have been fixed in it.
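An added illustration of the cross-referencing idea described above, not code from the talk or from the GitBOM / llvm-gitbom projects: each build input is content-addressed by its git blob id (the gitoid), every built artifact gets a small GitBOM document listing its inputs, and that Artifact Dependency Graph is walked transitively against a vulnerability database keyed by gitoid. The document line layout, the toy build steps and the CVE entry are constructed assumptions.

```python
import hashlib

def gitoid(data):
    """Content address GitBOM uses: the git blob id of the raw bytes."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def gitbom_doc(inputs):
    """Serialise one ADG node. inputs maps an input blob's gitoid to the gitoid of
    that input's own GitBOM document (None for a leaf such as a source file).
    The line layout is an assumption modelled on the GitBOM spec."""
    lines = [f"blob {b}" + (f" bom {d}" if d else "") for b, d in inputs.items()]
    return "".join(line + "\n" for line in sorted(lines)).encode()

class ADG:
    def __init__(self):
        self.docs = {}  # GitBOM document gitoid -> {input blob gitoid: nested doc gitoid}

    def add(self, inputs):
        doc_id = gitoid(gitbom_doc(inputs))  # the document is itself content-addressed
        self.docs[doc_id] = dict(inputs)
        return doc_id

    def reachable_blobs(self, doc_id):
        """Transitive closure of every input blob below doc_id (cycle-safe)."""
        blobs, seen, stack = set(), set(), [doc_id]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for blob, nested in self.docs[cur].items():
                blobs.add(blob)
                if nested:
                    stack.append(nested)
        return blobs

def vulnerable_inputs(adg, doc_id, vuln_db):
    """Cross-reference the ADG below doc_id against a gitoid-keyed vulnerability DB."""
    return {b: vuln_db[b] for b in adg.reachable_blobs(doc_id) if b in vuln_db}

# Constructed build: two sources -> one object file -> one shared library.
SRC_VULN = b"int verify(void) { return 0; }\n"        # constructed 'bad' revision
SRC_FIXED = b"int verify(void) { return check(); }\n"  # constructed fixed revision
SRC_OTHER = b"int handshake(void) { return 1; }\n"
VULN_DB = {gitoid(SRC_VULN): "CVE-PLACEHOLDER-0001 (constructed entry)"}

def build(verify_src):
    adg = ADG()
    obj_doc = adg.add({gitoid(verify_src): None, gitoid(SRC_OTHER): None})
    obj_blob = gitoid(b"OBJ:" + verify_src)  # stand-in for the compiled .o bytes
    lib_doc = adg.add({obj_blob: obj_doc})   # the library's inputs nest the object's doc
    return adg, lib_doc
```

Because the lookup is by content hash rather than by version string, the fixed revision produces a different gitoid and no longer matches the database entry.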