What Is an RBOM (Runtime Bill of Materials)? Clearing Unused Code

An RBOM, or Runtime Bill of Materials, is not an explosive, but it can reduce vulnerable code in similarly decisive ways. An RBOM operates as a dynamic, execution-aware refinement of the Software Bill of Materials (SBOM). SBOMs record all software artifacts associated with a build, whereas RBOMs capture only the components that are actually executed or loaded into memory at runtime. Thinking about how RBOM improves compliance requires deeply analyzing large codebases, identifying unused components, isolating what is truly essential, and reducing SBOM elements that unnecessarily expand the attack surface.

One of the best ways to think about RBOM is in terms of risk reduction. In many DevSecOps pipelines, teams believe security has been fully integrated once scanning is enabled and builds are passing. However, if a scanner is configured too permissively or lacks meaningful baselining, there may be no effective comparison between versions or visibility into what truly changed. Simply comparing one build to the next does not always provide actionable insight. RBOM goes further by establishing a runtime baseline and evaluating which libraries, binaries, dependencies, and other code elements are actually executed. This approach ensures that organizations do not spend time managing vulnerabilities in code their product does not use.

FedRAMP, under CM-8 guidance, requires a complete and up-to-date inventory of all system components. This process often begins with an SBOM. However, just because you can bring every possible item does not mean you should - bringing six bathing suits to a ski vacation is unnecessary. Returning to RBOM, the first step is analyzing all components within the codebase. Comparing the SBOM to the RBOM brings clarity to what is actually required versus what merely exists.

The rise of open-source usage, AI-assisted development, and rapid coding practices has significantly expanded dependency trees. Many projects include just-in-case libraries that are never used at runtime. RBOM comparison identifies unused components within the overall package, uncovering what might otherwise take engineers hundreds of hours to manually analyze and resolve.

The next RBOM step highlights unused components for further evaluation and potential removal. These elements are flagged for deeper analysis within the platform. For example, one Python graphics library used by a RapidFort customer had over 3,200 packages installed, yet only 200 were actually used at runtime. This does not imply that the remaining packages were malicious or without value - only that they were not used in that deployment. Many production environments lack a systematic way to surface these inactive components.

Highlighting which packages are actually used can significantly reduce security vulnerabilities. In this case, eliminating unused packages reduced Common Vulnerabilities and Exposures (CVEs) associated with dormant code while shrinking the overall attack surface. Beyond lowering security risk, this reduction also improved build times and increased efficiency within production pipelines.

RBOM supports two primary approaches for eliminating excess SBOM components. The first is less of a removal and more of a swap - using RapidFort’s curated library to replace open-source images with hardened, near-zero-CVE equivalents in a one-for-one exchange. Think of this as a washing-machine approach: vulnerable open-source images go in, and hardened images come out. The second approach removes unused code - such as the 3,000 dormant Python packages - to streamline the artifact down to essential runtime components. Ultimately, the RBOM should closely align with the SBOM. This means no explaining discrepancies to auditors, no securing unused code, and no engineering time wasted on non-essential remediation efforts.

Overall, RBOM is an efficient tool for evaluating the SBOM at runtime, ensuring that everything listed in the inventory is actually being used. One final metaphor: if you run a retail store, you stock items that sell. If 90% of your inventory never moves, it occupies valuable space. If your platform or product uses 80% of its footprint for unused components - and 95% of your vulnerabilities reside there - it may be time to deploy an RBOM. Break down large codebases, identify unused components, isolate essential runtime elements, and eliminate unnecessary vulnerabilities. If you want to dramatically reduce CVEs and strengthen your compliance posture, contact the RapidFort team for a demo.