diff --git a/src/ghastoolkit/supplychain/dependencies.py b/src/ghastoolkit/supplychain/dependencies.py
index a834b514..b6977c56 100644
--- a/src/ghastoolkit/supplychain/dependencies.py
+++ b/src/ghastoolkit/supplychain/dependencies.py
@@ -1,4 +1,5 @@
 import logging
+import random
 from dataclasses import dataclass, field
 from datetime import datetime
 import re
@@ -123,6 +124,12 @@ def exportBOM(
     ) -> dict:
         """Create a dependency graph submission JSON payload for GitHub."""
         resolved = {}
+        job = {
+            "correlator": tool,
+            # create random 10 digit number
+            "id": "".join([str(random.randint(0, 9)) for _ in range(10)]),
+        }
+
         for dep in self:
             name = dep.name
             purl = dep.getPurl()
@@ -132,7 +139,7 @@ def exportBOM(
                 "version": 0,
                 "sha": sha,
                 "ref": ref,
-                "job": {"correlator": tool, "id": tool},
+                "job": job,
                 "detector": {"name": tool, "version": version, "url": url},
                 "scanned": datetime.now().isoformat(),
                 "manifests": {
diff --git a/tests/test_dependencies.py b/tests/test_dependencies.py
index 830d4b2c..3f13ec5c 100644
--- a/tests/test_dependencies.py
+++ b/tests/test_dependencies.py
@@ -1,4 +1,3 @@
-
 import unittest
 
 from ghastoolkit import Dependencies, Dependency, Licenses
@@ -10,7 +9,9 @@ def setUp(self) -> None:
         self.deps.append(Dependency("urllib3", manager="pypi", license="MIT"))
         self.deps.append(Dependency("rich", manager="pypi", license="NOASSERTION"))
         self.deps.append(Dependency("pyyaml", manager="pypi", license="GPL-3.0"))
-        self.deps.append(Dependency("pyproject-hooks", manager="pypi", license="Apache-2.0"))
+        self.deps.append(
+            Dependency("pyproject-hooks", manager="pypi", license="Apache-2.0")
+        )
         self.deps.append(Dependency("requests", manager="pypi", license="GPL-2.0"))
         return super().setUp()
 
@@ -50,7 +51,7 @@ def test_apply_license(self):
         licenses.add("pkg:pypi/rich", ["MIT"])
 
         self.deps.applyLicenses(licenses)
-        
+
         deps = self.deps.findUnknownLicenses()
         self.assertEqual(len(deps), 0)
 
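Review bot: The job id built on the `"id":` line of the new `job` dict comes from the module-global `random` generator, so any caller or test that calls `random.seed()` will make consecutive snapshots reuse the same id, and a randomly drawn id cannot be traced back to the CI run that produced the snapshot. A caller-supplied id with the random value as fallback would be more useful, e.g. `job_id: str | None = None` on the signature and `"id": job_id or f"{random.randrange(10**10):010d}",`, which also replaces the join-over-comprehension with one format expression; the id is not a secret, so `random` rather than `secrets` is adequate. The docstring should state the behaviour, e.g. `"""Create a dependency graph submission JSON payload for GitHub; job.id is a random 10-digit string."""`. exportBOM's signature and the rest of its body lie outside the hunk.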
@@ -70,3 +71,25 @@ def test_update_dep(self):
     def test_hashable(self):
         dep = Dependency("urllib3", manager="pypi", license="MIT")
         self.assertEqual(hash(dep), hash(dep.getPurl()))
+
+    def test_snapshot(self):
+        snapshot = self.deps.exportBOM(
+            "ghastoolkit",
+            path="./here.json",
+            sha="123456",
+            version="0.1.0",
+            ref="refs/heads/main",
+        )
+
+        self.assertEqual(snapshot.get("version"), 0)
+
+        detector = snapshot.get("detector", {})
+        self.assertEqual(detector.get("name"), "ghastoolkit")
+        self.assertEqual(detector.get("version"), "0.1.0")
+
+        job = snapshot.get("job", {})
+        self.assertEqual(job.get("correlator"), "ghastoolkit")
+        # ID is a 10 digit random number
+        self.assertIsNotNone(job.get("id"))
+        self.assertTrue(job.get("id", "").isdigit())
+        self.assertEqual(len(job.get("id", "")), 10)
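Review bot: test_snapshot never checks the `sha` and `ref` values it passes in, although the payload carries them at top level next to `version` (see the dependencies.py hunk), so a regression in either field would go unnoticed; add `self.assertEqual(snapshot.get("sha"), "123456")` and `self.assertEqual(snapshot.get("ref"), "refs/heads/main")` after the `version` assertion. The `job.get("id", "")` default on the last two lines is redundant once `assertIsNotNone` has passed; binding `job_id = job["id"]` once and asserting on it reads more clearly. Whether `path="./here.json"` makes exportBOM write a file cannot be seen from this diff; if it does, the test should point it at a `tempfile` location so nothing is left in the working directory. The enclosing test class starts outside the hunk.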