diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0977caef..2c4c91c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,6 +51,12 @@ jobs:
       draft: true
       generate_release_notes: true
+  create-sbom:
+    needs: [create-release, build-docker-release]
+    uses: ./.github/workflows/sbom.yml
+    with:
+      upload_url: ${{ needs.create-release.outputs.upload_url }}
+
   build-release:
     name: Release ${{ matrix.build }}
     needs: [create-release]
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000..ecf7b1b6
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,54 @@
+name: Create SBOM files
+
+on:
+  workflow_call:
+    inputs:
+      upload_url:
+        description: "Release assets upload URL"
+        required: true
+        type: string
+
+jobs:
+  create-sbom:
+    runs-on: self-hosted
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      # Store the version, stripping any v-prefix
+      - name: Write release version
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Create SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'spdx-json'
+          output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+          scan-ref: '.'
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Create docker image SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
+          scan-type: 'image'
+          format: 'spdx-json'
+          output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
+      - name: Upload SBOM
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ inputs.upload_url }}
+          asset_path: "defguard-*.sbom.json"
+          asset_content_type: application/octet-stream
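Review bot: The `needs: [create-release, build-docker-release]` line only sequences `create-sbom` after the image build; nothing in the `with:` block tells the reusable workflow which image was built, so the called job in sbom.yml has to resolve `ghcr.io/defguard/gateway:${{ env.VERSION }}` by tag, which is mutable and can drift from what `build-docker-release` actually pushed. If `build-docker-release` exposes the pushed digest as a job output (that job is outside this hunk, so I cannot confirm), pass it through as a second input, e.g. `image_digest: ${{ needs.build-docker-release.outputs.<digest-output> }}`, and let the image scan reference `@sha256:` instead of the tag. Note also that `create-sbom` does not wait on `build-release`, so the filesystem SBOM describes the checked-out source tree rather than the published binaries; that may be intended, but a comment on the job saying so would help the next reader.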
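Review bot: The `create-sbom` job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the `Upload SBOM` step carries whatever the calling workflow grants, and the checkout and both Trivy steps run with that same token on a `self-hosted` runner. Adding `permissions:` with `contents: write` directly under `create-sbom:` (a called workflow can only narrow the caller's grant) makes the release-asset write the only capability the job holds. The third-party actions are referenced by tag (`aquasecurity/trivy-action@0.33.1`, `shogo82148/actions-upload-release-asset@v1`); for a job that writes release assets, pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: shogo82148/actions-upload-release-asset@<commit-sha>  # v1`, keeps a moved tag from changing what runs. Separately, as far as I can tell `severity:` on the two Trivy steps only filters vulnerability findings, and with `format: 'spdx-json'` the emitted SBOM lists packages regardless, so the key reads as if it narrows the SBOM when it does not — either drop it or add a comment stating why it is kept.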
diff --git a/Dockerfile b/Dockerfile
index 2c2d714c..d1d5bd69 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM rust:1-slim AS builder
+FROM public.ecr.aws/docker/library/rust:1-slim AS builder
 RUN apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev
 WORKDIR /app
 COPY . .
 RUN cargo build --release
-FROM debian:13-slim
+FROM public.ecr.aws/docker/library/debian:13-slim
 RUN apt-get update && apt-get -y --no-install-recommends install \
     iproute2 wireguard-tools sudo ca-certificates iptables ebtables nftables && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
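Review bot: Both new `FROM` lines still pull floating tags (`rust:1-slim`, `debian:13-slim`), so moving to the `public.ecr.aws/docker/library/` path changes where the base comes from but not which base it is; two builds of the same commit can resolve to different base layers, and the image SBOM the release workflow generates will not reliably describe a known base. If the mirror move is about pull reliability (inferred, the commit message is not visible here), pin each base by digest alongside the tag, e.g. `FROM public.ecr.aws/docker/library/debian:13-slim@sha256:<base-image-digest>` and likewise for the builder stage, and refresh the digests through whatever dependency-update tooling the repo already uses.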