diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5d39eff..c8e3a29 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -63,6 +63,16 @@ jobs:
 - name: Scan build artifacts for secrets
 run: gitleaks detect --config .gitleaks.toml --source ./build --no-git --verbose --redact
+ - name: Generate SBOM
+ run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json --output-format json
+
+ - name: Upload SBOM as release artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.json
+ if-no-files-found: error
+
 - name: Version and Publish
 uses: changesets/action@v1
 with:
diff --git a/.gitignore b/.gitignore
index e7356d0..99291ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,9 @@ coverage/
 .automaker/authority/
 .automaker/settings.json
+# SBOM (generated artifact)
+sbom.json
+
 # Reports (generated artifacts)
 protoLabs.report.html
 *.report.html
diff --git a/README.md b/README.md
index b59f0fa..6feb3c9 100644
--- a/README.md
+++ b/README.md
@@ -676,6 +676,12 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) and [`LOCAL.md`](./LOCAL.md) for full
 ---
+## Compliance
+
+HELiXiR generates a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) as part of every release. The `sbom.json` artifact is attached to each GitHub Release and lists all runtime and development dependencies with their versions, licenses, and package identifiers — suitable for enterprise security audits and supply-chain compliance reviews.
+
+---
+
 ## Contributing
 See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.
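Review bot: The `npx @cyclonedx/cyclonedx-npm` invocation in the Generate SBOM step is unpinned, so every publish run resolves and executes whatever version of that package the registry serves at that moment, inside the same job that goes on to publish — exactly the kind of unreviewed, lockfile-bypassing dependency an SBOM is meant to surface. Pin it, e.g. `run: npx @cyclonedx/cyclonedx-npm@<pinned-version> --output-file sbom.json --output-format json` (placeholder version), or add the tool as a devDependency so the lockfile governs what runs. Separately, `actions/upload-artifact@v4` produces a workflow-run artifact subject to the repository's artifact retention period, not a GitHub Release asset, so the step name "Upload SBOM as release artifact" and the README hunk's "attached to each GitHub Release" overstate what this hunk does; attaching it to the release would need a release-upload step after Version and Publish. Since the SBOM is generated before the changesets step, its top-level component version presumably reflects package.json before any version bump — confirm that ordering is intended. The rest of the job and the changesets `with:` block lie outside the hunk.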