diff --git a/.github/workflows/sbom-syft.yml b/.github/workflows/sbom-syft.yml
new file mode 100644
index 0000000..33f9284
--- /dev/null
+++ b/.github/workflows/sbom-syft.yml
@@ -0,0 +1,37 @@
+# SBOM workflow for Syft
+#
+# Triggers when syft version or config is updated.
+# Downloads SBOM from GitHub releases (per-architecture).
+#
+# https://github.com/anchore/syft
+
+name: "SBOM: syft"
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - 'apps/syft/config.yaml'
+ - '.github/workflows/sbom-syft.yml'
+
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: 'Run in dry-run mode (no upload)'
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ build:
+ uses: ./.github/workflows/sbom-builder.yml
+ with:
+ app: syft
+ dry_run: ${{ github.event.inputs.dry_run == 'true' }}
+ secrets: inherit
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
diff --git a/.github/workflows/sbom-trivy.yml b/.github/workflows/sbom-trivy.yml
new file mode 100644
index 0000000..f746946
--- /dev/null
+++ b/.github/workflows/sbom-trivy.yml
@@ -0,0 +1,37 @@
+# SBOM workflow for Trivy
+#
+# Triggers when trivy version or config is updated.
+# Downloads SBOM from GitHub releases.
+#
+# https://github.com/aquasecurity/trivy
+
+name: "SBOM: trivy"
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - 'apps/trivy/config.yaml'
+ - '.github/workflows/sbom-trivy.yml'
+
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: 'Run in dry-run mode (no upload)'
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ build:
+ uses: ./.github/workflows/sbom-builder.yml
+ with:
+ app: trivy
+ dry_run: ${{ github.event.inputs.dry_run == 'true' }}
+ secrets: inherit
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
diff --git a/README.md b/README.md
index e218352..d254530 100644
--- a/README.md
+++ b/README.md
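Review bot: The header comment of sbom-syft.yml says the SBOM is downloaded from GitHub releases (per-architecture), but apps/syft/config.yaml in this same commit declares `type: lockfile` with `lockfile: "go.mod"`, and the README row lists Syft as "Lockfile", so the comment appears copied from a release-asset workflow and will mislead the next person editing the trigger. Replace the fourth header line with `# Generates the SBOM from the go.mod of the tagged release (see apps/syft/config.yaml).`; the sbom-trivy.yml header does match its config. In both sbom-syft.yml and sbom-trivy.yml, `secrets: inherit` hands every repository and organisation secret to sbom-builder.yml, including on dry runs that never upload; if the builder needs only the sbomify token, passing that one secret explicitly under `secrets:` keeps the grant to the minimum the job uses. Which secrets the builder actually reads is not visible in this diff, so confirm against sbom-builder.yml before narrowing.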
@@ -25,6 +25,8 @@ Each app has its own folder with version tracking. When you bump the `version` i | [Keycloak](https://github.com/keycloak/keycloak) | Backend | Lockfile (pom.xml) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) | | [Keycloak](https://github.com/keycloak/keycloak) | JS | Lockfile (pnpm) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) | | [OSV Scanner](https://github.com/google/osv-scanner) | OSV Scanner | Lockfile | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/osv-scanner/) | +| [Syft](https://github.com/anchore/syft) | Syft | Lockfile | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/syft/) | +| [Trivy](https://github.com/aquasecurity/trivy) | Trivy | GitHub Release | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/trivy/) | ## Directory Structure diff --git a/apps/syft/config.yaml b/apps/syft/config.yaml new file mode 100644 index 0000000..21acea4 
--- /dev/null
+++ b/apps/syft/config.yaml
@@ -0,0 +1,25 @@
+# Syft SBOM Configuration
+#
+# Syft is a CLI tool and library for generating a Software Bill of Materials
+# from container images and filesystems.
+#
+# SBOM source: Lockfile (go.mod from GitHub release)
+# https://github.com/anchore/syft
+
+name: syft
+version: "1.39.0"
+
+# cdxgen generates CycloneDX SBOMs from the Go lockfile
+format: cyclonedx
+
+source:
+ type: lockfile
+ repo: "anchore/syft"
+ lockfile: "go.mod"
+ tag_prefix: "v"
+
+sbomify:
+ component_id: "AGWWwQ5T2dP1"
+ component_name: "Syft"
+ product_id: "JaBHDMM1gmuZ"
+
diff --git a/apps/trivy/config.yaml b/apps/trivy/config.yaml
new file mode 100644
index 0000000..691af27
--- /dev/null
+++ b/apps/trivy/config.yaml
@@ -0,0 +1,24 @@
+# Trivy SBOM Configuration
+#
+# Trivy is a comprehensive security scanner that finds vulnerabilities,
+# misconfigurations, secrets, and SBOMs.
+#
+# SBOM source: GitHub releases
+# https://github.com/aquasecurity/trivy
+
+name: trivy
+version: "0.68.2"
+
+format: cyclonedx
+
+source:
+ type: github_release
+ repo: "aquasecurity/trivy"
+ asset: "bom.json"
+ tag_prefix: "v"
+
+sbomify:
+ component_id: "D1h5y3TC4GqX"
+ component_name: "Trivy"
+ product_id: "X7qe2Jyf9r29"
+
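Review bot: The comments in apps/syft/config.yaml call go.mod "the Go lockfile", but go.mod only pins module versions; the module checksums live in go.sum, so an SBOM generated from go.mod alone will list components without hashes. Whether sbom-builder.yml also fetches go.sum is not visible in this diff, so the config should state the limitation either way; add above `lockfile: "go.mod"` the comment `# go.mod pins versions only; hashes are in go.sum (confirm the builder fetches it, else components carry no hashes)`. The same `lockfile` wording appears in the header comment on line 6 and should be adjusted to match.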