diff --git a/.chainloop.yml b/.chainloop.yml
index 1e1b8f73b..2f19a0902 100644
--- a/.chainloop.yml
+++ b/.chainloop.yml
@@ -2,3 +2,5 @@ attestation:
   - name: binary
     path: artifacts/spring-petclinic-*.jar
+  - name: sbom
+    path: metadata/sbom.cyclonedx.json
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index 9fcb0edd8..bde9e1091 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -34,12 +34,36 @@ jobs:
           name: artifacts
           path: target/*.jar
 
+  collect-metadata:
+    runs-on: ubuntu-latest
+    name: "Security and Compliance Checks"
+    needs: build
+    steps:
+      - name: Download all workflow run artifacts
+        uses: actions/download-artifact@v3
+
+      - name: Generate metadata
+        run: |
+          mkdir -p metadata
+
+      - uses: anchore/sbom-action@v0
+        with:
+          file: artifacts/*.jar
+          format: cyclonedx-json
+          output-file: ./metadata/sbom.cyclonedx.json
+          upload-artifact: false
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: metadata
+          path: metadata/*
+
   # Chainloop integration
   # will run only if the build job is successful
   chainloop:
     name: Chainloop
     uses: chainloop-dev/labs/.github/workflows/chainloop.yml@a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb
-    needs: build
+    needs: collect-metadata
     # with:
     #   contract_revision: 3
     secrets:
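Review bot: The new `sbom` material path `metadata/sbom.cyclonedx.json` only resolves if the reusable Chainloop workflow downloads the `metadata` artifact into a directory of that name next to `artifacts/`; nothing in this file records that dependency. A one-line comment above the entry would make the coupling explicit, e.g. `# written by the collect-metadata job (anchore/sbom-action output-file) and downloaded as the "metadata" artifact`. If the download location differs, the attestation will silently lack the SBOM material rather than fail the build, so it is worth checking how the Chainloop workflow stages artifacts before relying on this path.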
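Review bot: The SBOM that this job feeds into the attestation is produced by `anchore/sbom-action@v0`, a floating major tag, while the Chainloop reusable workflow on the `uses:` line below is pinned to a full commit SHA; for a step whose output becomes signed supply-chain evidence, the generator should be pinned the same way, e.g. `uses: anchore/sbom-action@<commit-sha>  # v0.x`, and the same applies to `actions/download-artifact@v3` and `actions/upload-artifact@v3`. The `file: artifacts/*.jar` input passes a glob to an action whose `file` input names a single path; unless the action is known to expand globs, the build currently relies on exactly one jar being present, so either resolve the path in the preceding `run` step or document the single-artifact assumption next to it. The `chainloop` job continues past the end of the hunk (its `secrets:` block is cut), so whether the `metadata` artifact is actually downloaded there cannot be verified from this diff.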