diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index e12f4b97a..1d06124ae 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -79,6 +79,18 @@ jobs:
 exit-code: '1'
 severity: 'CRITICAL,HIGH'
 
+ - name: Generate SBOM
+ run: |
+ mkdir -p sbom
+ for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
+ trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}"
+ done
+ - name: Upload SBOM artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom/
+
 - name: Push Images to Registry
 if: ${{ secrets.DOCKER_REGISTRY != '' }}
 run: |
@@ -90,6 +102,22 @@ jobs:
 docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
 done
 
+ - name: Install cosign
+ if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
+ uses: sigstore/cosign-installer@v3
+ with:
+ cosign-release: 'v2.2.0'
+ - name: Sign images with cosign
+ if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
+ for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
+ cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
+ cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
+ done
+
 - name: Deploy to Kubernetes
 if: ${{ secrets.KUBE_CONFIG != '' }}
 run: |
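Review bot: The SBOMs produced in the `Generate SBOM` step are only uploaded as a workflow artifact and are never bound to the images they describe, so a consumer of `${svc}:${{ github.sha }}` cannot verify which SBOM belongs to which image. Since the second hunk already signs the pushed images with cosign, attaching each SBOM there with `cosign attest --type cyclonedx --predicate "sbom/${svc}-${{ github.sha }}.json" --key <key> <image>` would make it verifiable alongside the signature. Separately, `actions/upload-artifact@v4` (and `sigstore/cosign-installer@v3` in the other hunk) are pinned to mutable tags; pinning to a full commit SHA, e.g. `uses: actions/upload-artifact@<commit-sha>  # v4`, is the usual supply-chain convention for a release workflow. The hard-coded service list now appears in three separate loops in this file; a single job-level `env` value or matrix would keep them from drifting apart.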
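Review bot: The `Sign images with cosign` step writes the private key to `cosign.key` in the workspace via `echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key` and never removes it, so the key stays on the runner's disk for the rest of the job and would be swept up by any later artifact upload or checkout; the secret is also expanded into the shell script text rather than passed as an environment variable. cosign can read the key from the environment directly with `--key env://COSIGN_PRIVATE_KEY`, which avoids the file entirely. The signatures are also applied to the tags `:${{ github.sha }}` and `:latest` rather than to a digest; signing by tag is a time-of-check/time-of-use risk that cosign v2 warns about (and `--yes` suppresses the prompt), and since both tags refer to the same image one signature on the digest covers both. The rewritten step below resolves the digest after the push; how `RepoDigests` is populated depends on the local Docker daemon and registry setup, so confirm it on this runner before relying on it.
```yaml
      - name: Sign images with cosign
        if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
            # Resolve the pushed image to its immutable digest so the signature cannot be re-pointed by retagging.
            digest="$(docker inspect --format '{{index .RepoDigests 0}}' "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}")"
            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${digest}"
          done
```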