diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 593fe061..f041854f 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -48,4 +48,7 @@ jobs:
             exit 1
         fi
         ./scripts/unittests.sh
+    - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      with:
+        inputs: requirements.txt
 
diff --git a/Taskfile.yml b/Taskfile.yml
index be72a759..0878af39 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -11,7 +11,6 @@ tasks:
 
   audit:
     desc: Audit the code
-    deps: [about]
     cmds:
       - ./scripts/builder.sh pip-audit -r requirements.txt
 
@@ -57,7 +56,7 @@ tasks:
 
   docs:
     desc: Create sphinx documentation
-    deps: [about]
+    deps: [about, sbom]
     cmds:
       - ./scripts/builder.sh /bin/bash -c "cd docs && make clean && make html"
 
@@ -91,6 +90,11 @@ tasks:
     cmds:
       - ./scripts/builder.sh python3 -m twine upload --repository pypi dist/*
 
+  sbom:
+    desc: Audit the code
+    cmds:
+      - ./scripts/builder.sh ./scripts/sbom.sh
+
   unittests:
     desc: Run unittests
     deps: [about]
diff --git a/docs/index.rst b/docs/index.rst
index f26108ef..e904cd77 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -29,6 +29,7 @@
    errors
    logger
    proof_mechanism
+   sbom
 
 Indices and tables
 ==================
diff --git a/docs/sbom.rst b/docs/sbom.rst
new file mode 100644
index 00000000..6b721d9e
--- /dev/null
+++ b/docs/sbom.rst
@@ -0,0 +1,10 @@
+.. _sbomxmlref:
+
+SBOM CDX for PySDK
+...........................
+
+.. literalinclude:: sbom.xml
+   :language: xml
+
+
+
diff --git a/docs/sbom.xml b/docs/sbom.xml
new file mode 100644
index 00000000..bbd285ae
--- /dev/null
+++ b/docs/sbom.xml
@@ -0,0 +1,137 @@
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:25074d56-d86b-4c68-bb27-536a60903e86" version="1">
+  <metadata>
+    <timestamp>2022-08-16T12:45:07.303664+00:00</timestamp>
+    <tools>
+      <tool>
+        <vendor>CycloneDX</vendor>
+        <name>cyclonedx-python-lib</name>
+        <version>2.7.1</version>
+        <externalReferences>
+          <reference type="build-system">
+            <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
+          </reference>
+          <reference type="distribution">
+            <url>https://pypi.org/project/cyclonedx-python-lib/</url>
+          </reference>
+          <reference type="documentation">
+            <url>https://cyclonedx.github.io/cyclonedx-python-lib/</url>
+          </reference>
+          <reference type="issue-tracker">
+            <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
+          </reference>
+          <reference type="license">
+            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
+          </reference>
+          <reference type="release-notes">
+            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
+          </reference>
+          <reference type="vcs">
+            <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
+          </reference>
+          <reference type="website">
+            <url>https://cyclonedx.org</url>
+          </reference>
+        </externalReferences>
+      </tool>
+    </tools>
+  </metadata>
+  <components>
+    <component bom-ref="f3311e58-7a8c-4205-a003-783393988be3" type="library">
+      <name>backoff</name>
+      <version>1.11.1</version>
+    </component>
+    <component bom-ref="fe3a9db9-1e53-40d5-8ab8-3b9f40dfea1d" type="library">
+      <name>certifi</name>
+      <version>2022.6.15</version>
+    </component>
+    <component bom-ref="44ebc681-157d-47c2-a0a8-7117cb897d43" type="library">
+      <name>charset-normalizer</name>
+      <version>2.1.0</version>
+    </component>
+    <component bom-ref="1d5fa50c-305c-4ebd-a1c4-d9b151ca7376" type="library">
+      <name>flatten-dict</name>
+      <version>0.4.2</version>
+    </component>
+    <component bom-ref="9eaf3f41-66a4-462f-924c-a9db060f9fc5" type="library">
+      <name>idna</name>
+      <version>3.3</version>
+    </component>
+    <component bom-ref="e3774d48-e0f9-4b26-b5d8-d24e56edfd51" type="library">
+      <name>importlib-metadata</name>
+      <version>4.12.0</version>
+    </component>
+    <component bom-ref="d6f98551-84f9-4ee2-9d38-4b1abdd3dc71" type="library">
+      <name>iso8601</name>
+      <version>1.0.2</version>
+    </component>
+    <component bom-ref="eeea1962-fd0e-4f67-bd23-72218e473a50" type="library">
+      <name>jinja2</name>
+      <version>3.1.2</version>
+    </component>
+    <component bom-ref="98765196-4bfc-47ee-94aa-45363a2abf32" type="library">
+      <name>markupsafe</name>
+      <version>2.1.1</version>
+    </component>
+    <component bom-ref="3ecb30e3-7051-4a8e-bb33-284c4cfe8b02" type="library">
+      <name>pyaml-env</name>
+      <version>1.1.5</version>
+    </component>
+    <component bom-ref="7a42e74c-8b96-4072-8b08-076dfa803548" type="library">
+      <name>pyyaml</name>
+      <version>5.4.1</version>
+    </component>
+    <component bom-ref="30b9b102-bb3d-4427-bb00-de769ebcdc01" type="library">
+      <name>requests</name>
+      <version>2.28.1</version>
+    </component>
+    <component bom-ref="09404448-8e46-4211-9f4e-db2fc71dc6fb" type="library">
+      <name>requests-toolbelt</name>
+      <version>0.9.1</version>
+    </component>
+    <component bom-ref="3f8f53b3-c631-49c7-a507-c9598822a952" type="library">
+      <name>rfc3339</name>
+      <version>6.2</version>
+    </component>
+    <component bom-ref="d8208e44-9754-4451-9384-c53bf1e4c459" type="library">
+      <name>six</name>
+      <version>1.16.0</version>
+    </component>
+    <component bom-ref="87ebeb12-0937-4a08-aae8-432e63147fd9" type="library">
+      <name>typing-extensions</name>
+      <version>4.3.0</version>
+    </component>
+    <component bom-ref="8786d04a-af4d-4f0a-80ba-5627cd38d14f" type="library">
+      <name>urllib3</name>
+      <version>1.26.11</version>
+    </component>
+    <component bom-ref="eaf445b4-d005-41b2-8638-a43916436dfd" type="library">
+      <name>xmltodict</name>
+      <version>0.13.0</version>
+    </component>
+    <component bom-ref="37abdfb9-fea7-46c0-ba41-7361005ca3f6" type="library">
+      <name>zipp</name>
+      <version>3.8.1</version>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="f3311e58-7a8c-4205-a003-783393988be3"/>
+    <dependency ref="fe3a9db9-1e53-40d5-8ab8-3b9f40dfea1d"/>
+    <dependency ref="44ebc681-157d-47c2-a0a8-7117cb897d43"/>
+    <dependency ref="1d5fa50c-305c-4ebd-a1c4-d9b151ca7376"/>
+    <dependency ref="9eaf3f41-66a4-462f-924c-a9db060f9fc5"/>
+    <dependency ref="e3774d48-e0f9-4b26-b5d8-d24e56edfd51"/>
+    <dependency ref="d6f98551-84f9-4ee2-9d38-4b1abdd3dc71"/>
+    <dependency ref="eeea1962-fd0e-4f67-bd23-72218e473a50"/>
+    <dependency ref="98765196-4bfc-47ee-94aa-45363a2abf32"/>
+    <dependency ref="3ecb30e3-7051-4a8e-bb33-284c4cfe8b02"/>
+    <dependency ref="7a42e74c-8b96-4072-8b08-076dfa803548"/>
+    <dependency ref="30b9b102-bb3d-4427-bb00-de769ebcdc01"/>
+    <dependency ref="09404448-8e46-4211-9f4e-db2fc71dc6fb"/>
+    <dependency ref="3f8f53b3-c631-49c7-a507-c9598822a952"/>
+    <dependency ref="d8208e44-9754-4451-9384-c53bf1e4c459"/>
+    <dependency ref="87ebeb12-0937-4a08-aae8-432e63147fd9"/>
+    <dependency ref="8786d04a-af4d-4f0a-80ba-5627cd38d14f"/>
+    <dependency ref="eaf445b4-d005-41b2-8638-a43916436dfd"/>
+    <dependency ref="37abdfb9-fea7-46c0-ba41-7361005ca3f6"/>
+  </dependencies>
+</bom>
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 8292bba1..35fab324 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -19,6 +19,7 @@ twine~=4.0
 sphinx~=5.1
 sphinx-rtd-theme~=1.0
 sphinxcontrib-spelling~=7.6
+xq~=0.0
 
 # analyze dependencies
 pipdeptree~=2.2
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
new file mode 100755
index 00000000..61968339
--- /dev/null
+++ b/scripts/sbom.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# generate sbom
+#
+if [ "$USER" != "builder" -a "$USER" != "vscode" ]
+then
+    echo "Cannot run sbom.sh outside container"
+    exit 0
+fi
+
+pip-audit -r requirements.txt -f cyclonedx-xml -o /tmp/sbom.xml
+cat /tmp/sbom.xml | xq > docs/sbom.xml
+rm /tmp/sbom.xml