diff --git a/.github/workflows/build_container.yaml b/.github/workflows/build_container.yaml
index 9787cd8..2543c81 100644
--- a/.github/workflows/build_container.yaml
+++ b/.github/workflows/build_container.yaml
@@ -88,6 +88,7 @@ jobs:
 # Provenance SBOM and attestation
 - name: Generate SBOM
 uses: anchore/sbom-action@v0
+ id: syft
 with:
 image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
 registry-username: ${{ secrets.QUAY_USER }}
@@ -96,7 +97,7 @@ jobs:

 - name: Attach SBOM to image
 run: |
- cosign attach sbom --sbom pet-battle-api.sbom \
+ cosign attach sbom --sbom ${{ steps.syft.output-file }} \
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
 env:
 COSIGN_PASSWORD: ""
diff --git a/README.md b/README.md
index 3f035d5..bbd1726 100644
--- a/README.md
+++ b/README.md
@@ -281,3 +281,17 @@ To verify an image:
 curl --progress-bar -o cosign.pub https://raw.githubusercontent.com/petbattle/pet-battle-api/master/cosign.pub
 cosign verify --key cosign.pub quay.io/petbattle/pet-battle-api:latest
 ```
+
+ SBOM generated using [syft](https://github.com/anchore/syft).
+
+ Verify signed SBOM:
+
+ ```bash
+ cosign verify --key cosign.pub --attachment sbom quay.io/petbattle/pet-battle-api:latest
+ ```
+
+ Verify SBOM attestation:
+
+ ```bash
+ cosign verify-attestation --key cosign.pub quay.io/petbattle/pet-battle-api:latest
+ ```
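Review bot: `${{ steps.syft.output-file }}` in the "Attach SBOM to image" run step is not a valid step-context reference; GitHub Actions exposes step results as `steps.<id>.outputs.<name>`, so this expression will most likely evaluate to an empty string and `cosign attach sbom --sbom` is left without a file path (the name looks conflated with the sbom-action's `output-file` input), meaning the step either fails or attaches nothing. The fix is to reference the action's SBOM-path output, e.g. `cosign attach sbom --sbom ${{ steps.syft.outputs.sbom }} \`, after confirming the output name against the version of anchore/sbom-action actually in use. Since the attach step now depends on that action's output contract and on the SBOM content it emits, pinning `uses: anchore/sbom-action@v0` to a full commit SHA instead of a floating major tag would keep both from changing underneath the signed artifact; that `uses:` line is context here rather than part of this change.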