diff --git a/docker-multiarch-build-push/action.yml b/docker-multiarch-build-push/action.yml
index c6ca2af..b163d01 100644
--- a/docker-multiarch-build-push/action.yml
+++ b/docker-multiarch-build-push/action.yml
@@ -35,6 +35,11 @@ inputs:
 description: If true cosign is used to sign the image
 required: false
 default: 'false'
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+ contents: write
+
 runs:
 using: composite
 steps:
@@ -105,6 +110,14 @@ runs:
 with:
 sarif_file: 'trivy-results.sarif'

+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.split.outputs.TAG }}
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+
 # Sign the resulting Docker image digest except on PRs.
 # This will only write to the public Rekor transparency log when the Docker
 # repository is public to avoid leaking data. If you would like to publish
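Review bot: The new SBOM step uses `aquasecurity/trivy-action@master`, a mutable branch ref, so every run executes whatever that branch currently points at inside a job that holds a write-capable token; pin it to a full commit SHA with the release noted alongside, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # vX.Y.Z`, and check whether the earlier Trivy step (outside this hunk) is pinned the same way. Second, this file is a composite action (`using: composite`) and, as far as I recall, the `secrets` context is not available inside action.yml, so `github-pat: ${{ secrets.GITHUB_TOKEN }}` will not resolve at runtime; use `github-pat: ${{ github.token }}` or declare an explicit token input that the calling workflow passes in. Likewise `permissions:` is not an action-metadata key, so the added `contents: write` block is ignored here — the grant the dependency submission needs must be set in the calling workflow, and the comment should say `## Dependency-graph submission needs contents: write on the token; set permissions in the calling workflow` rather than imply the action grants it. The step that produces `steps.split.outputs.TAG` lies outside this hunk.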