diff --git a/.github/workflows/native-image-configure-with-tracing-agent.yml b/.github/workflows/native-image-configure-with-tracing-agent.yml
index 8ff6b1c4b..b49f558e2 100644
--- a/.github/workflows/native-image-configure-with-tracing-agent.yml
+++ b/.github/workflows/native-image-configure-with-tracing-agent.yml
@@ -15,7 +15,7 @@ permissions:
contents: read
jobs:
run:
- name: Run 'native-image/configure-with-tracing-agent
+ name: Run 'native-image/configure-with-tracing-agent'
runs-on: ubuntu-latest
timeout-minutes: 15
strategy:
diff --git a/.github/workflows/native-image-embed-sbom.yml b/.github/workflows/native-image-embed-sbom.yml
new file mode 100644
index 000000000..e04b14658
--- /dev/null
+++ b/.github/workflows/native-image-embed-sbom.yml
@@ -0,0 +1,32 @@
+name: native-image/embed-sbom
+on:
+ push:
+ paths:
+ - 'native-image/embed-sbom/**'
+ - '.github/workflows/native-image-embed-sbom.yml'
+ pull_request:
+ paths:
+ - 'native-image/embed-sbom/**'
+ - '.github/workflows/native-image-embed-sbom.yml'
+ schedule:
+ - cron: "0 0 1 * *" # run every month
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ run:
+ name: Run 'native-image/embed-sbom'
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@v4
+ - uses: graalvm/setup-graalvm@v1
+ with:
+ java-version: '24-ea'
+ distribution: 'graalvm'
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ native-image-job-reports: 'true'
+ - name: Run 'native-image/embed-sbom'
+ run: |
+ cd native-image/embed-sbom
+ ./run.sh
\ No newline at end of file
diff --git a/native-image/embed-sbom/README.md b/native-image/embed-sbom/README.md
new file mode 100644
index 000000000..21bef16af
--- /dev/null
+++ b/native-image/embed-sbom/README.md
@@ -0,0 +1,3 @@
+# Embed an SBOM in a Native Executable to Identify Its Dependencies
+
+You can find the steps to run this demo on [the website](https://www.graalvm.org/latest/reference-manual/native-image/guides/use-sbom-support/).
\ No newline at end of file
diff --git a/native-image/embed-sbom/index.html b/native-image/embed-sbom/index.html
new file mode 100644
index 000000000..d65fc5df0
--- /dev/null
+++ b/native-image/embed-sbom/index.html
@@ -0,0 +1,9 @@
+
+
+
+ jwebserver
+
+
+ Hello, GraalVM user!
+
+
\ No newline at end of file
diff --git a/native-image/embed-sbom/jwebserver b/native-image/embed-sbom/jwebserver
new file mode 100755
index 000000000..7f4e8aa04
Binary files /dev/null and b/native-image/embed-sbom/jwebserver differ
diff --git a/native-image/embed-sbom/run.sh b/native-image/embed-sbom/run.sh
new file mode 100755
index 000000000..0e018f859
--- /dev/null
+++ b/native-image/embed-sbom/run.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -ex
+
+native-image -Ob --enable-sbom=cyclonedx -m jdk.httpserver -o jwebserver
+
+# Requires GraalVM for JDK 24 Early Access build 24.ea.23-graal or later:
+# sdk install java 24.ea.23-graal
+cd sbom-test
+mvn clean package
+mvn -Pnative package
\ No newline at end of file
diff --git a/native-image/embed-sbom/sbom-test/README.md b/native-image/embed-sbom/sbom-test/README.md
new file mode 100644
index 000000000..079823dc2
--- /dev/null
+++ b/native-image/embed-sbom/sbom-test/README.md
@@ -0,0 +1,6 @@
+# Including Class-Level Metadata in the SBOM
+
+This demo tests including class-level metadata to the SBOM components at build time.
+Find more information on [the website](https://www.graalvm.org/jdk24/security-guide/native-image/sbom/#including-class-level-metadata-in-the-sbom).
+
+> Available with GraalVM for JDK 24 and later.
\ No newline at end of file
diff --git a/native-image/embed-sbom/sbom-test/pom.xml b/native-image/embed-sbom/sbom-test/pom.xml
new file mode 100644
index 000000000..42f9d25d5
--- /dev/null
+++ b/native-image/embed-sbom/sbom-test/pom.xml
@@ -0,0 +1,80 @@
+
+ 4.0.0
+ com.sbom
+ sbom-test
+ 1.0-SNAPSHOT
+
+
+ UTF-8
+ 21
+ 21
+ 0.10.3
+
+
+
+
+
+ commons-validator
+ commons-validator
+ 1.7
+
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-jar-plugin
+ 3.4.2
+
+
+
+ com.sbom.SBOMTestApplication
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ 3.10.1
+
+
+
+
+
+
+
+ native
+
+
+
+ org.graalvm.buildtools
+ native-maven-plugin
+ ${native.maven.plugin.version}
+ true
+
+
+ build-native
+
+ compile-no-fork
+
+ package
+
+
+
+
+ --enable-sbom=class-level
+ -Ob
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/native-image/embed-sbom/sbom-test/src/main/java/com/sbom/SBOMTestApplication.java b/native-image/embed-sbom/sbom-test/src/main/java/com/sbom/SBOMTestApplication.java
new file mode 100644
index 000000000..8d2deb623
--- /dev/null
+++ b/native-image/embed-sbom/sbom-test/src/main/java/com/sbom/SBOMTestApplication.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * The Universal Permissive License (UPL), Version 1.0
+ *
+ * Subject to the condition set forth below, permission is hereby granted to any
+ * person obtaining a copy of this software, associated documentation and/or
+ * data (collectively the "Software"), free of charge and under any and all
+ * copyright rights in the Software, and any and all patent rights owned or
+ * freely licensable by each licensor hereunder covering either (i) the
+ * unmodified Software as contributed to or provided by such licensor, or (ii)
+ * the Larger Works (as defined below), to deal in both
+ *
+ * (a) the Software, and
+ *
+ * (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ * one is included with the Software each a "Larger Work" to which the Software
+ * is contributed by such licensors),
+ *
+ * without restriction, including without limitation the rights to copy, create
+ * derivative works of, display, perform, and distribute the Software and make,
+ * use, sell, offer for sale, import, export, have made, and have sold the
+ * Software and the Larger Work(s), and to sublicense the foregoing rights on
+ * either these or other terms.
+ *
+ * This license is subject to the following condition:
+ *
+ * The above copyright notice and either this complete permission notice or at a
+ * minimum a reference to the UPL must be included in all copies or substantial
+ * portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package com.sbom;
+
+import org.apache.commons.validator.routines.RegexValidator;
+
+public class SBOMTestApplication {
+ private static final boolean IS_EMPTY_OR_BLANK = new RegexValidator("^[\\s]*$").isValid(" ");
+
+ public static void main(String[] argv) {
+ System.out.println(String.valueOf(IS_EMPTY_OR_BLANK));
+ ClassInSameFile someClass = new ClassInSameFile("hello ", "world");
+ someClass.doSomething();
+ }
+}
+
+class ClassInSameFile {
+ private final String value1;
+ private final String value2;
+
+ ClassInSameFile(String value1, String value2) {
+ this.value1 = value1;
+ this.value2 = value2;
+ }
+
+ void doSomething() {
+ System.out.println(value1 + value2);
+ }
+
+ // This method is unreachable and will therefore not be included in the SBOM
+ String unreachable() {
+ return value1 + value2;
+ }
+}
\ No newline at end of file