diff --git a/internal/core/constants.go b/internal/core/constants.go
index 1d9e2fce..b4794bdd 100644
--- a/internal/core/constants.go
+++ b/internal/core/constants.go
@@ -30,6 +30,7 @@ const (
 CodeqlAnalyzeAction = "github/codeql-action/analyze@v3"
 CodeqlAutobuildAction = "github/codeql-action/autobuild@v3"
+ DownloadSyftAction = "anchore/sbom-action/download-syft@v0.20.5"
 GolangciLintAction = "golangci/golangci-lint-action@v8"
 GoreleaserAction = "goreleaser/goreleaser-action@v6"
 MisspellAction = "reviewdog/action-misspell@v1"
diff --git a/internal/ghworkflow/workflow_release.go b/internal/ghworkflow/workflow_release.go
index b2dc8e57..5391b511 100644
--- a/internal/ghworkflow/workflow_release.go
+++ b/internal/ghworkflow/workflow_release.go
@@ -26,6 +26,10 @@ func releaseWorkflow(cfg core.Configuration) {
 j.Steps[0].With = map[string]any{
 "fetch-depth": 0,
 }
+ j.addStep(jobStep{
+ Name: "Install syft",
+ Uses: core.DownloadSyftAction,
+ })
 j.addStep(jobStep{
 Name: "Generate release info",
 Run: makeMultilineYAMLString([]string{
diff --git a/internal/goreleaser/goreleaser.yaml.tmpl b/internal/goreleaser/goreleaser.yaml.tmpl
index 84188773..75b130f3 100644
--- a/internal/goreleaser/goreleaser.yaml.tmpl
+++ b/internal/goreleaser/goreleaser.yaml.tmpl
@@ -16,9 +16,6 @@ archives:
 - {{ . }}
 {{- end }}
-checksum:
- name_template: "checksums.txt"
-
 builds:
 - binary: '{{ .binaryName }}'
 env:
@@ -46,9 +43,8 @@ builds:
 # Set the modified timestamp on the output binary to ensure that builds are reproducible.
 mod_timestamp: "{{`{{ .CommitTimestamp }}`}}"
-release:
- make_latest: true
- prerelease: auto
+checksum:
+ name_template: "checksums.txt"
 {{- if .githubDomain }}
 github_urls:
@@ -57,5 +53,13 @@ github_urls:
 download: https://{{ .githubDomain.Host }}/
 {{- end }}
+release:
+ make_latest: true
+ prerelease: auto
+
+sboms:
+ - id: archive
+ artifacts: archive
+
 snapshot:
 version_template: "{{`{{ .Tag }}`}}-next"
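Review bot: `DownloadSyftAction` in internal/core/constants.go references the action by the tag `v0.20.5`, and a tag can be moved by whoever controls the upstream repository. The new "Install syft" step in internal/ghworkflow/workflow_release.go runs that action inside the release workflow, where it downloads and installs a binary. A full commit SHA with the tag kept as a trailing comment is the more robust reference there, for example `DownloadSyftAction = "anchore/sbom-action/download-syft@<full-commit-sha>" // v0.20.5`. The neighbouring constants are tag references too, so if that is a deliberate convention, a comment on the const block naming what keeps the tags current would help. The const block and releaseWorkflow both start and end outside their hunks.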
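Review bot: The new `sboms:` block in internal/goreleaser/goreleaser.yaml.tmpl has no comment saying that it needs syft on PATH, whereas the nix-shell.go change in this commit does explain why syft is installed. Someone running goreleaser from the rendered config outside the nix shell or the release workflow would presumably fail at the SBOM stage with no hint in the file. A line such as `# SBOM generation calls syft; the release workflow and the nix shell install it.` above `sboms:` would close that gap. Moving `checksum:` and `release:` in the same commit is unrelated reordering and makes the functional change harder to spot.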
diff --git a/internal/nix/nix-shell.go b/internal/nix/nix-shell.go
index 12be26d9..c40b072a 100644
--- a/internal/nix/nix-shell.go
+++ b/internal/nix/nix-shell.go
@@ -36,7 +36,8 @@ func RenderShell(cfg core.Configuration, sr golang.ScanResult, renderGoreleaserC
 packages = append(packages, "golangci-lint")
 }
 if renderGoreleaserConfig {
- packages = append(packages, "goreleaser")
+ // syft is used by goreleaser to generate an SBOM
+ packages = append(packages, "goreleaser", "syft")
 }
 runControllerGen := cfg.ControllerGen.Enabled.UnwrapOr(sr.KubernetesController)
 if runControllerGen {
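Review bot: The added comment explains why syft is in the shell but not that CI obtains it from a different source. The release workflow installs it through `core.DownloadSyftAction`, while this list names only the package `syft`, so the version presumably comes from whatever package set the shell is built against. SBOMs generated locally and in the release job may therefore come from different syft versions. Extending the comment would record that, e.g. `// syft is used by goreleaser to generate an SBOM; CI installs it via core.DownloadSyftAction, so versions may differ`. RenderShell begins and ends outside the hunk.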