diff --git a/.circleci/config.yml b/.circleci/config.yml
index b65dfbd72..282b5c46f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -39,6 +39,9 @@ jobs:
 - run: opam exec -- dune build COMMIT
 - store_artifacts:
 path: ./_build/default/COMMIT
+ - run: opam exec -- dune build vpnkit.spdx.json
+ - store_artifacts:
+ path: ./_build/default/vpnkit.spdx.json
 - run: opam exec -- dune build licenses.json
 - store_artifacts:
 path: ./_build/default/licenses.json
diff --git a/dune b/dune
index 97e3f6362..f1ab0b4ac 100644
--- a/dune
+++ b/dune
@@ -26,6 +26,12 @@
 (deps vpnkit.exe (:gen ./scripts/mac_package.exe))
 (action (run %{gen} -out %{target} -in %{deps})))
+(rule
+ (alias sbom)
+ (target vpnkit.spdx.json)
+ (deps (:gen ./scripts/sbom.sh))
+ (action (run %{gen} %{target})))
+
 (rule
 (alias e2e)
 (deps src/hostnet_test/main.exe
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
new file mode 100755
index 000000000..6717b23b9
--- /dev/null
+++ b/scripts/sbom.sh
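Review bot: The new `dune build vpnkit.spdx.json` step only succeeds if this job's executor can run `docker run` with bind mounts from the workspace, because the script behind that target mounts `./sbom_temp` and `./vpnkit.spdx.json` into the scanner container; the executor declaration for the job is outside the hunk, so I cannot tell whether that holds. On a `docker` executor using `setup_remote_docker`, bind mounts from the job container are, as far as I know, not visible to the remote daemon, and the scanner would index an empty tree and still exit 0, leaving a near-empty SBOM as the stored artifact. A comment on the step would make the requirement explicit: `# needs a local Docker daemon with bind mounts: scripts/sbom.sh runs docker/scout-sbom-indexer`, and a quick sanity check such as `test -s ./_build/default/vpnkit.spdx.json` before `store_artifacts` would turn a silently empty SBOM into a failed job.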
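Review bot: The `sbom` rule declares only the script as a dependency, but `scripts/sbom.sh` copies `vpnkit.opam` into its scratch directory and records `vpnkit.exe` as the described file; with neither declared, dune may not have copied `vpnkit.opam` into `_build/default` when the action runs, and a changed opam file or a rebuilt binary will not invalidate the SBOM. Declaring them the way the neighbouring mac_package rule does, `(deps vpnkit.exe vpnkit.opam (:gen ./scripts/sbom.sh))`, fixes both. The action also shells out to `docker` and reads the opam switch, so its output depends on state dune cannot track; a `; not hermetic: needs a docker daemon and the current opam switch` comment above the rule would tell the next reader why `dune build @sbom` can differ between machines.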
@@ -0,0 +1,48 @@
+#!/usr/bin/env sh
+set -e
+
+# echo $OPAM_SWITCH_PREFIX
+echo $1
+
+pkg=(
+ $(opam list -s --installed --required-by=vpnkit --recursive --columns package --nobuild --color=never)
+)
+
+dir="sbom_temp"
+mkdir "$dir"
+
+cp vpnkit.opam "$dir"
+
+for p in ${pkg[@]}; do
+ echo $p >> "$1"
+ cp -r "$OPAM_SWITCH_PREFIX/.opam-switch/packages/$p" "$dir/$p"
+done
+
+touch vpnkit.spdx.json
+docker run --rm \
+ -v ./$dir:/vpnkit \
+ -v ./vpnkit.spdx.json:/out/vpnkit.spdx.json \
+ -e BUILDKIT_SCAN_SOURCE=/vpnkit \
+ -e BUILDKIT_SCAN_DESTINATION=/out \
+ -e BUILDKIT_SCAN_EXTRA_SCANNERS=opam-cataloger \
+ docker/scout-sbom-indexer:1.15
+
+# Fix the relationships and file to point to the binary
+mv vpnkit.spdx.json vpnkit.spdx
+jq -c --arg uid "${$(uuidgen)//-/}" '
+"SPDXRef-File-\($uid)" as $fileId
+| .predicate
+| del(.files[])
+| .files |= . + [
+ {
+ "SPDXID": $fileId,
+ "fileName": "vpnkit.exe",
+ "licenseConcluded": "NOASSERTION"
+ }
+]
+| .relationships[] |= (
+ select(.relationshipType == "OTHER").relatedSpdxElement |= $fileId
+)
+' vpnkit.spdx > vpnkit.spdx.json
+
+rm -rf sbom_temp
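Review bot: The `${$(uuidgen)//-/}` expansion on the `jq` line is not valid in POSIX sh or bash (it is a zsh-only form), and `pkg=( … )` / `${pkg[@]}` are bash arrays, so under the `#!/usr/bin/env sh` shebang the script is likely to fail either at the package loop or at the jq step depending on which shell `sh` resolves to; `uid=$(uuidgen | tr -d '-')` and a plain `for p in $(opam list …)` need nothing beyond POSIX. Because `set -e` aborts before the final `rm -rf sbom_temp`, a failed run leaves `sbom_temp` and `vpnkit.spdx` behind and the next run dies at `mkdir "$dir"`; a `trap 'rm -rf "$dir" vpnkit.spdx' EXIT` cleans up on every path. The `echo $1` and `echo $p >> "$1"` lines look like debugging leftovers: they write package names into the target file before the scanner overwrites it, which leaves a non-JSON target if the scanner step fails. The scanner image is pulled by the mutable tag `docker/scout-sbom-indexer:1.15`; since its output is the project's supply-chain evidence, pinning it by digest makes the SBOM reproducible and guards against a swapped tag, and Docker has historically rejected relative host paths in `-v`, so `"$(pwd)/$dir"` is the safer form.
```shell
#!/usr/bin/env sh
set -eu

dir="sbom_temp"
# Clean up on every exit path; with set -e the trailing rm is skipped on failure
# and the next run would fail at mkdir.
trap 'rm -rf "$dir" vpnkit.spdx' EXIT
mkdir "$dir"
cp vpnkit.opam "$dir"

# POSIX sh has no arrays; iterate over the command's words directly.
for p in $(opam list -s --installed --required-by=vpnkit --recursive --columns package --nobuild --color=never); do
  cp -r "$OPAM_SWITCH_PREFIX/.opam-switch/packages/$p" "$dir/$p"
done

touch vpnkit.spdx.json
# Absolute host paths for the bind mounts; the image is pinned by digest so the
# SBOM is produced by a known scanner build (digest below is a placeholder).
docker run --rm \
  -v "$(pwd)/$dir:/vpnkit" \
  -v "$(pwd)/vpnkit.spdx.json:/out/vpnkit.spdx.json" \
  # … unchanged: the three -e BUILDKIT_SCAN_* flags …
  docker/scout-sbom-indexer:1.15@sha256:<SCANNER_IMAGE_DIGEST_PLACEHOLDER>

# ${$(…)//-/} is zsh-only; strip the dashes with tr instead.
uid=$(uuidgen | tr -d '-')
mv vpnkit.spdx.json vpnkit.spdx
jq -c --arg uid "$uid" '
# … unchanged: jq filter that rewrites .files and .relationships …
' vpnkit.spdx > vpnkit.spdx.json
```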