diff --git a/.github/workflows/jit-security.yml b/.github/workflows/jit-security.yml
index 0df1374df0..7d0341d868 100644
--- a/.github/workflows/jit-security.yml
+++ b/.github/workflows/jit-security.yml
@@ -33,6 +33,17 @@ jobs:
 security_control: registry.jit.io/open-remediation-pr-alpine:latest
 security_control_output_file: /opt/code/jit-report/results.json
 
+ software-bill-of-materials:
+ if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'software-bill-of-materials' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sbom'
+ runs-on: ubuntu-20.04
+ timeout-minutes: 60
+ steps:
+ - name: syft
+ uses: jitsecurity-controls/jit-github-action@v4.2.0
+ with:
+ security_control: registry.jit.io/control-syft-alpine:latest
+ fail_if_cannot_checkout: false
+
 static-code-analysis-c-cpp:
 if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-c-cpp' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
 runs-on: ubuntu-20.04
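Review bot: The new `software-bill-of-materials` job runs code that is referenced only by mutable names: the action is pinned to the tag `v4.2.0` and the control image to `:latest`, so what executes in this workflow can change without any commit to this repository. Pin the action to a full commit SHA, `uses: jitsecurity-controls/jit-github-action@<FULL_COMMIT_SHA>  # v4.2.0`, and, if the action accepts a digest reference, the image as `registry.jit.io/control-syft-alpine@sha256:<IMAGE_DIGEST>` (both values are placeholders to be filled in from a release you have verified). The same `:latest` pattern is visible on the context line above for `open-remediation-pr-alpine`, so this is an existing convention of the file rather than something this hunk introduces. `fail_if_cannot_checkout: false` presumably lets the job continue when checkout fails, which would produce an SBOM of an empty or partial tree while the job still reports success; if that is intended, say so in a comment such as `# checkout failure tolerated: SBOM may be incomplete`.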