diff --git a/Makefile b/Makefile
index f1d589d..d9f04d3 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ ZIP = zip
 PIP3 = python3 -m pip
 PYTHON3 = python3
 POETRY = poetry
+SYFT = syft
 clean: ## clean existing builds
@@ -15,6 +16,7 @@ clean: ## clean existing builds
 release: ## Build a wheel
  $(POETRY) build
+ $(SYFT) packages file:poetry.lock -o spdx-json > dist/sbom.json
  cd dist && sha512sum * > ../checksums.sha512
  gpg --detach-sign --armor checksums.sha512
diff --git a/README.md b/README.md
index 0d8ada7..a76239c 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ make release
 ### Publish a new version
+**Requires `syft` to be installed to generate the sbom.**
+
 1. Bump the version number as described above
 2. `make deps` to update the dependencies
 3. `make release` to build the packages
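Review bot: The added SBOM line in the `release` recipe writes through a shell redirect, so the shell creates `dist/sbom.json` before syft starts; if syft is missing or exits with an error, make stops, but an empty or partial file stays in `dist/`, where a hand-run `sha512sum *` and `gpg --detach-sign` would hash and sign it. Letting syft open the output itself avoids the leftover when the binary is absent: `$(SYFT) packages file:poetry.lock -o spdx-json=dist/sbom.json`. The SBOM is derived from `poetry.lock` rather than from the wheel in `dist/`, so it presumably lists every locked package, including development-only ones; a comment such as `# SBOM reflects poetry.lock, not the contents of the built wheel` above the line would make that scope explicit to whoever consumes the signed file. The recipe may continue past the hunk's last line.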